/r/gdpr


The General Data Protection Regulation (GDPR) went into effect 25 May 2018. Ask questions about the GDPR, discuss and share resources about the GDPR, and learn about best-practices regarding personal data and data privacy. Related laws like ePrivacy or UK GDPR are also in scope.


Rules

  1. Be kind and helpful. Community members are expected to conduct themselves professionally. Discussion should be constructive and guiding. Personal attacks will not be tolerated.

  2. Stay on topic. The r/gdpr subreddit is about European data protection. This includes relevant EU and UK laws (GDPR, ePrivacy, PECR, …) and matters concerning data protection professionals (e.g. certifications). General privacy topics or other laws are out of scope.

  3. No legal advice. Do not offer or solicit legal advice.

  4. No self-promotion or spamming. This subreddit is meant to be a resource for GDPR-related information. It is not meant to be a new avenue for marketing. Do not promote your products or services through posts, comments, or DMs. Do not post market research surveys.

  5. Use high-quality sources. Posts should link to original sources. Avoid low-quality “blogspam”. Avoid social media and video content. Avoid paywalled (or consent-walled) material.

  6. Don’t post AI slop. This is a place for people interested in data protection to have discussions. Contribute based on your expertise as a human. If we wanted to read an AI answer, we could have asked ChatGPT directly. LLM-generated responses on GDPR questions are often “confidently incorrect”, which is worse than being wrong.

  7. Other. These rules are not exhaustive. Comply with the spirit of the rules, don't lawyer around them. Be a good Redditor, don't act in a manner that most people would perceive as unreasonable.

Detailed explanations in the wiki.



18,003 Subscribers

1

Psychotherapy via Zoom: client/therapist located in different EU countries

Hello,

A therapist located in another EU country is proposing direct sessions via Zoom (so we wouldn't be using a dedicated online platform). They sent me two GDPR forms to fill out for my consent.

A) One is a standard form used by therapists in their country, with clauses and legislation specific to therapists there. It includes a contract between us (covering price, cancellations, etc.) along with GDPR clauses. This form states that my data and information from our sessions will be shared with their national health insurance offices and any third parties connected to it. Issue: I don’t belong to their health system.

It also states that my payments and session details will be communicated to the national tax offices via the health system mentioned above to facilitate tax returns. Issue: I am not a tax resident in that country.

I believe I cannot give consent to clauses that don’t apply to me, and I would like them to remove these paragraphs. Since this form is the professional national standard in their country, and they put it all together (contract, GDPR, fees...), would it be legal for us to remove these GDPR clauses (relating to health insurance and tax offices)?

B) He also sent a separate module requesting consent to record our sessions for transcription purposes and to share them with a peer for consultation. I only have experience with some onsite face-to-face sessions, and I was never asked to be recorded, nor was my data shared with another peer. Is this becoming normal when online?

Thanks.

5 Comments
2025/02/02
17:16 UTC

12

Rule Updates + Call for Moderators

It’s been wonderful to see the growth of this community over many years, with so many great posts and so many great responses from helpful community members. But with scale also come challenges. The following updates are intended to keep the community helpful and focused:

  • Rules have been clarified around recurring issues (appropriate conduct, advertising, AI-generated content).
  • Post flairs have been updated to align better with actual posts.
  • Community members are invited to become moderators.

New rules (effective 2025-02-02)

  1. Be kind and helpful. Community members are expected to conduct themselves professionally. Discussion should be constructive and guiding. Personal attacks will not be tolerated.
  2. Stay on topic. The r/gdpr subreddit is about European data protection. This includes relevant EU and UK laws (GDPR, ePrivacy, PECR, …) and matters concerning data protection professionals (e.g. certifications). General privacy topics or other laws are out of scope.
  3. No legal advice. Do not offer or solicit legal advice.
  4. No self-promotion or spamming. This subreddit is meant to be a resource for GDPR-related information. It is not meant to be a new avenue for marketing. Do not promote your products or services through posts, comments, or DMs. Do not post market research surveys.
  5. Use high-quality sources. Posts should link to original sources. Avoid low-quality “blogspam”. Avoid social media and video content. Avoid paywalled (or consent-walled) material.
  6. Don’t post AI slop. This is a place for people interested in data protection to have discussions. Contribute based on your expertise as a human. If we wanted to read an AI answer, we could have asked ChatGPT directly. LLM-generated responses on GDPR questions are often “confidently incorrect”, which is worse than being wrong.
  7. Other. These rules are not exhaustive. Comply with the spirit of the rules, don't lawyer around them. Be a good Redditor, don't act in a manner that most people would perceive as unreasonable.

You can find background and detailed explanations of these rules in our wiki:

Please provide feedback on these rules.

  • Should some of these rules be relaxed?
  • Is something missing? Did you recently experience problems on r/gdpr that wouldn’t be prohibited by these rules?
  • What are your opinions on whether the UK Data Protection Act 2018 should be in scope?

Post flairs

There used to be post flairs “Question - Data Subject” and “Question - Data Controller”. These were rarely used in a helpful manner.

In their place, you can now use post flairs to indicate the relevant country.

With that change, the current set of post flairs is:

  • EU 🇪🇺: for questions and discussions relating primarily to the EU GDPR
  • UK 🇬🇧: for questions and discussions that are UK-specific
  • News: posts about recent developments in the GDPR space, e.g. recent court cases
  • Resource
  • Analysis
  • Meta: for posts about the r/gdpr subreddit, such as this announcement

This update is only about post flairs. User flairs are planned for some future time.

Call for moderators

To help with the growing community, I’d ask for two or three community members to step up as moderators. Moderating r/gdpr is very low-effort most of the time, but there is the occasional post that attracts a wider audience, and I’m not always able to stay on top of the modqueue in a timely manner.

Requirements for new moderators:

  • You find a large reserve of kindness and empathy within you.
  • You have at least basic knowledge of the GDPR.
  • You intend to participate in r/gdpr as normal and continue to set a good example.
  • You can spare about 15 minutes per week, ideally from a desktop computer.
  • You can comply with the Reddit Moderator Code of Conduct, which has become a lot more stringent in the wake of the 2023 API protests.

If you’d like to serve as a community janitor moderator, please send a modmail with subject “moderator application from <your_username>”. I’ll probably already know your name from previous interactions on this subreddit, so not much introduction needed beyond your confirmation that you meet these requirements.

Edit: Applications will stay open until at least 2025-02-08 (end of day UTC), so that all potential candidates have time to see this post.

Call for feedback

Please feel free to use the comments to discuss the above rule changes, or any other aspect of how r/gdpr is being managed. In particular, I’d like to hear ideas on how we can encourage the posting of more news content, as the subreddit sometimes feels more like a GDPR helpdesk.

Previous mod post: r/GDPR will be unavailable starting June 12th due to the Reddit API changes [2023-06-11]

0 Comments
2025/02/02
12:09 UTC

5

GDPR compliance for a project management tool

I am reviewing a project management tool called Linear (linear.app), and I’d really like to introduce it into our workflow. However, I need to ensure that employee data is processed in compliance with GDPR. While Linear provides a detailed explanation of how it processes data and claims to be GDPR compliant, I am not really convinced.

Linear is not part of the new EU-US Data Privacy Framework and is relying on Standard Contractual Clauses (SCCs) for data transfer (which, from what I understand, is not sufficient for transferring data to the US).

Additionally, the Data Processing Addendum includes an explicit statement about data localization outside of the EU. Even when an EU region is selected, it states:

Customer acknowledges that Linear’s primary processing operations take place in the United States, and that the transfer of Customer’s Personal Data to the United States is necessary for the provision of the Services to Customer.

According to their documentation, certain types of data are always stored in the United States, regardless of the selected region:

Workspace information

All user account information

User-created API keys (used for authentication and directing users to the correct region)

Given these points, I’m not really sure how Linear’s GDPR claims align with these data transfer practices.

I have thought about using nicknames or aliases for employees, which would be considered a supplementary measure to the SCCs, but that would probably just confuse the team members.

Is there any way for us to use this system and still be compliant?

8 Comments
2025/02/01
19:33 UTC

0

How is this allowed?

First time seeing something as mad as putting opt-out behind a paywall.

I strictly recall that part of the concept was that it should be as easy to opt out as it is to opt in, which of course never actually ended up being the case, with opt-outs being buried in menus and sometimes requiring manually deselecting numerous options.

The website is the Sun, a British news site & newspaper (it's god-awful, but that's less important).

12 Comments
2025/01/31
18:17 UTC

5

Email CC issue

Hi,

I’m feeling slightly concerned, and would like advice please.

I took part in an online pregnancy research survey done through a UK University.

I received part 2 of the survey via email, and the researcher has used ‘CC’ not ‘BCC’ to email the survey to all the participants’ personal email addresses, along with thanking us for taking part in this pregnancy study etc. There are a few hundred people on the list.

Do I have a right to make a complaint to the data protection officer?

My email address uses my full name, as do lots of others in the mailing list, and having that revealed and linked to my private medical information (pregnancy) feels wrong and alarming.

The researcher recalled the email twice but again used CC not BCC in both recall emails?! I can still see the original email and all recipients.

Thank you

7 Comments
2025/01/31
05:47 UTC

0

How Do EU Countries Handle Log Retention Differently Under GDPR?

One of the ongoing issues for companies dealing with GDPR compliance is determining the appropriate retention period for system logs. While GDPR mandates data minimization and purpose limitation, different EU member states have varying interpretations of what constitutes a "reasonable" retention period for security logs. In Italy, local regulations and industry guidelines often require companies to retain logs for at least six months for cybersecurity purposes, but some sectors such as finance and telecommunications impose stricter retention policies. However, there’s always a fine line between compliance and excessive data retention, especially when logs contain personal identifiers. A question that often arises is how companies operating across multiple EU countries handle these differences. Are organizations standardizing retention policies across all jurisdictions, or are they implementing localized approaches? If anyone has insights or experiences on how different national authorities interpret log retention rules, I’d be interested in discussing best practices.

3 Comments
2025/01/30
13:09 UTC

12

What happens if an Indian company simply refuses to follow GDPR?

Pretty much the title.

What happens if an Indian IT company simply refuses to follow GDPR & delete my personal data under GDPR Art 17?

The said Indian IT firm has offices all across Germany.

My several requests to the IT firm to purge my data have been met with nothing but resistance and disdain.

What is the correct procedure to get my data wiped from this firm? Is there a complaint form in English on the German site for redressal against these private entities?

Thank u

32 Comments
2025/01/30
06:10 UTC

3

Submitting a DSAR at work

Hi

I have never submitted a DSAR so unsure how it would work so wondered if anyone could shed any light on this for me.

I intend to submit a request with my employer and wondered if my colleagues are notified that their chat platforms and email mailboxes are about to be searched. Or is this just done by an IT team privately?

I am concerned that if colleagues receive notification, it may look as if I am requesting something as I am suspicious of them and could ruin our relationships.

Any advice is greatly appreciated. Thank you.

26 Comments
2025/01/29
19:50 UTC

0

BIRTH CERTIFICATE

My employer had lost my birth certificate, a 60 year old document I’ve been looking after all my life. How much trouble are they in, legally?

10 Comments
2025/01/29
15:41 UTC

1

(Question) If my company has a database full of diagnoses of clients, but it doesn't specify whose, is it still considered sensitive data?

This is the situation: We have a database with two columns: name and diagnosis. The data on that database is considered sensitive. But, what if the database just has the column "diagnosis" and I can't associate it to a person? It would be like just having a random list of diseases.

The problem with giving diagnosis the category of sensitive data in itself relies on "what if I have a table full of diseases and its associated system code?", like "lung cancer" has the code 123; our classification system would classify that data as sensitive, even if it's not anyone's data.

8 Comments
2025/01/29
14:42 UTC

0

Data Auditing

What steps are involved in data auditing as per the GDPR?

11 Comments
2025/01/29
07:37 UTC

9

Only 1.3% of cases before EU DPAs result in a fine

It's finally black on white with some numbers.

https://noyb.eu/en/data-protection-day-only-13-cases-eu-dpas-result-fine

Data Protection Day: Only 1.3% of cases before EU DPAs result in a fine

National Administrative Procedures and DPA inactivity /  28 January 2025

When the General Data Protection Regulation (GDPR) came into force in 2018, it ushered in a new era of data protection in the EU. At least on paper. Consumers were given the tools to stand up for their fundamental rights, while authorities received serious investigatory powers and the ability to sanction breaches with hefty fines. Nearly 7 years later, the reality is much bleaker. On the occasion of this year’s Data Protection Day on 28 January, noyb analysed current EDPB statistics on the (in)activity of national data protection authorities (DPAs). The data shows that, on average, merely 1.3% of cases before DPAs result in a fine. However, data protection professionals say that fines are the most effective way of ensuring companies comply with the law.

EDPB report on DPA activity between 2018 and 2023

Strict GDPR enforcement only on paper. When the General Data Protection Regulation (GDPR) came into force in May 2018, it promised a shift towards a serious approach to data protection. European consumers affected by privacy violations were given the necessary tools to complain to their national data protection authorities (DPAs) – which were equipped with the necessary powers to investigate all kinds of breaches and issue administrative fines to prevent similar offences in the future. Unfortunately, the last 7 years have shown that this has mostly been wishful thinking. This is confirmed by a new noyb analysis of EDPB statistics on the authorities’ activity between 2018 and 2023: On average, merely 1.3% of cases before the DPAs actually result in a fine. This is consistent with our own practical experience: Most cases are dragged out over multiple years, before they’re closed with a settlement or entirely thrown out.

Max Schrems: “European data protection authorities have all the necessary means to adequately sanction GDPR violations and issue fines that would prevent similar violations in the future. Instead, they frequently drag out the negotiations for years – only to decide against the complainant’s interests all too often.”

No real positive example. While some data protection authorities appear to impose far more fines than others, the figures are all in the single-digit percentage range – or even lower. Having imposed fines in 6.84% of all cases (counting both complaints and own-initiative investigations) between 2018 and 2023, the Slovakian DPA is leading the statistics. It is followed by Bulgaria (4.19%), Cyprus (3.12%), Greece (2.65%) and Croatia (2.54%). At the other end of the spectrum, the Dutch authority has issued fines in 0.03% (!) of all cases, closely followed by France (0.10%), Poland (0.18%), Finland (0.21%), Sweden (0.25%) and of course Ireland (0.26%). The remaining countries are somewhere in between.


A phenomenon specific to data protection. This apparent lack of serious consequences for breaches of the law seems to be very specific to data protection. Let’s take Spain as an example: In 2022, the Spanish DPA received 15,128 complaints, but issued only 378 fines. This means that, statistically, only 2.5% of all complaints ended in a fine. This includes obvious breaches such as unanswered access requests or unlawful cookie banners, which could – in theory – be dealt with quickly and in a standardised manner. By way of comparison: 3.7 million speeding tickets were issued in Spain in 2022 (excluding the Basque Country and Catalonia). A similar comparison can be made for basically any other EU Member State.

Max Schrems: “Somehow it's only data protection authorities that can't be motivated to actually enforce the law they're entrusted with. In every other area, breaches of the law regularly result in monetary fines and sanctions. At the moment, DPAs often seem to be acting in the interests of companies rather than the people concerned."

The data shows: more fines = more compliance. While these numbers are hardly surprising, they’re alarming nonetheless. A noyb survey among data protection professionals shows that it is precisely monetary fines that motivate companies to comply with the law. When asked about the most effective enforcement measures, 67.4% of respondents said that DPA decisions against their own company that include a fine will influence decision makers to opt for more compliance. Interestingly, 61.5% of respondents said that even DPA fines against other organisations would influence their own company’s GDPR compliance.


Imposed fines are a joke. Taking a closer look at the amount of fines the national authorities impose every year makes the issue even clearer. Ireland (€475,902,000 average fine amount/year) and Luxembourg (€124,395,729 average fine amount/year) are leading the statistics between 2018 and 2023 by far. At first glance, that might sound like a lot of money. But it really isn’t. Almost all major tech companies like Apple, Google, Meta and Microsoft are located in Ireland, making the Irish DPC the lead authority for some of the biggest cases ever. Luxembourg, on the other hand, is responsible for companies like Amazon. In reality, the DPC has to be forced to its own good fortune. noyb’s two biggest cases against Meta had to take a detour to the EDPB before the DPC finally fined the company a total of almost €1.6 billion. If you take away this sum, there’s not much left.

More budget, more decisions? Some authorities repeatedly argue that they would only need more budget and resources to make more timely – and high-impact – decisions. Looking at the EDPB statistics, the authorities’ budget increased up to 130% between 2020 and 2024. The Dutch authority, for example, recorded a budget increase of 62% within four years – without a significant increase of fines imposed. To put this into perspective: In 2023, the Dutch DPA had a budget of almost €37 million, but only imposed €1.98 million in fines. This is a difference of almost €35 million, which will leave a huge hole in the state budget. However, this shortfall could be offset by strong enforcement. GDPR fines go to the state of the leading authority.


Almost 40% of all fines thanks to noyb. This pattern can be seen throughout the EU: Between 2018 and 2023, all EU data protection authorities imposed a combined total of €4.29 billion in fines – of which €1.69 billion resulted from noyb litigation. In other words: Almost 40% of all GDPR fines trace back to noyb. This means that, in reality, there rather seems to be a lack of political willpower to stand up against tech giants than a lack of possibilities to act.

51 Comments
2025/01/29
05:39 UTC

1

Company using another company's CCTV

So my company has no CCTV and no CCTV policies in place; they have obtained CCTV footage from the warehouse/company next door to see what time I arrived at work. The CCTV footage clearly shows me, my face is not blurred, and I did not ask for the CCTV footage. The company who provided the CCTV have used it not for its original intentions. I believe both companies have broken GDPR and the DPA; this is in the UK. Where do I stand? I could report them to the ICO, but where do I stand with my company?

3 Comments
2025/01/28
20:40 UTC

1

Collecting names on behalf of others by registered users of a digital platform?

I stumbled across this business case, and I was wondering how this would play out under the GDPR.

Imagine board game clubs that want to track people coming to their events, maybe even tracking scores and rankings in a competition across events. A digital platform would allow club hosts to manage their club.

Hosts would create an account for themselves on such a digital platform, giving their consent under the GDPR for processing their data.

However, how do you handle registering participants to club events and comply with the GDPR? The obvious option would be for participants to create an account on the platform via their e-mail address, and give their consent as well. But that's not a 100% catch-all solution, on the contrary. Events may be open to casual participants who just join an event once a month, or a few times a year. These are people who don't want another account on yet another platform.

In practice, someone might just drop in, ask the host to join, and the latter would add their name to the on-going event, except instead of on a piece of paper, it's stored persistently on a digital platform. To be exact:

  • At no point is an e-mail address asked for, or any other data stored. The only data point stored is a name.
  • The name is stored in a single field.
  • The name could be their real name, but it could also be a nickname.
  • The name is only used for display purposes (e.g. shown in a ranking, with a score); the name is not tied to an account or functionality.
  • The name is collected by the event host, so a third party.
  • There is no verification whatsoever by the platform whether this refers to a real person.

So, how would a digital platform have to handle this case in order to comply with the GDPR?

There is a verbal consent given by the person to the club host to write their name, but I feel this is flimsy at best when it comes to presenting evidence that, yes, the platform does have formal consent for collecting / storing the name.

There is a privacy policy that says that people have the right to contact the platform and assert their rights, including removal, but since there is no real user account to which data can be tied, removal may be very hard to accomplish: e.g. removal of a commonly shared name, like John Smith, from all events across the platform.

0 Comments
2025/01/28
15:47 UTC

1

How Do You Balance GDPR Compliance with Delivering a Great User Experience?

Hi everyone,

One of the challenges I’m facing with GDPR compliance is ensuring that all the legal and technical requirements don’t negatively impact the user experience. For example, how do you make consent forms or privacy notices clear and compliant without overwhelming users or making the process frustrating? If you’ve found a good balance between being transparent, meeting GDPR standards, and keeping things user-friendly, I’d love to hear your strategies or examples of what’s worked for you.

Thanks so much for sharing your insights!

11 Comments
2025/01/28
18:01 UTC

0

How Do You Balance GDPR Compliance with Delivering a Great User Experience?

Hi everyone,

One of the challenges I’m facing with GDPR compliance is ensuring that all the legal and technical requirements don’t negatively impact the user experience. For example, how do you make consent forms or privacy notices clear and compliant without overwhelming users or making the process frustrating? If you’ve found a good balance between being transparent, meeting GDPR standards, and keeping things user-friendly, I’d love to hear your strategies or examples of what’s worked for you.

Thanks so much for sharing your insights!

3 Comments
2025/01/28
18:01 UTC

6

I built a personal to-do app. Now, a customer wants me to sign a DPA.

Hi Reddit, I'm coming to you to ask for advice.

I run a personal to-do and habit-tracking app available in Apple/Google/Microsoft stores. You all know these apps and may even have some installed on your phones/laptops. You create an account using your email address, and the app keeps your to-dos, notes, and such. Think Todoist, TickTick, Evernote, etc. The only personal information the app knows about its users is their email address.

A user asked their employer to pay for their premium account. That company now wants me to sign a Data Processing Agreement with them, as their company policies probably require that, and I don't know how to handle that.

What are my options here? Can I refuse, and if so, on what basis? If I cannot and should proceed, are there alternative ways to handle this (for example, updating ToS in some way to somehow already include/be more GDPR compliant)?

Thank you all very much for your insights.

21 Comments
2025/01/28
13:44 UTC

1

My phone number is being used in someone else’s bank account?

So yesterday I started receiving messages from Barclays regarding someone else’s bank account, first message I received stated that a specific account is over its limit, and today I received another message stating that a payment to a specific person failed due to insufficient funds.

Whilst I’m not receiving full account details I am receiving information about the destination of payments etc, would this be considered a breach?

After speaking to Barclays this morning and ascertaining that it’s not a fraudulent message and likely just a mistaken number on a new account, they have said they are unable to track down the offending account using my phone number as a search parameter. Ideally I don’t want to be receiving these messages, and I really don’t want to change my number as I’ve had it for 10-15 years now.

5 Comments
2025/01/28
09:24 UTC

0

Checklist for Data Auditing and Gap Analysis for Insurance Companies

Can anyone provide a checklist for conducting Data Auditing and Gap Analysis for a car insurance company under the GDPR?

0 Comments
2025/01/28
06:38 UTC

39

Why must we still click accept all cookies in 2025?

Why must we still click accept all cookies in 2025, when a browser-setting could have been implemented by now that would allow an all-sites default?

It's an END-LESS stream of clicking YES YES YES, and utterly pointless and a waste of time.

I just need ONE single setting in the Chrome-browser that tells ALL web-sites that YES, I ACCEPT YOUR COOKIES!

So far zero add-ons for Chrome have allowed me to avoid these pop-ups and just accept all cookies automatically.

Does anybody know an actual solution that works in Chrome for Windows desktop?

(GDPR fan-bois need not respond to this post, because I'm not anti-GDPR, I just want an AUTOMATIC solution to this click-click-click-click-click-click nightmare that the EU invented)

The fact there are actually people in the EU who thought this was a smart invention... impossible to comprehend.

178 Comments
2025/01/28
01:22 UTC

4

Information is either false or incorrect about me. UK

Hi,

I have recently found out, by doing a Subject Access Request, that both false and misleading information has been added to my HR file.

I have contacted the team who are in charge of this area within the business and have informed them of this.

They replied saying they are not willing to change any of the information that I have said is incorrect and that it is the opinion of the company.

Does this not contravene Article 16?

14 Comments
2025/01/27
22:50 UTC

2

Where are these “Sections” being referred to?

The Standard Data Protection Clauses (https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf) mention "Sections" a lot. The sections don't line up with the Data Protection Act 2018, though (e.g. this says a hierarchy is described in some Section 10, but there's no hierarchy in section 10 of the DPA2018, and GDPR sections don't go that high and it mostly uses "Articles"). Can anyone tell me just the document or thing that the Sections this is talking about are in?

Not asking for legal advice, just what document is this talking about, so I can refer to it while reading it?

4 Comments
2025/01/27
21:08 UTC

4

What is and what isn't legitimate interest (cookies)??

So as I understand it, when you click "Reject All" that doesn't object to legitimate interest. However, if I choose "essential cookies only" or "necessary cookies only", does that include or exclude legitimate interest?

EDIT: Also, are the UK laws the same for this?

3 Comments
2025/01/27
18:20 UTC

4

What Are Some Lesser-Known Aspects of GDPR That Often Get Overlooked?

Hey everyone,

I’m currently navigating GDPR compliance and while I’ve covered the basics, I’m wondering if there are any aspects that people often miss or underestimate. Everyone talks about data protection and consent, but are there any smaller, less obvious things I should be aware of to ensure full compliance?

I’d love to hear about any “hidden” challenges you faced or things you didn’t realize were so important until later in the process.

Thanks in advance for any tips or advice!

7 Comments
2025/01/27
18:14 UTC

3

Chances of finding a privacy related job in EU for non-EU privacy lawyer?

I am a non-EU national. I completed my LL.M. at a reputed university in the Netherlands, covering the GDPR/Privacy domain extensively. Just after completing my LL.M., I came back to my country, primarily because of the covid situation. Currently, I have 3 years of relevant work experience in the field of data privacy in a non-EU (or say 3rd world) country, which includes working for an EU-based organisation. Also, I am a CIPP/E certified professional.

Considering the factors, are there still possibilities to find a suitable job, taking into account the economic situation as well? I got interview calls from 2 different organisations in the EU (reached the final round both times but didn't succeed) in the past 6-8 months. Other than that, I hardly got any interview opportunities despite the decent number of openings.

I want to utilise the educational background and overall skills/knowledge I gained over the past couple of years. A suitable opportunity in the EU will definitely enhance my career in terms of future growth (growth is limited in my country in the same field, as of today).

3 Comments
2025/01/27
06:48 UTC

1

US newsletter with EU subscribers who opt in

Wording this more generally: Would a US e-newsletter be required to do anything special if an EU person subscribed of their own volition?

6 Comments
2025/01/26
19:51 UTC

2

Did you ever have a reportable breach?

Please share, what you can, about any reportable data breach you had at your company.

Was there resistance against reporting it? What happened after the report was made?

14 Comments
2025/01/26
19:23 UTC

2

Subject Access - Legal Costs

Looking for the collective wisdom of the sub to verify my thinking.

I’m reviewing a privacy notice which, under the subject access section, says ‘legal costs may be sought in the event of a request made’.

I want to make sure I haven’t misunderstood this. But under the Data Protection Act 2018 (UK) the controller has no lawful basis to charge or seek recovery of legal fees.

4 Comments
2025/01/26
16:00 UTC

4

End of probation period - company wide announcement on internal website. Illegal?

Started a dull af IT admin job almost 6 months ago. Per the contract, the first 6 months would be a probationary period. Not a big big deal there.

About 5 months in, I was told the probationary period would be concluded soon and that I would no longer be an employee soon. A fair enough arrangement. Time to start submitting resumés elsewhere. A bit embarrassing, as I have nearly 17 years of IT admin experience behind me. It was a bit tedious/underwhelming in any case, so I doubt I would have remained there for very long anyway.

One day prior to my last ‘active’ day with them an announcement (without my consent) was made on the company SharePoint website that after 6 months of probation I would ‘no longer be continuing the journey with them’ and other direct references to the probation. Lots of the usual platitudes alongside that news.

I was never spoken to once about their intention to tell 100+ people about this.

I understand that they must tell the company that the IT dude was soon to be gone, but should otherwise confidential information be shared with so many (if it otherwise added nothing to the announcement)?

My date (and reason for leaving the company) was only disclosed (privately) to those who needed to be informed. Open IT support tickets. You get the drift...

A GDPR issue? I don’t want to get aggressive about things as I am still waiting on a reference letter.

I have since removed any explicit references to probation periods, a perk of being the sole IT admin working for them.

I live in Germany if that matters.

Thanks.

23 Comments
2025/01/25
22:37 UTC
