Following on my (apparently) popular nightmare subject-access request and letter from a DPA… The GDPR provides for a number of remedies for individuals in regards to their personal data, that will put companies through their paces: rectification; the right to be forgotten and erasure; data portability; and objection to and restrictions on processing. The natural next step when someone has written you an annoying letter to find out what a company knows about a data subject, and how it is handling their personal data, is for the author to start exercising those rights. This gets harder to do in the natural flow of a letter, because of course, the exercise of these rights can arise in so many scenarios. I wanted to highlight individual elements of what data subjects can ask under the GDPR. They may not all come at once, but through the death of a thousand paper cuts, in a series of postcards from hell: 1. Let’s get rectified. Based on the information that you have provided to me in my subject-access request, it appears you have collected a profile on me based on my purchases. The fact that I am buying a lot of toilet paper is no one’s concern but my own; and it is not due to anything other than I have a lot of guests, not as is implied in the profile, that I am having some kind of organic issues. Please rectify this as soon as possible, as I now understand why I am receiving invitations to purchase medication. 2. Transfer this. I note that you have been transferring my personal data, namely my meal choices on flights, to the United States, and you have indicated that the basis on which you are making that transfer is based upon the EU-US PNR Agreement . The inferences being drawn from my being a vegetarian are that I am in a suspect group and am being profiled on that basis, which is why I am routinely pulled aside for “random” searches whenever I visit the United States. I request that you delete all information concerning my meal choices that you have collected on me. 3. Your vendor is infectious. I request you delete my contact information from your customer service vendor in India. I had one interaction to get support for my software a year ago – and now I routinely get calls from India insisting my Windows computer is infected (I own a Macintosh), so your outsourced vendor is not keeping my information confidential. Please confirm that you have followed up with any organization with whom my contact details have been shared with by your vendor. And in future, please restrict processing of my data to my software subscription maintenance. 4. Let my data go. I have been using your free budget management program on the Internet and now that I understand you are storing my financial and purchase data in countries which have a high rate of identity theft, I no longer wish you to have my data. Prior to deleting it, I would like to ask you to provide all my data in a CSV format that I can use to export to a system which stores its data in the European Union. Please use the attached schema which will support the import into the new system I wish to use. 5. Taking a gamble you have it right. I have been receiving direct mail from you both by the post and in my e-mail. I am in risk management and I attend conferences on privacy and risk management. I assume that is how you got my contact information, but I do not understand how this got linked to gambling. I don’t find gambling interesting and I don’t know why you would assume that I would want your magazine on gambling, or your e-mails to let me know about gambling events, and the connection with gambling is embarrassing and potentially damaging to my career. Stop sending me anything more and remove my name and address from your lists in relation to gambling. ( Yes, the last one happened to me ).
By Constantine Karbaliotis and Paul Breitbarth ( with thanks to Paul for introducing an experienced DPA perspective…Paul thinks I am too judgmental… ) So let’s imagine how the letter from hell has been answered in a typical organization. All these annoying questions have been asked, and they may have to be answered. The scope of the answers will depend on the context of what the subject is legitimately making a complaint or inquiry about. If you are not prepared and do not have an adequate picture of your data processing activities and privacy management processes, then answering any subject-access request will be time consuming. You won’t even know who knows the answers to some of these questions, and in your exploration of your companies’ subterranean caverns of data processing, you come up against the deadline. So naturally, you have written back initially in the one-month period following the subject-access request, to advise that you will require a further two months (Article 12(3) GDPR). And despite your best efforts and intentions to get answers from your IT department, your HR department, marketing and everyone else who presumably should know how this individual’s information is being processed, you find yourself coming up against the extended deadline again. And you slip over it. Not by much, but you are late. And your answers are, admittedly, a bit vague and perhaps not that persuasive. The data subject does what data subjects will do – they complain to their national or local DPA. And you get another letter… The DPA Inquires… Dear Sir, Madam, On , the DPA has received a complaint from , following a data subject access request filed with your company on . has asserted that the processing of his/her data by your organisation, is infringing his/her fundamental right to data protection as laid down in the General Data Protection Regulation (Regulation (EU) 2016/679). Based on the claims in the complaint, the copies of the correspondence between and , the DPO of your organisation, and in accordance with Articles 57(1)f and 77 of said Regulation, I have decided to open an investigation into the data processing operations of your organisation, and the way you provide access to data subjects’ information processed in your files and systems. I trust that your organisation will cooperate fully with this investigation. I do however stress that, if required, I can order your cooperation under Article 58(1) GDPR. I request that you provide an answer to the following questions within four weeks of today. Please be so kind as to answer the questions extensively, providing all information, as well as supporting documentation, that you consider relevant for this investigation. 1. has asked you to provide a digital copy of all information processed by your organisation about him/her. On , you have indeed provided a pdf file, containing the name, address and contact details stored in your systems about . Any further information, including for example the contact has had with your customer service team, seems to be lacking. Also information about ’s financial relations with your organisation has not been provided. I therefore request that you provide a full copy of all information your organisation processes about . 2. has indicated that the pdf file with his/her information you provided, also contained information related to his/her social media accounts, even though that information has never been provided to you by . In line with Article 15(1)g GDPR, please provide information about the provenance of this data. 3. In addition, you have not indicated what information you have concerning the profile you have developed of based upon usage of your website and in response to the input provided by in response to the surveys and other mechanisms you have provided to give your organisation feedback. In particular, notes that a third-party organisation processing information on your behalf, places a cookie on users’ computers. This appears to be used to track users’ activities not only on your website, but as users leave and go to other websites, their activities on those websites. Please elaborate. 4. In your correspondence with , you have indicated you process personal data for marketing purposes, without further specification how this information is processed and with which third parties this data is shared. Please elaborate. 5. also requested that you identify what countries his/her personal data was stored in or accessible from. You indicated that his/her data was stored in a data centre in the United States. However, has pointed out that in calling for support in relation to your that s/he was put in touch with customer support representatives in India. Your response therefore is complained of as being inaccurate. 6. specifically requested information concerning use of cloud services to store or process personal data, and your response was that you are not storing his/her personal data in cloud services. Notwithstanding this it is noted that your organization made a public announcement concerning the use of ’s cloud services to augment your processing. Additionally, identified that on at least one occasion s/he was required to exchange files containing personal data with your organisation’s support representatives via . 7. You have provided a list of third-parties with whom you share personal data of , which includes a payment processor as well as a company providing web analytics as noted above. However, your website proudly announced in 2016 a partnership with another third-party to provide related services to assist users with the use of , and has in fact received e-mail marketing communications from that partner. You have not listed what information is shared with that partner, nor have you indicated this as a use of the information of in response to the query relating to specific uses of information. You have also not indicated what jurisdiction this partner has stored or has access to ’s personal information. Please elaborate on the relation between your company and this partner, as well as the data shared between the two companies. 8. Both in relation to this undisclosed partner as well as your identified third-party processors, you have not indicated if the data is transferred outside of the European Union, and if so, what the legal grounds for transfer of personal data are on which you rely, or your safeguards in relation to the protection of personal data. 9. In response to the question of relating to the retention of personal data, I can only ascertain you have repeated the text of the law, stating personal data is retained “no longer than necessary”. Please provide for each data category and processing purpose the specific retention periods your organisation has decided upon. 10. You have indicated that there had been no breaches of personal data involving as a result of a security or privacy breach. However, has pointed out and I note, that you have notified regulators, namely in the United States of America, that your company experienced a breach on involving individuals in . This breach arose from a rogue employee accessing and selling personal information from your data centre in the United States, which is where you indicated that data of EU residents is also stored and processed. This information suggests that the EU residents data has also been accessed, or may have been, and I require further details as initially set out in ’s letter: a. Details of each and any such breach at a data centre in the US contained EU residents’ personal data: b. a general description of what occurred; c. the date and time of the breach (or the best possible estimate); d. the date and time the breach was discovered; e. the source of the breach (either your own organization, or a third party to whom you have transferred my personal data); f. details of the personal data that was disclosed; g. your company’s assessment of the risk of harm to data subjects, as a result of the breach; h. a description of the measures taken or that will be taken to prevent further unauthorised access to personal data; i. what information and advice you provided to affected individuals in the European Union against any harms, including identity theft and fraud. 11. In addition, if it is indeed possible that personal data of EU citizens was or may have been compromised during the breach, I ask you to explain why you have decided not to notify any of the EU data protection authorities until now, as required by Article 33(1) GDPR. 12. Further to the question above, please identify what what mitigating steps you have taken to protect the data of as an EU resident, either prior to or in response to the breach noted above, including a. Encryption of personal data; b. Data minimisation strategies; or, c. Anonymisation or pseudonymisation; or, d. Any other means. 13. In light of the information concerning the above-noted breach, the questions of which you declined to answer as irrelevant, I find are germane and should be addressed. This included: a. Information concerning information policies and standards b. Backup, archival and storage mechanisms. c. As required by , details as to your: i. Intrusion detection systems; ii. Firewall technologies; iii. Access and identity management technologies; iv. Database audit and/or security tools; or, v. Behavioural analysis tools, log analysis tools, or audit tools; 14. In light of the basis for the above-noted breach, please provide documentation as to training and awareness delivered to employees and contractors. 15. What data loss prevention measures do you utilise to prevent the type of harm that led to this breach? Upon receipt of your answers, I will analyse the information received before deciding on next steps in the investigation, including on whether or not an in situ inspection is needed. If I decide to draw up a report of findings, you will have a chance to respond to the draft report before it is published. This includes the opportunity to identify any business confidential information that should not be made public. You may also include in your response to this letter an indication of any information that should be treated as business confidential. I underline that business confidentiality as such is not a reason to withhold information from this investigation. A copy of this letter will be sent to . Sincerely yours, By order, U.R. Late Inspector – DPA
