[delroth]

> You can in detail ask about ALL personal data that was used as an input for this decision, information about the ¨automated decision-making¨ (algorithm), and all personal data that resulted out of this process. https://gdpr.eu/article-15-right-of-access/

That is only true in specific cases of processing, as detailed by article 22: "a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her".

In the case of a domain name used for email I think you could legitimately argue that the decision "significantly affected" you, but it's kind of undefined so far what the bar is for this criterion.

[srrr]

In this case cloudflare has produced a legal effect with putting the domain into pending delete because this is an ownership transfer back to the registrar (of a property they don't even own, so stupid...).

For me deleting my domain would be far worse than deleting my telephone number and significantly affect me. But yes, this is a case by case decision.

I just wanted to say something like: You have rights. Don't be afraid to use them. These companies are not above the law.

[cfsucks]

> a decision based solely on automated processing,

"this account was identified in a recent fraud review, however it appears to have been a false positive"

> which produces legal effects

Deprivation of property.

[tgsovlerkhgsel]

I suspect the workaround on the side of the companies doing this is to include human review (or appeals) to ensure the decision is no longer based "solely on automated processing".

Even if not intended, a reviewer that sees mostly true positives is very likely to become a blind rubber stamp.