Why do you need my email address during the registration process?
We need your email address as the identifier which we provide to companies you request us to contact on your behalf, so they can locate your associated personal data in their systems.
Can anyone use my email address to request information from companies?
No. We use a secure two-step email authentication process to verify that you indeed have access to the email account you provide us with.
How are you authorized to request information and changes on my behalf?
During the two-step email authentication process, we ask you to explicitly authorize us to request information and changes from companies based on your instructions. We do not issue any requests without you actively selecting the respective companies, and choosing to take action.
Some companies say One.Thing.Less is not legally authorized. Is that true?
This is not true. The Swiss Federal Data Protection and Information Commissioner has publicly stated that the authorization of One.Thing.Less obtained from its users to act on their behalf is legally valid and binding. In particular, he emphasized that no written authorization is required and that the authorization is validly given by electronic communication. It is limited to requesting information on the processing of your personal data from companies you actively select, and requesting changes thereto as per your instructions. So it’s not just a sign of respect towards you if a company responds to you, it’s also their legal obligation under applicable data protection laws such as GDPR.
Some companies say they can not verify if the request is legitimate.
This is incorrect. One.Thing.Less has provided all companies listed in our app with an initial service announcement detailing how our service works and has offered to provide more information upon request, so that companies have the possibility to verify that every single request is legitimate.
Some companies want to verify my legal identity and ask for a copy of my personal ID. Do I have to provide this?
This is not required in the context of a request issued via the One.Thing.Less platform. Why? Because we limit every request to the personal data linked to the email address we first verify in an audited procedure, and we ask only about how this personal data is used, not for the personal data itself. Our email-based approach also protects your privacy, as companies do not need to ask for more personal data (such as your full name, address, birthday or even passport copy).
Companies have an obligation to protect your personal data from unauthorized access by third parties, which is why One.Thing.Less focuses its questions on the use of personal data. Like this, companies providing answers to you via our platform are of course not at all committing any data breach.
Consequently, companies requesting copies of government-issued photo IDs for verification purposes are acting against the guidelines issued by the Working Party 29 of the European Union, which state that if the legal identity has not been validated before, "such verification may not be relevant to assess the link between the data and the individual concerned, since such a link is not related with the official or legal identity. In essence, the ability for the data controller to request additional information to assess one’s identity cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data requested.”
If a company has not verified a government-issued photo ID from you when it obtained your personal data (e.g. when registering for an online account, subscribing for a newsletter, signing up for a loyalty program etc.), then a company has no equivalent basis for comparison, and such a request is neither required nor legitimate. Furthermore, asking you to email copies of government-issued photo IDs in an unsecure way that exposes both you and the company to unnecessary risks of identity theft.
Are companies obliged to respond to requests from me?
If you are an EU resident, then the General Data Protection Regulation (GDPR) entitles you to a response as you are considered a "data subject". Companies which control your personal data are considered "controllers", and Article 12(4) GDPR explicitly states that "if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy."
Under the applicable data protection laws such as the GDPR, you are entitled to the answers to your questions. However, every company decides for itself how it wants to treat its customers and their requests, so it is up to you to decide how such behavior changes your relationship with them, and whether this is a reason to distrust them.
What can I do if a company is not responding to my request or does not answer the questions?
One.Thing.Less is taking appropriate steps to address such behaviour, as most companies do want to provide answers, but have to adapt how they deal with the legally valid requests which have been issued via our platform.
The most powerful and convincing force is your power and voice as an individual. This is why we have introduced a “send reminder” function for our users. If you have not heard yet from a company after a month, you can send them a friendly reminder directly from our app. This also establishes a time-stamped proof that a company has not responded within the deadline set by the General Data Protection Regulation of the European Union.
If a company continues not to respond or refuses to provide you with the answers, then you have the option to contact the responsible Data Protection Authority and lodge a complaint. A list of all EU Data Protection Authorities can be found at http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
Changing the level of transparency regarding the use of personal data does not happen overnight, and we are thankful for those users who take an active part of driving this change around the world.
Can you tell me what use of personal data is good or bad?
We at One.Thing.Less do not presume to judge if the use of personal data for a particular purpose is good or bad. We believe in you being able to make this decision based on the responses you receive from companies which you decide to contact. But we also believe that companies which do not respond to your legitimate requests fully and in time better have a very good reason for that.
I am not an EU resident but would like to know how companies are using my personal data. Can I still use the app?
Yes, you absolutely can use our app. However, depending on the applicable data protection regulation for you, you might not be entitled to a response from companies. It is up to the individual company to decide if and how they respond to your request and if they want to treat non-EU residents different from EU residents.
I am curious to know what information companies have on me, but I may not want to opt out. Can I still use the app?
Absolutely. When you launch an ASK request in our app, we only ask for responses regarding if and how a company uses your personal data, nothing more. Only when you choose to ACT do we contact companies on your behalf to inform them about your change request. Nothing happens without your explicit action first.
Nothing in life is free – why am I not paying for your service?
We believe that privacy and your ability to take control over the use of your personal data should be fundamental human rights, so individuals should not be charged for it. To be very transparent — we make money by helping companies to answer customer requests regarding the use of their personal data faster, efficiently, and more secure using our platform, as fulfilling their duties to grant their customers’ individual rights is absolutely essential to avoid distrust by customers, media and data protection authorities. And we believe that you don't want to wait up to 30 days until you hear from them about how they use your personal data. Our Co-Founders have invested their own time and money to build the One.Thing.Less platform and have not accepted any outside investment in order to maintain independence and the freedom to develop our services.
Can companies influence the questions I can ask or changes I can request?
No, One.Thing.Less is absolutely independent and proud of it.