Article 12(3) of the GDPR states: "The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request."
The Data Deletion Request Framework supports seven result codes. Code 0 indicates a succesful receipt of the deletion request and the others some kind of failure. While "How deletion request recipients act on them" is explicitly placed out of scope, the standard does not allow request recipients (as (join-)controllers under the GDPR) to communicate to the data subject that their request had been honored, aditional time is required or that the request is (partially) refused in most common usage scenario's in the online advertising ecosystem.
While I appreciate that the standard could be a significant improvement I do think it's relevant to document non-trivial gaps between the standard and (GDPR) compliance requirements.
Article 12(3) of the GDPR states: "The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request."
The Data Deletion Request Framework supports seven result codes. Code 0 indicates a succesful receipt of the deletion request and the others some kind of failure. While "How deletion request recipients act on them" is explicitly placed out of scope, the standard does not allow request recipients (as (join-)controllers under the GDPR) to communicate to the data subject that their request had been honored, aditional time is required or that the request is (partially) refused in most common usage scenario's in the online advertising ecosystem.
While I appreciate that the standard could be a significant improvement I do think it's relevant to document non-trivial gaps between the standard and (GDPR) compliance requirements.