Adapting the Mechanics of Vulnerability Disclosure to an area where Privacy Rights need to be scrutinized and where transparency becomes paramount.


How to effectively evade the GDPR and the reach of the DPA (CDPWE-0001)

Company : Rocketreach
Status  : DPA does not pursue any further
CDPWE   : CDPWE-0001 - Does not designate a Representative in the European Union
URL :
Vulnerability Disclosure Policy:

I. Background
RocketReach is selling access to millions of European Data Subjects without recognising it is a Data Controller, without a representative in the EU (Art. 27) and with a questionable legal basis for processing.

II. Impact
Companies around the world can process and sell information about European data subjects without being sanctioned by the DPA for doing so, simply by not designating an EU Representative according to Art. 27 of the GDPR.

Note: That representative would be held accountable; without one, the CNPD (LUX DPA) argues that there is no way for them to proceed.

III. Advisory
If your data is also included in Rocketreach (just search on their website), then file a complaint with your local DPA (it's usually very easy and fast).

V. Timeline

5th of April  2019 - Issued a DSAR to RocketReach
5th of April  2019 - Rocketreach responds by deleting my data
5th of April  2019 - Filed a complaint via my national DPA (CNPD)
6th of March 2020 - The CNPD agrees with my position but claims to not be able to pursue further. See:

Sent through the Full Disclosure mailing list