Nightmare SAR template letters

Too much time on their hands?

So a company has far too much time on its hands. So much so that it is writing to you asking for money or generally harassing you. Why not ask them some questions using GDPR? Here is a picture of one company's response to Letter 1:


What is GDPR?

GDPR is the General Data Protection Regulation 2018. It is an EU law that companies have to abide by. If they don't, they can be reported to the Information Commissioner's Office, which can impose hefty fines. It is an extremely complex set of legislation, adopted into UK statute in the form of the Data Protection Act 2018. When you write to a company and ask it to provide information about the way it is handling your data, it has 30 days to respond. If it is a more complex request, the company can write to you to advise that it needs more time, and can get up to 90 days to respond.

You can stop them asking for proof of ID by sending a copy of a recent bill and a copy of a photo ID along with the request.

Letter 1

[Your name]

[Your address]

[Your postcode]


[Date]

Data Protection Officer

[ Company Address ]

[Company Postcode]


Dear Sir or Madam,

I am writing to formally make a 'Subject Access Request' for a copy of the information that you hold about me, to which I am entitled under the General Data Protection Regulation 2018.

You can identify my records using the following information:

Full name: [put your name here]

Address: [put your address here]

Please supply me with the data about me that I am entitled to under data protection law, including:

confirmation that you are processing my personal data;

a copy of my personal data;

the purposes of your processing;

the categories of personal data concerned;

the recipients or categories of recipient you disclose my personal data to;

your retention period for storing my personal data or, where this is not possible, your criteria for determining how long you will store it;

confirmation of the existence of my right to request rectification, erasure or restriction, or to object to such processing;

confirmation of my right to lodge a complaint with the ICO or another supervisory authority;

information about the source of the data, where it was not obtained directly from me;

the existence of any automated decision-making (including profiling); and

the safeguards you provide if you transfer my personal data to a third country or international organisation.

the mapping management process involved in the use of my data;

the regulatory compliance process used to ensure sufficient governance is in place;

the same for any third parties to whom you give access to my data; and

your legal basis for holding such data. For any data you have no legal basis to hold, please delete it and provide the evidence required under the regulations to demonstrate that deletion.

I look forward to receiving your response to this request for data within one calendar month, per the General Data Protection Regulation. If you do not normally deal with these requests, please pass this letter to your Data Protection Officer, or relevant staff member. If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk or it can be contacted on 0303 123 1113.


Yours sincerely,

The company has responded and provided the information you requested, but you would like some clarity on what they have provided. Time for Letter 2:

Letter 2

[Your name]

[Your address]

[Your postcode]


[Date]

Data Protection Officer

[ Company Address ]

[Company Postcode]


Dear Sir or Madam,

I am writing to formally make a 'Subject Access Request' for a copy of the information that you hold about me, to which I am entitled under the General Data Protection Regulation 2018.

You can identify my records using the following information:

Full name: [put your name here]

Address: [put your address here]

In light of recent events, I am concerned that your company's information practices may be putting my personal information at undue risk of exposure, or may in fact have breached your obligation to safeguard my personal information, as in the incident reported at:

https://www.theverge.com/2018/8/24/17776836/tmobile-hack-data-breach-personal-information-two-million-customers

Thank you for your response to my earlier letter, in which you confirmed that you are storing and processing information about me. Please supply the following information:

1. If you are additionally collecting personal data about me from any source other than me, please provide me with all information about their source, as referred to in Article 14 of the GDPR.

2. If you are making automated decisions about me, including profiling, whether or not on the basis of Article 22 of the GDPR, please provide me with information concerning the basis for the logic in making such automated decisions, and the significance and consequences of such processing.

3. I would like to know whether or not my personal data has been disclosed inadvertently by your company in the past, or as a result of a security or privacy breach.

a. If so, please advise as to the following details of each and any such breach:

i. a general description of what occurred;

ii. the date and time of the breach (or the best possible estimate);

iii. the date and time the breach was discovered;

iv. the source of the breach (either your own organization, or a third party to whom you have transferred my personal data);

v. details of my personal data that was disclosed;

vi. your company’s assessment of the risk of harm to myself, as a result of the breach;

vii. a description of the measures taken or that will be taken to prevent further unauthorized access to my personal data;

viii. contact information so that I can obtain more information and assistance in relation to such a breach, and

ix. information and advice on what I can do to protect myself against any harms, including identity theft and fraud.


b. If you are not able to state with any certainty, through the use of appropriate technologies, whether such an exposure has taken place, please advise what mitigating steps you have taken, such as:

i. encryption of my personal data;

ii. data minimisation strategies;

iii. anonymisation or pseudonymisation; or

iv. any other means.

I look forward to receiving your response to this request for data within one calendar month, per the General Data Protection Regulation. If you do not normally deal with these requests, please pass this letter to your Data Protection Officer, or relevant staff member. If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk or it can be contacted on 0303 123 1113.


Yours sincerely,

Letter 3

[Your name]

[Your address]

[Your postcode]


[Date]

Data Protection Officer

[ Company Address ]

[Company Postcode]


Dear Sir or Madam,

I am writing to formally make a 'Subject Access Request' for a copy of the information that you hold about me, to which I am entitled under the General Data Protection Regulation 2018.

You can identify my records using the following information:

Full name: [put your name here]

Address: [put your address here]

In light of recent events, I am concerned that your company's information practices may be putting my personal information at undue risk of exposure, or may in fact have breached your obligation to safeguard my personal information, as in the incident reported at:

https://krebsonsecurity.com/2018/11/marriott-data-on-500-million-guests-stolen-in-4-year-breach/

Thank you for your response to my earlier letter, in which you confirmed that you are storing and processing information about me. Please supply the following information:

1. I would like to know the information policies and standards that you follow in relation to the safeguarding of my personal data, such as whether you adhere to ISO 27001 for information security, and more particularly your practices in relation to the following:

a. Please inform me whether you have backed up my personal data to tape, disk or other media; where it is stored and how it is secured, including what steps you have taken to protect my personal data from loss or theft; and whether this includes encryption.


b. Please also advise whether you have in place any technology which allows you with reasonable certainty to know whether or not my personal data has been disclosed, including but not limited to the following:

i. Intrusion detection systems;

ii. Firewall technologies;

iii. Access and identity management technologies;

iv. Database audit and/or security tools; or,

v. Behavioural analysis tools, log analysis tools, or audit tools;

2. In regards to employees and contractors, please advise as to the following:

a. What technologies or business procedures do you have in place to monitor individuals within your organization, to ensure that they do not deliberately or inadvertently disclose personal data outside your company, whether through e-mail, web-mail, instant messaging or otherwise?

b. Have you had any circumstances in the past twelve months in which employees or contractors have been dismissed and/or charged under criminal law for accessing my personal data inappropriately, or, if you are unable to determine this, the personal data of any customers?

c. Please advise as to what training and awareness measures you have taken in order to ensure that employees and contractors are accessing and processing my personal data in conformity with the General Data Protection Regulation.

I look forward to receiving your response to this request for data within one calendar month, per the General Data Protection Regulation. If you do not normally deal with these requests, please pass this letter to your Data Protection Officer, or relevant staff member. If you need advice on dealing with this request, the Information Commissioner's Office can assist you. Its website is ico.org.uk or it can be contacted on 0303 123 1113.


Yours sincerely,

Letter 4

The final letter, telling them to STOP processing your DATA

Article 17 GDPR Notice

NOTICE ISSUED PURSUANT TO ARTICLE 17 of the GDPR


[Your name]

[Your address]

[Your postcode]


[Date]

Data Protection Officer

[ Company Address ]

[Company Postcode]

I write pursuant to my rights granted by Article 17 of the General Data Protection Regulation.

You can identify my records using the following information:

Full name: [put your name here]

Address: [put your address here]

I hereby give you Notice that you must, within the time periods prescribed below, permanently cease processing all personal data of which I am the data subject. If you do not normally handle Data Protection Notices for your organisation, please pass this Notice to your Data Protection Officer or another appropriate official.

THE MEANING OF THIS NOTICE

For the avoidance of doubt this Notice requires you to do all of the following:

(1) Within 3 days of receipt of this letter to cease or not to begin to:

(a) Obtain;

(b) Record; or

(c) Hold, any personal data of which I am the data subject (“my personal data”); and

(2) With immediate effect to cease or not to begin to carry out any operation or a series of operations involving my personal data including operations that would amount to the:

(a) Organisation, adaptation or alteration;

(b) Retrieval, consultation or use;

(c) Disclosure by transmission, dissemination or otherwise making available; or

(d) Alignment or combination, of information or data.

GROUNDS FOR NOTICE

My grounds for giving you this Notice are:

(a) The processing of my personal data by you is causing or is likely to cause substantial damage to me and any person residing with me, due to a lack of ability to obtain credit caused by wrongful processing of my data.

(b) The processing of my personal data by you is illegal as you do not have my consent.

(c) The processing of my personal data is illegal as we do not have a contract.

(d) The processing of my personal data is illegal as you have no proven legal obligation that applies to your organisation.

(e) The processing of my personal data is illegal as it is not necessary for you to protect my vital interests.

(f) In any case the damage and/or distress is unwarranted.


NO EXEMPTION FROM THE PROVISIONS OF ARTICLE 17 OF THE GENERAL DATA PROTECTION REGULATION

You are not excused compliance with this Notice under the provisions of Article 17 of the General Data Protection Regulation, by virtue of the reasons set out below:

(1) I have not given you my consent to process my personal data.

(2) I am not a party to a contract with you.

(3) You have no proven legal obligation with which you must comply and which would permit you to process my personal data.

(4) No processing undertaken by you could be undertaken to protect my vital interests.

WHAT YOU MUST DO NEXT

In any event you must within 21 days of receiving this Notice give me Notice in writing stating:

(1) You have complied with the provisions of this Notice in full; or

(2) You have complied with the provisions of this Notice in part, stating which parts; and

(3) As to the parts not so complied with, your reasons for not doing so, including evidence that you can substantiate.

WARNING: CONSEQUENCES OF FAILURE TO COMPLY WITH THIS NOTICE

Should you fail to comply with the provisions of this Notice, I reserve absolutely the right to obtain, without further reference to you, a county court or High Court order to compel you to comply with this Notice together with an order that you pay my associated legal costs in full and for me to make an application for damages associated with your unlawful processing of my personal data.


Yours sincerely,

[Your Name]

THEY IGNORED ME!

Don't forget: if the company does not respond, or fails to answer your Subject Access Requests under GDPR correctly, you can report it to the Information Commissioner's Office, which can hand out some really big fines!