GDPR made Amazon gift me a USB stick
Recently I had to do something quite unusual. Almost 2 years ago (foreshadowing, my beloved) I bought a pair of earbuds as a gift to a friend on Amazon. At the time, my Amazon account was registered with an institutional email address and was mostly used for buying educational equipment. Once my time at the institution started nearing its end, I decided to delete one by one all the accounts I created through that address, including Amazon's.
Wouldn't you know it, after almost 2 years since giving away those earbuds, the friend mentioned that one of the buds suddenly stopped working for no apparent reason. No water damage, no sudden drop on the concrete, no journey through a toddler's digestive tract; thus, a successful warranty claim was still not out of the picture. Still, only a month or so was left until the 2 year warranty ran out, so we had to be (relatively) quick with our request.
Problem: my invoice got deleted together with the Amazon account, and I never printed it or included it in the original packaging, thinking that, if the day ever came, I would still have access to the PDF for download (which would be true if my time at the institution lasted just a bit longer, which I couldn't really plan for).
The clock was ticking and I didn't want to disappoint a friend for a stupid mistake I made. Then I remembered: I live in the EU, and Amazon, even in the case of a GDPR data deletion request, must still keep a bunch of information and documents about my financial transactions for a certain number of years. There was an opening.
So, I contacted the customer support, which redirected me to the department responsible for GDPR requests. The lady at the other end of the email chain replied quickly, asking for some ID to confirm I was the original owner of the account. Just before making sure everything was in order and my request could be finalized, came the single piece of information I didn't want to hear: the invoices and purchase receipts are not included in the data Amazon keeps after an account deletion, so if my plan was to retrieve one for a warranty claim I would not find any.
After this revelation I had to reconsider my position; it seemed like a complete dead end and I didn't really feel comfortable sending my ID and other PII via email. But I thought to myself "This doesn't cost me a dime, and Amazon still has everything sensitive about me, so why the hell not; at least I could see what they actually still have and how they deal with GDPR for a dead account".
After giving the support rep the go-ahead, some days of silence passed, until I was hit with a second bombshell: for security reason, my GDPR data will be sent to me via physical mail in the form of an encrypted USB stick, with the decryption password being sent separately be email, which could take from a couple of days up to a month. Well, this just became interesting and unnerving :)
Two weeks later, the e- and the snail- mails arrived together, and I was welcomed by a nice little package. Inside a 16GB USB disquette and a piece of paper with the instructions on how to decrypt it (nothing fancy, just a password protected .zip).
I followed the instructions and I started browsing the various nested folders, until I arrived to the perplexingly named /Retail.TransactionalInvoicing.2.
It couldn't be...
I opened the folder, and inside: each and every single invoice for every purchase I ever made. A list of PDFs of the exact thing I was told wouldn't have a chance of being there; and, of course, among them, the purchase receipt of the earbuds, ready to be put to good use for the warranty claim.
I don't think there is a moral to this story. Maybe always remember to follow your dreams? Or never trust documentation and investigate how things really work? In any case, I have to give credit to Amazon for thoroughly complying with the GDPR, it really saved my ass.