It was bound to happen. In France and elsewhere organizations have been receiving phishing emails and correspondence

False "official" warning letters

Many French companies have received deceptive letters, some resembling notices from a fictitious public authority and others reproducing the logo of the French data protection authority, the CNIL. Such correspondence steers the recipient toward paid services.

Examples of these notices include:

  • False "GDPR standard registration" forms fraudulently reproducing the logo of the CNIL.
  • Letters labelled "compliance-reminder" bearing the usurped logo of the CNIL, or faxes with a "GDPR – Compliance" (in French, "RGPD") header inviting the recipient to call a centralized helpline.

We recommend the following steps if you have received suspicious "official" correspondence:

  • Be wary of any communications presented as "official" from an alleged authority
  • Conduct online research about the sender/authority, keeping in mind a fake website may have been created
  • Verify the nature of the services offered
  • Read carefully the terms and conditions, if any
  • Make sure that relevant staff in your organization knows how to handle this type of mail
  • Do not pay any money
  • In case of a problem, contact the CNIL and/or your lawyer

Suspicious Data Subject Access Requests

Data Protection Officers who have publicly available email addresses have received access requests, in French or in what seems to be a web translation into English or German, from the following domains: @electronicprivacy.eu, @webflip.eu, @yauo.me, @rgpd.guru.

The sender alleges having received spam and requests, pursuant to the right of access, "confirmation that you do not have in your or your processors, database information related to my email address". The request is limited to verifying whether the company holds data and the source of this data. The sender expressly does not want access to the information linked to the email address. The sender also claims that any request by the controller for additional proof of his or her identity "would be excessive with regard to the request".

The correspondence is signed "a committed citizen" and contains, in small print, an opt-out of sorts: "if you are not data controller, block your email on this link: block my email." Some recipients have also received follow-up reminders.

It seems that the four domain names used for sending the messages were created on 18 October 2018 and that all the messages were sent after 24 October and contain a tracking code.

Clicking on the opt-out link provides additional information regarding the reason for these emails. The emails are said to be sent by a young digital entrepreneur, allegedly for the purpose of studying the difficulties that citizens may face when they try to exercise their rights, notably the right to be forgotten. The study would allegedly help DPOs in their roles. The entrepreneur admits to having created the domain names and invented four identities for this purpose.

Privacy associations and other stakeholders have contacted their local data protection authority. The CNIL has not issued an official statement but has recommended responding to rather than dismissing such messages, unless they are clearly malicious (which the DPO should then document). The CNIL is worried that companies may become reluctant to honor DSARs that do not strictly fit their expected standard. In this particular case, however, the CNIL has agreed that a response would not be necessary.

The Luxembourg supervisory authority (CNPD) issued a press release informing companies that e-mails from the domain "electronicprivacy.eu" are classified as phishing e-mails and recommended that organizations do not reply to any requests made through those e-mails.

The organizations that have arranged for these phishing emails and correspondence are using the GDPR's requirements to serve their own interest or cause (however noble it may be). It is difficult to decide how to address such requests in situations where the data protection authority has not provided clear guidance.
