One of my clients recently received an extensive data protection request concerning the requester's personal data. Since I advise my clients to evaluate whether privacy requests are genuine or merely intended to “cause trouble”, but am personally convinced that genuine privacy matters as well, I would like to share some of that request in this post.
Dear Sir or Madam:
I am writing to you in your capacity as data protection officer for your company. I am a customer of yours, and in light of recent events, I am making this request for access to personal data pursuant to Article 15 of the General Data Protection Regulation.
[…]
I am attaching a copy of the documentation required to verify my identity. If you need more information, please contact me at my address above.
I would first like to inform you that I expect a response to my request within one month in accordance with Article 12, otherwise I will forward my request to the appropriate data protection authority with a letter of complaint.
The following information was then requested:
1. Please confirm whether or not my personal data will be processed. If so, please let me know the categories of personal data you have about me in your files and databases.
a. Specifically, please tell me what you know about me in your information systems, whether or not they are in databases, including email, documents on your networks, or voice or other media you may store.
b. Please additionally inform me in which countries my personal data is stored or accessible. If you use cloud services to store or process my data, please indicate the countries where the servers are located where my data is or has been stored (in the last 12 months).
c. Please provide me with a copy of or access to my personal data that you have or are processing.
2. Please provide me with a detailed account of the specific uses you have made, are making, or will make of my personal information.
3. Please provide a list of all third parties to whom you have (or may have) disclosed my personal information.
a. If you cannot identify with certainty the specific third parties to whom you have disclosed my personal information, please provide a list of the third parties to whom you may have disclosed my personal information.
b. Please also identify which jurisdictions you have identified in 1(b) above, those third parties to whom you have disclosed or may have disclosed my personal information, from which those third parties have stored or may access my personal information. Please also provide information about the legal basis for the transfer of my personal information to these jurisdictions. If you have done or are doing so based on appropriate safeguards, please provide a copy.
c. In addition, I would like to know what safeguards have been put in place with respect to these third parties that you have established in connection with the transfer of my personal information.
4. Please tell me how long you will retain my personal information, and if retention is based on the category of personal information, please indicate how long each category will be retained.
So far, so good. The following questions could be tricky for clients, because it will regularly be barely possible, or possible only with great effort, to provide this information.
5. In addition, if you collect personal data about me from a source other than me, please provide me with all information about its origin in accordance with Article 14 of the GDPR.
6. When making automated decisions about me, including profiling, whether or not based on Article 22 of the GDPR, please inform me of the basis for the logic involved in making such automated decisions and the significance and consequences of such processing.
The remaining points will hopefully hardly apply to anyone. It would probably be better to do everything technically possible to avoid having to answer questions 7 onwards in the first place.
7. I would like to know whether or not my personal information has been shared by your company in the past by mistake or due to a security or privacy breach.
a. If yes, please provide me with the following details about each violation:
i. a general description of what happened;
ii. the date and time of the breach (or best estimate);
iii. the date and time the violation was discovered;
iv. the source of the breach (either your own company or a third party to whom you have transferred my personal data);
v. details of my personal data that have been disclosed;
vi. your company’s assessment of the risk of harm to myself as a result of the breach;
vii. a description of the measures taken or to be taken to prevent further unauthorized access to my personal data;
viii. contact information so that I may obtain further information and assistance in connection with such breach; and
ix. information and advice about what I can do to protect myself against any harm, including identity theft and fraud.
[…]
The following questions are understandable, but they are also a good indicator of a troll:
a. Please tell me if you have backed up my personal information on tape, disk, or other media, where it is stored, and how it is secured, including the measures you have taken to protect my personal information from loss or theft and whether this includes encryption.
b. Please also tell me if you have technology that allows you to know with reasonable certainty whether or not my personal information has been disclosed, including but not limited to the following:
i. Burglar alarms;
ii. Firewall technologies;
iii. Access and identity management technologies;
iv. Database audit and/or security tools; or,
v. Behavioral analysis tools, log analysis tools, or audit tools;
9. With regard to employees and contractors, we draw your attention to the following points:
a. What technologies or business practices do you have in place to ensure that individuals within your organization are monitored to ensure that they do not intentionally or unintentionally disclose personal information outside of your organization, via email, webmail or instant messaging, or otherwise?
b. In the last twelve months, have there been any circumstances in which employees or contractors have been terminated and/or prosecuted for improper access to my personal information, or if you cannot determine this with customers?
c. Please tell me what training and awareness measures you have in place to ensure that employees and contractors access and process my personal data in accordance with the General Data Protection Regulation.
Since this letter and similar ones are currently circulating on the Internet, you should think carefully about how to deal with such requests. It is currently difficult to say whether the data protection authorities in Germany will intervene or issue warnings if such requests, which are probably justified in theory, are simply left unanswered.
Although there are options, and also arguments, for refusing to answer at least a large part of these questions, this should certainly be coordinated with the company’s own data protection officer or legal advisor.