GDPR Article 17 - Your right to erasure (by Stinc)

in #gdpr3 years ago (edited)


Did you know that if you ever signed up for a Steem account via then they are likely still holding your email address in their database ?

Depending on the exact timing and method of your registration, they could also be holding your phone number or an associated Reddit account. I would speculate that they probably also record associated IP addresses.

The alleged original purpose of collecting this information was to assist with the account recovery process, and to minimize abuse of the signup system.

However, the Steemit Inc that you once signed up with is no more - it's a corrupted shell, Steemit in name only.
The staff have left, the community has left, but the corporate shell and its new owners inherited that big database of user information.

What can we do about Steemit Inc holding on to our private information ?

If you're in the European union you should be covered by the General Data Protection Regulation , and companies like Steemit Inc are obligated under Article 17 of the GDPR to honour your "Right to Erasure".

Individuals can demand that their data be deleted if it's no longer necessary for the purpose it was collected, or there is no ‘compelling’ reason for its continued processing.

According to the Steemit Privacy Policy under the header "Your Rights" the email address to use is [email protected] .


Here's an example of a data removal request :

This template is available in other file formats with more explanation on its original source here.
Modify the end section {{ in curled brackets }} to target the request to your specific data (email, username, phone number etc).

To Whom It May Concern:

I am hereby requesting immediate erasure of personal data concerning me according to Article 17 GDPR.

Please erase all personal data concerning me as defined by Article 4(1) GDPR.

I am of the opinion that the requirements set forth in Article 17(1) GDPR are fulfilled. You cannot claim an expectation based on Article 17(3) GDPR either, particularly as I am not a public figure.

If I have given consent to the processing of my personal data (e.g. according to Article 6(1) or Article 9(2) GDPR), I am hereby withdrawing said consent for the entire process.
In addition, I am objecting to the processing of personal data concerning me (which includes profiling), according to Article 21 GDPR. I request that you restrict the processing of the data concerning me pending the verification whether your legitimate grounds override mine, pursuant to Art. 18(1)(d) GDPR.

If you have made the aforementioned data public, you are obliged pursuant to Article 17(2) GDPR to take all reasonable steps to inform other controllers, including search engine operators, who process the personal data listed above, that I have requested the erasure of all links, copies or replications. This applies not only to exact copies of the data concerned, but also to those from which information contained in the data concerned can be derived.

In case you have disclosed the affected personal data to third parties, you have to communicate my request for erasure of the affected personal data, as well as any references to it, to each recipient as laid down in Article 19 GDPR. Please also inform me about those recipients.

If you object to the requested erasure, you have to justify that to me.

My request explicitly includes any other services and companies for which you are the controller as defined by Article 4(7) GDPR.

As laid down in Article 12(3) GDPR, you have to confirm the erasure to me without undue delay and in any event within one month of receipt of the request.

I am including the following information necessary to identify me:

{{ Enter your identification data here - In the case of Steemit you will need to specify what data you'd like removed such as your email address, or data associated with username xyz, phone number 123 etc }}

If you do not answer my request within the stated period, I am reserving the right to take legal action against you and to lodge a complaint with the responsible supervisory authority.

Thank you in advance.

Yours sincerely,
{{ Your name }} 

Alternatively I just discovered this request generator from that allows you to customise the request with a simple form.

Why do this ?

I can see a few incentives for people to do this.

  1. Self Interest / Legitimate privacy concerns due to the corrupt nature of the Stinc shell. Nobody wants the inevitable spam and targetted phishing attempts when STINC sells/leaks/gets hacked for your private information.

  2. Spite / Revenge : It's very likely that none of the original staff that handled this database setup, maintenance and removal requests are available anymore. The GDPR specifically states they need to respond within 1 month of your request, and could be punished with fines for non compliance.

Think of the chaos that would ensue if everyone did this at the same time.

Unfortunately I'm Australian - so none of it applies to me :(

I'm unable to find an Aussie equivalent to the GDPR that could help me here (@apshamilton?)..

Despite them censoring all of my posts at the API level, publicly calling me a criminal hacker and then stealing 28k of my Steem they still get to hold onto my personal info just in case they can use it to fuck me again one day.

It bugs me. Save yourself if you have the option, and let me know in the comments :)


Thanks for reminding me about GDPR, email sent!

Very keen to know if you get a response.

No response so far...

Good point.
Australia has the Privacy Act 1988 but no right of removal as far as I'm aware.
Might be coming though.

In the case of Steemit we all know what happened and expect what's coming, at least they don't have a selfie of me holding my ID and copy of my ID, both faces, in their records. What they have is disturbing enough, what others have is more disturbing, what others do with the data they collected is way more disturbing; most of that data they collected without by direct consent, some of it with direct consent.

You must have heard of the murder of the Saudi Khashoggi in his own country's consulate in Istanbul, the Saudis got his full details through a combination of data collecting software using his Twitter account and WhatsApp on his phone. They got that info with the help of the Israelis. They also copied Jeff Bezos data, and other Saudi dissidents abroad.

We should be very careful in the way we provide our information to all these online platforms. A wallet called Uphold linked to the supposed to be more secure and privacy protection web browser Brave asks for your selfie holding your ID and you should trust them. They blocked me when I asked for the same info from their board of directors, I'm supposed to trust them but they don't trust me!

Name a tech company that collected your data that didn't have a major leak exposing your data, the worse part they leaked your data to unknown hackers and not only to security agencies.

Steemit has my email address, my pen name and a roaming mobile number I have, that's it. Not that I was foreseeing a change in the company's ownership that the data they have on me is mine but at the same time is not that easily traceable, unless they tie up with a western spy agency, it's just because of what I learned from hacks and leaks the likes of yahoo half a billion account details which until today I'm sent ransom demands showing me they have one of my very old passwords I used the, or that of Academia, and the multiple Facebook breaches, and the fact that Twitter employees sold the Saudis data which was obvious to follow Yue acquisition of a considerable number of Twitter shares by a Saudi prince at the time, and others.

If I remember correctly, if your data was stored in a European country then you still have the same rights. It is irrelevant where you are based. I stand to be corrected though but from memory the above is true,.

I seriously doubt that any self centered totalitarian little psycho like JS would ever honour any law of any country/state/nation.

People like that just don't care about anything or anyone.

So although there may be laws regulating what is and isn't allowed as far as personal data goes, those laws are only worth as much as the people who should be abiding by them.

As far as I am aware, there has been quite a lot of companies punished for not complying. I don't know the exact rates, but at least the company I work for (data management) and all of the client companies (B2B stuff) take it very, very seriously.

The fines are in the thousands of USD per day. It'd be enough to get Justin's attention...

Yep - that is what I understand.

those laws are only worth as much as the people who should be abiding by them

Or enforcing them. 😉

Really all you have to do is submit your request. If you do not hear anything back within the 30 day period then report them to your local DPC. They will take it from there. Here in Ireland our DPC is an animal, I'd love to set her on JS!

I suggest making the demand anyway. Either they spend time and money refusing the request, including ascertaining your jurisdictional residence and consulting legal counsel regarding the GDPR's applicability to you, they comply with your request, or risk legal action to satisfy the tort of retaining your information.


La verdad amigo, que al ser grandes conglomerados se hacen muy fuerte, y gracias por recordarme lo del RGPD.

Thanks, I forgot all about it... not as easy as powering down.


I am also registered on Steemit and did not know about this thing. It is true that now we sign up on many platforms (social, exchange, airdrop, etc) but the danger of providing personal data to people we do not know is often underestimated. Even if these platforms are legit, there is always the risk of hacking attacks with our data then sold on the Deep Web (TOR).

Thanks, need to get my house in order, commenting to save this first.

Wow, that's unbelievable. Steemit has turned to a new house of fraudulent grab. Too bad 😩😩

Great one Ausbitbank!

I think it is in the best interest of everyone who signed up on Steemit to erase their data ASAP. I will forward mine soon.

Meanwhile, you had to do the job of an Attorney 😊👌

Some people still use the same keys on hive as they used on steem

Good thing both sets of keys are theoretically only known by the owner of the associated account. Steemit Inc. probably doesn't have a secret database with private keys in it. Too much of a liability.

Still, I would make sense to change them for hive and store your private keys off-line

Yes, I eventually want to create some basic software that would allow anyone to use a Raspberry Pi to generate Graphene keys offline. You'd then broadcast them to the blockchain using a camera phone and QR code, which would make your keys pretty much unhackable via the Internet through the airgap.

Never heard about that, I like my ledger key.

Good suggestion. However, the question is (in the EU I think) if they (Steemit) will commit to sticking to it. It is true, as Article 17 of the GDPR says, that you have the right to erasure and that they are obliged to do so, but they are not part of the acquis in the EU so they can ignore it without any problems. Maybe it would be better to get started and ask Google for the right to delete in search results on Steemit? I do not know...

very informative post. that's prettty cool to know. thank you a lot for this

Thanks for informing us, I will have to send a letter too!

I’ve changed my keys from Steemit To Hive, and in 3 weeks my backup account on Hive will be my recovery account rather than the Steemit account. I am American and I don’t know if we have any regulations or laws to remove my data.

That sounds good. I'll look into it.
On a related note, a friend if mine is currently going nuts over her Hive account possibly being hacked. She was on Steemit before. She can still access her Steemit account, but she can't log in on hive. The hive blocks page shows what seems to be changes in her keys, which obviously she did not make. What can she do?

If her keys have changed recently and it's not her she should contact her account recovery partner, and make sure she has her old copies of her keys. It may not be too late to recover the account (assuming her account recovery partner isn't steemit).

Thanks for responding. I'm afraid it is steemit. Where can she see/double-check that information?

Check , and look for recovery account in the left column

Ok, I see. what's the procedure to change that recovery account partner?. I understand she would not be able to do it anyway

This is an old post but the steempeak instructions work on now image.png

Thank you very much. Have a good day

Congratulations @ausbitbank! You have completed the following achievement on the Hive blockchain and have been rewarded with new badge(s) :

Your post got the highest payout of the day

You can view your badges on your board And compare to others on the Ranking
If you no longer want to receive notifications, reply to this comment with the word STOP

To support your work, I also upvoted your post!

Do not miss the last post from @hivebuzz:

Hive Power Up Day - Let's grow together!

Thank you. Will send mail ASAP.

This might be useful in times ahead, especially due to the financial nature of the modern internet...

Btw how can we be sure that the company erased our data from their system? Can they manipulate the process?

Oh my!!! Terrible!!! Long time that I did not see your post. What makes you busy @ausbitbank? (^_^)

Excellent advise, and GDPR fines in Europe are massive - they can run into the millions.

20 million or 4% of turnover, not profit. Which ever is the greater. But it really depends on your DPC.

Thank you for your valuable information. But unfortunately GDPR doesn’t apply in my country. However, i shall check our laws how to remove this data.

Although I like the idea Would you really trust Steemit Inc to do this even if they said yes?

Sent the email, I hope they don't answer and that we get the money on top of erasing the data.

🎁 Hi @ausbitbank! You have received 0.1 HIVE tip from @dswigle!

Check out @dswigle blog here and follow if you like the content :)

Sending tips with @tipU - how to guide.

Congratulations @ausbitbank! You received a personal badge!

You powered-up at least 10 HIVE on Hive Power Up Day!
Wait until the end of Power Up Day to find out the size of your Power-Bee.
May the Hive Power be with you!

You can view your badges on your board and compare yourself to others in the Ranking

Do not miss the last post from @hivebuzz:

Hive Power Up Day - The countdown is ticking
Hive Power Up Day - Let's grow together!

Congratulations @ausbitbank! You received a personal badge!

You powered-up at least 10 HIVE on Hive Power Up Day! This entitles you to a level 1 badge.
Participate in the next Power Up Day and try to power-up more HIVE to get a bigger Power-Bee.
May the Hive Power be with you!

You can view your badges on your board and compare yourself to others in the Ranking

Do not miss the last post from @hivebuzz:

Hive Power Up Day - The countdown is ticking
Hive Power Up Day - Let's grow together!


Hey bro, your a witness. I'm trying to post this post> But things are not happening like they are supposed too.

Image source

You heard of The Great reset? Let's turn this into the greatest fuck up.

Make no mistake people, 2020 was an attack on the people, all people. World War 3 started with the destruction of the Middle East and then became a planned attack on all people in 2020.

These same people spreading the disinformation, even through their-own networks are the main contributors to pollution which mislabeled this as saving the planet.

We are all being deceived. A video symbolic to defense and the return of humanity. Back from the brink of destruction. > 😉

P.s. To our human brothers and sister connected to them a but also being deceived by "them". We need more leaks!!! 🤠

I just posted this post a few mins ago, not visible on Peakd or but visible here, any known bugs or?

 3 years ago  Reveal Comment