GDPR violation when inviting a new admin and no reply from euprivacy email
Hello,
When an organization administrator invites a new administrator, the new administrator receives advertising from Zyxel before the account has been validated/created. Since Zyxel doesn't know if the e-mail address is professional or personal, this is a GDPR breach as opt-in is mandatory and opt-out is forbidden.
You can look up ticket 376913 which is now 1 month old. GDPR enforces a 1 month maximum delay for GDPR requests. As is, the user could file a complaint against Zyxel, and Zyxel would lose. You could argue the ticket is not at the euprivacy contact, but they are in CC in this ticket.
Now that I have your attention, could you proceed to not blindly sign up e-mails to advertising in a way even your regional sales team cannot see where you did that?
I usually keep issues like that private and try to resolve them by contacting the regional team, but they do not have access to the database where you stored this sub and I trust them when they say they triple checked as I see them regularly and they always did the needful instantly before.
Actively breaching GDPR on purpose is not a good way to expand business in the EU, and blinding your regional teams doesn't help them do their work and comply with lawful administrative requests.
All Replies
I don't see how it is a breach, you signed them up and created an account for them regardless of whether they verified it or not. Once registered on the platform you expect to get email notifications.
I don't know what your deal is, all you seem to be doing is posting on these forums to find faults and complain about ZyXel and their products.
Hello Pook.
Sending advertising to personal email addresses that didn't explicitly opt in to them in an enlightened way is illegal per GDPR and local laws. When an org owner or MSP invites a new user and said new user receives ads before the account is created, it is a breach because the receiving end didn't opt in in any enlightened way since the option to opt in wasn't presented yet.
Zyxel cannot know in advance if the email used to invite a new user is personal or professional, and they cannot assume, as it will lead to a violation. The platform doesn't ask which one it is.
Consent must be free, specific, informed and unambiguous. To be valid, it requires positive and specific action by the data subject (for example, a dedicated checkbox that is not pre-ticked). The acceptance of general conditions of use is not sufficient. The agreement must be free.
Advertising by email is possible provided that people have given their explicit consent before being solicited. Not after.
Government-owned website explaining it here.
Hi @Zulgrib,
Thank you for reaching out and highlighting this matter. I appreciate your patience as I thoroughly investigate this ticket.
In order to expedite the resolution process, could I kindly request you forward the advertising email in question to me? Please send it over via private message. Thank you.
Hello, I sent it by email by trying to guess your address to be able to actually transfer it as is.
I also had news from the regional Zyxel team today by phone and they mentioned Zyxel TW is actually investigating it.
Thank you. This is very important for the customers.
Hi @Zulgrib,
Thanks for sharing the email. It helps us understand your concerns.
Before we act, could I clarify when your clients received this email? Was it after they registered and started managing their organization? Or is the admin still unverified?
Hi @Zulgrib,
Thank you for your patience and understanding as we conducted our investigation into the matter you raised. We have now completed our investigation and we would like to share our findings and the steps we have taken.
We acknowledge and appreciate your concerns about privacy and the GDPR. Ensuring the utmost data privacy and compliance with GDPR is our topmost priority. Despite our continuous efforts to strictly adhere to privacy protocols, we recognize that there have been some instances where our email delivery processes did not achieve the exacting standards we aspire to. We want to assure you that any such lapse was unintentional and is taken very seriously by us.
In response to this, we have proactively removed certain email addresses from our mailing list. This is to ensure that these addresses will no longer be recipients of any promotional materials or system information emails, thus further securing their privacy in line with GDPR regulations.
Trust is a crucial aspect of our relationships, and we are dedicated to maintaining yours by upholding the highest standards of data protection. We hope that our swift action demonstrates our commitment to respecting you and your client's privacy.
Hello,
Sorry for the delay, it was when the administrator was created but unverified (and the affected accounts are still unverified to this day).
Thank you @Zyxel_Melen for confirming I was right in trusting Zyxel for a long-term partnership. It is highly appreciated that Zyxel worked toward resolving it in such a short amount of time after my initial message here. For my part, I hope Zyxel will accept my apologies if I was harsh with my initial post.