GDPR is one of the things that both EU citizens like to brag about, and companies like to advertise with. But as someone who does make extensive use of it, the entire process is flawed, the laws are ignored, and enforcement is borderline impossible. It's the data protection equivalent of the cookie popups, which I'd even argue are more effective in their goal.
Whenever a company has my data and uses it for marketing purposes without an easy opt out, or a company has my data and I stop using their services, I generally like to have the data deleted or to withdraw certain consent like for marketing purposes. Sometimes this is easy, but sometimes it requires invoking my GDPR rights as a EU citizen to actually get done.
In the past year I have made around 20 GDPR data deletion/information requests to various companies. Only 2 have complied immediately, further 6 have complied after filing a complaint with the data protection office, the remaining 12 have not complied. Large companies, charities, companies that advertise explicitly with "Made in EU/GDPR Compliant". From Greenpeace, government funded museums, to open source companies, completely fail at this.
💡 I am aware that some data, such as invoices, or other data may be kept for longer period due to various financial laws. Whenever I speak of "data" in this article I'm referring to things like profile pictures, phone number(s), emails, stored addresses, online accounts viewable by others, and so on.
GDPR for marketing only
Let's look at how one of the bigger companies in 3D Printing world, that often gets mentioned for their privacy and the fact that they're from EU and GDPR compliant, Prusa 3D, handles a simple request to delete user data:
Step one, change the user's email
Step two, say that you deleted the data:
To this day, I still can view and verify that they have in fact not deleted my data. I even added a "GDPR Failed" address to my account after the email, so they're not even blocking it in some way.
The email says "request from 28 November 2025", the truth is that I sent a GDPR deletion request in 2024, and this was just a reminder that they still haven't processed it. This is also after the "GDPR Advisor" saying that requesting data deletion via email isn't even legally allowed, which is completely wrong.
... continue reading