GDPR is a failure


GDPR is something that both EU citizens like to brag about and companies like to advertise with. But as someone who makes extensive use of it, I can say the entire process is flawed, the law is ignored, and enforcement is borderline impossible. It’s the data protection equivalent of the cookie popups, which I’d even argue are more effective at their goal.

Whenever a company has my data and uses it for marketing purposes without an easy opt-out, or a company has my data and I stop using its services, I generally like to have the data deleted or to withdraw certain consent, such as consent for marketing. Sometimes this is easy, but sometimes it requires invoking my GDPR rights as an EU citizen to actually get it done.

In the past year I have made around 20 GDPR data deletion/information requests to various companies. Only 2 complied immediately, a further 6 complied after I filed a complaint with the data protection office, and the remaining 12 have not complied. Large companies, charities, and companies that explicitly advertise as “Made in EU/GDPR compliant”, from Greenpeace and government-funded museums to open source companies, completely fail at this.

💡 Note: I am aware that some data, such as invoices, may have to be kept for a longer period due to various financial laws. Whenever I speak of “data” in this article I’m referring to things like profile pictures, phone number(s), emails, stored addresses, online accounts viewable by others, and so on.

GDPR for marketing only

Let’s look at how one of the bigger companies in the 3D printing world, Prusa 3D, which often gets mentioned for its privacy stance and the fact that it is based in the EU and GDPR compliant, handles a simple request to delete user data:

  1. Step one, change the user’s email
  2. Step two, say that you deleted the data:

To this day, I can still view and verify that they have in fact not deleted my data. I even added a “GDPR Failed” address to my account after the email, so they’re not even blocking it in some way.

The email says “request from 28 November 2025”; the truth is that I sent a GDPR deletion request in 2024, and this was just a reminder that they still hadn’t processed it. This is also after their “GDPR Advisor” said that requesting data deletion via email isn’t even legally allowed, which is completely wrong.

Regulatory hell

Taking the example above, you’d think that a company blatantly ignoring a deletion request would be straightforward to report. The company has the data, the company was asked to delete it, the company didn’t. Open and shut.

I reported Prusa to the Czech data protection office back in 2024 (case UOOUX00H3395). As of writing, they have never processed my request. They never replied to my follow-ups, written in both Czech and English. Nothing happened.

The German data protection office was more responsive: they replied after about a month, telling me there’s nothing they can do. Their only option would be to contact their Czech counterparts, and since I had already done that, the chain ends there. So despite being a German citizen, my data protection rights depend entirely on the enforcement capacity and willingness of a foreign regulatory body.

This is the reality for any cross-border GDPR complaint. The regulation is EU-wide, but enforcement is national. If the company sits in a country where the data protection office is underfunded, understaffed, or simply doesn’t care, you’re out of luck. Your only remaining option is to hire a lawyer, pay out of pocket, and sue a company in another country for something they should have done after a single email.

Of the 12 companies that still haven’t complied with my requests, the pattern is the same. The data protection office either didn’t respond, didn’t act, or the company simply ignored the office too. The data is still there. The accounts are still active. Nothing changed.

The spam filter loophole

For the 6 companies that did comply after I involved the data protection offices, most gave the same excuse: they never received the request.

A few went further. They claimed their IT systems had automatically categorized my GDPR request as spam and deleted it before anyone saw it. And the data protection agencies accepted this.

Here’s the exact legal reasoning I was given when I reported the Naturhistorisches Museum Wien – a government-funded museum, translated:

According to Art. 12 (3) GDPR, the deadline for processing a request to exercise data subject rights only begins upon actual receipt by the controller. An email that is automatically processed by upstream IT security systems (e.g., spam or malware filters) and does not reach the responsible organizational units is legally not considered as received. The GDPR does not establish an obligation to manually review all automatically filtered messages.

Read that again. A company can list an email address as its official GDPR contact in its privacy policy, and if its own spam filter eats your request, the request legally never happened. There is no obligation to check the filter. There is no obligation to ensure delivery. The burden is entirely on you to prove they received it, and the only evidence you will have is on your side: the sent message, its Message-ID, and whatever delivery logs or receipts your own mail provider keeps.

This isn’t an edge case. This is a systemic loophole that allows any company to quietly discard data protection requests with zero consequences. Set up aggressive spam filtering on your GDPR inbox, and you’ve effectively opted out of the regulation.

And if you do follow up, the clock resets. The one-month response window from Art. 12 (3) starts from “actual receipt,” which means the company can play this game indefinitely.

Changes are needed

GDPR in its essence is not bad. The rights it grants are reasonable and necessary. But the enforcement infrastructure around it is broken, and without serious changes, it will remain a regulation that only those who already care about privacy comply with.

Cross-border enforcement needs to actually work. If I’m a German citizen and a Czech company violates my rights, there needs to be a mechanism that doesn’t dead-end at “we forwarded it to the Czech office, good luck.” The EU needs to either centralize cross-border complaints or give national offices the authority to enforce against companies in other member states directly.

The spam filter loophole needs to die. Companies should be required to implement a standardized, verifiable request method: a web form, a dedicated portal, something that generates a confirmation and a timestamp the requester can keep. If a company lists only an email address for GDPR requests, it should be liable for delivery failures on its end. You can’t advertise an email address as the official channel and then claim your own infrastructure made it unreachable.

There need to be mandatory minimum fines. Not the theoretical 4% of global turnover that only ever hits trillion-dollar companies. A flat minimum, say 5,000€ per violation, no matter how small the company, applied automatically once non-compliance is confirmed. No appeals on the fine itself, only on whether the violation occurred. Right now, the cost of ignoring a GDPR request from an individual is zero. That needs to change.

Data protection offices need funding and accountability. An unanswered complaint is a failed complaint. If a regulatory body can’t process reports in a reasonable timeframe, it’s not regulating anything. There should be public reporting on resolution times and outcomes, so citizens can see whether their data protection office is actually functioning.

Nobody cares, and that’s the problem

The news occasionally reports that some S&P 100 company got fined a few million for a data protection violation, and everyone cheers. That’s the visible part. The invisible part is millions of individuals whose requests get ignored, discarded, or lost in bureaucratic limbo with no recourse.

Nobody checks whether companies actually comply. Nobody audits the small and mid-sized businesses. The enforcement agencies don’t have the resources, and the EU doesn’t seem interested in giving them more.

I’m sure I’m not alone in this. I’m convinced that GDPR rights are being violated at a massive scale, every single day, by companies of every size. But unless there’s a headline-worthy fine to collect from a company with a trillion-dollar valuation, nobody cares.

The regulation exists. The enforcement doesn’t.


🕒 **Posted on**: 1770141627
