That’s how I understand the UK situation too, however what is anonymous is left much for debate & sometimes local best-practices. Like, a user can be identifiable by their posts, or even full name.
If I create an anonymous account but put what looks like a real name in the username field, and sign all posts with that real-looking name, who’s to say it’s really my name? Then suppose I lose my internet connection but want to exercise my right to be forgotten. The GDPR enables people to make an Art.17 request in writing but the GDPR also mandates that data controllers identify who the request comes from (so Mallory does not request deletion of Alice’s records). If a user ad hoc puts their name on everything then mails a request with a copy of their ID card which matches the name they put on everything, it’s a bit off because a company who does not ID users would not normally have the infrastructure in place to support GDPR requests. (and that’s a good thing… it’s good that there’s incentive to support the practice of offering anonymous accounts) But here’s the other problem: the ID mechanism itself must be minimal. A data controller cannot demand a full copy of your ID card if they can verify using something less intrusive like date of birth to verify you. Perhaps in this case a copy of the ID card would be necessary. OTOH, names are not generally unique, which would mean I could use my ID card to request deletion of all records of other people who have the same name.
As a practical matter, we also have to figure that DPAs are extremely lazy. I’ve filed many Art.77 reports with strong irrefutable evidence and the cases just sit for years. I cannot see a DPA being motivated to work on a case that Reddit can easily defend. OP’s best move is to look at local anti-spam laws (I’m guessing it’s spam… I do not have access to the Cloudflared image the OP posted).
That’s how I understand the UK situation too, however what is anonymous is left much for debate & sometimes local best-practices. Like, a user can be identifiable by their posts, or even full name.
If I create an anonymous account but put what looks like a real name in the username field, and sign all posts with that real-looking name, who’s to say it’s really my name? Then suppose I lose my internet connection but want to exercise my right to be forgotten. The GDPR enables people to make an Art.17 request in writing but the GDPR also mandates that data controllers identify who the request comes from (so Mallory does not request deletion of Alice’s records). If a user ad hoc puts their name on everything then mails a request with a copy of their ID card which matches the name they put on everything, it’s a bit off because a company who does not ID users would not normally have the infrastructure in place to support GDPR requests. (and that’s a good thing… it’s good that there’s incentive to support the practice of offering anonymous accounts) But here’s the other problem: the ID mechanism itself must be minimal. A data controller cannot demand a full copy of your ID card if they can verify using something less intrusive like date of birth to verify you. Perhaps in this case a copy of the ID card would be necessary. OTOH, names are not generally unique, which would mean I could use my ID card to request deletion of all records of other people who have the same name.
As a practical matter, we also have to figure that DPAs are extremely lazy. I’ve filed many Art.77 reports with strong irrefutable evidence and the cases just sit for years. I cannot see a DPA being motivated to work on a case that Reddit can easily defend. OP’s best move is to look at local anti-spam laws (I’m guessing it’s spam… I do not have access to the Cloudflared image the OP posted).