Subject Access Request
How should this be used?
If you want fully understand how a company is processing your information and if it is complying with the new GDPR regulations, this is the letter for you. Most if not all companies will find this difficult to answer correctly and it likely to test their resources.
THE BEST WAY TO SEND THIS TO A COMPANY IS TO SPLIT IT INTO SMALL REQUESTS AND SEND ONE AFTER THE OTHER
You do not have a limit to the number of SAR's you can send a company
The Nightmare Subject Access Request is the worst scenario of questions that could be posed to a Company's Data Processing staff or department. Used as a blanket template might just get you a short shrift response or no response at all. It is unlikely that every element of the request would apply to your circumstances, so choose the sections that are relevant and you would like answering.
If you want to hold the company to account, you should edit the template letter to be specific to your circumstances. If the questions you are posing are in relation to your concerns about how a company is processing data and they refuse to respond, they can get a hefty fine from the Information Commissioners Office. So use this tool wisely.
A full response to a carefully worded Nightmare Subject Access Request could cost the company several thousand of pounds to compile so it is an ideal tool to use against Corporations that like wasting YOUR time.
----------------------------------------------------
THE NIGHTMARE SUBJECT ACCESS REQUEST
Dear Sir/Madam,
Under Article 15 of the General Data Protection Regulation 2018, I would like to submit the following subject access request to better understand how you process my personal information:
In light of recent events, I am concerned that your company’s information practices may be putting my personal information at undue risk of exposure or in fact has breached its obligation to safeguard my personal information pursuant to:
https://www.theverge.com/2018/8/24/17776836/tmobile-hack-data-breach-personal-information-two-million-customers
I am including a copy of documentation necessary to verify my identity. If you require further information, please contact me at my address above.
I would like you to be aware at the outset, that I anticipate reply to my request within one month as required under Article 12, failing which I will be forwarding my inquiry with a letter of complaint to the Information Commissioners Office.
Please advise as to the following:
1. Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.
a. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.
b. Additionally, please advise me in which countries my personal data is stored, or accessible from. In case you make use of cloud services to store or process my data, please include the countries in which the servers are located where my data are or were (in the past 12 months) stored.
c. Please provide me with a copy of, or access to, my personal data that you have or are processing.
2. Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.
3. Please provide a list of all third parties with whom you have (or may have) shared my personal data.
a. If you cannot identify with certainty the specific third parties to whom you have disclosed my personal data, please provide a list of third parties to whom you may have disclosed my personal data.
b. Please also identify which jurisdictions that you have identified in 1(b) above that these third parties with whom you have or may have shared my personal data, from which these third parties have stored or can access my personal data. Please also provide insight in the legal grounds for transferring my personal data to these jurisdictions. Where you have done so, or are doing so, on the basis of appropriate safeguards, please provide a copy.
c. Additionally, I would like to know what safeguards have been put in place in relation to these third parties that you have identified in relation to the transfer of my personal data.
4. Please advise how long you store my personal data, and if retention is based upon the category of personal data, please identify how long each category is retained.
5. If you are additionally collecting personal data about me from any source other than me, please provide me with all information about their source, as referred to in Article 14 of the GDPR.
6. If you are making automated decisions about me, including profiling, whether or not on the basis of Article 22 of the GDPR, please provide me with information concerning the basis for the logic in making such automated decisions, and the significance and consequences of such processing.
7. I would like to know whether or not my personal data has been disclosed inadvertently by your company in the past, or as a result of a security or privacy breach.
a. If so, please advise as to the following details of each and any such breach:
i. a general description of what occurred;
ii. the date and time of the breach (or the best possible estimate);
iii. the date and time the breach was discovered;
iv. the source of the breach (either your own organization, or a third party to whom you have transferred my personal data);
v. details of my personal data that was disclosed;
vi. your company’s assessment of the risk of harm to myself, as a result of the breach;
vii. a description of the measures taken or that will be taken to prevent further unauthorized access to my personal data;
viii. contact information so that I can obtain more information and assistance in relation to such a breach, and
ix. information and advice on what I can do to protect myself against any harms, including identity theft and fraud.
b. If you are not able to state with any certainty whether such an exposure has taken place, through the use of appropriate technologies, please advise what mitigating steps you have taken, such as
i. Encryption of my personal data;
ii. Data minimization strategies; or,
iii. Anonymization or pseudonymization;
iv. Any other means
8. I would like to know your information policies and standards that you follow in relation to the safeguarding of my personal data, such as whether you adhere to ISO27001 for information security, and more particularly, your practices in relation to the following:
a. Please inform me whether you have backed up my personal data to tape, disk or other media, and where it is stored and how it is secured, including what steps you have taken to protect my personal data from loss or theft, and whether this includes encryption.
b. Please also advise whether you have in place any technology which allows you with reasonable certainty to know whether or not my personal data has been disclosed, including but not limited to the following:
i. Intrusion detection systems;
ii. Firewall technologies;
iii. Access and identity management technologies;
iv. Database audit and/or security tools; or,
v. Behavioural analysis tools, log analysis tools, or audit tools;
9. In regards to employees and contractors, please advise as to the following:
a. What technologies or business procedures do you have to ensure that individuals within your organization will be monitored to ensure that they do not deliberately or inadvertently disclose personal data outside your company, through e-mail, web-mail or instant messaging, or otherwise.
b. Have you had had any circumstances in which employees or contractors have been dismissed, and/or been charged under criminal laws for accessing my personal data inappropriately, or if you are unable to determine this, of any customers, in the past twelve months.
c. Please advise as to what training and awareness measures you have taken in order to ensure that employees and contractors are accessing and processing my personal data in conformity with the General Data Protection Regulation.
If you do not normally deal with these requests, please pass this letter to your DataProtection Officer, or relevant staff member. If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk or it can be contacted on 0303 123 1113.
Yours Sincerely,
HOW LONG DO I GIVE THEM?
If they follow the rules they should respond within one-month period to advise that they will require a further two months (Article 12(3) GDPR).
If you have not had a full response in 3 months, then you could file a complaint with the Information Commissioners Office.
---------------------------------------------------------------------------------------------------------------------
IMAGINED LETTER FROM INFORMATION COMMISSIONERS OFFICER
So let’s imagine how the Nightmare SAR has been answered in a typical organization. All these annoying questions have been asked, and they may have to be answered. The scope of the answers will depend on the context of what the subject is legitimately making a complaint or inquiry about.
If you are not prepared and do not have an adequate picture of your data processing activities and privacy management processes, then answering any subject-access request will be time consuming. You won’t even know who knows the answers to some of these questions, and in your exploration of your companies’ subterranean caverns of data processing, you come up against the deadline.
So naturally, you have written back initially in the one-month period following the subject-access request, to advise that you will require a further two months (Article 12(3) GDPR). And despite your best efforts and intentions to get answers from your IT department, your HR department, marketing and everyone else who presumably should know how this individual’s information is being processed, you find yourself coming up against the extended deadline again.
And you slip over it. Not by much, but you are late. And your answers are, admittedly, a bit vague and perhaps not that persuasive. The data subject does what data subjects will do – they complain to the Information Commissioner Officer, And you get another letter…
The Information Commissioners Officer Inquires…
Dear Sir, Madam,
On <date>, the <jurisdiction> DPA has received a complaint from <name>, following a data subject access request filed with your company on <date access request>. <Name> has asserted that the processing of his/her data by your organisation, is infringing his/her fundamental right to data protection as laid down in the General Data Protection Regulation (Regulation (EU) 2016/679).
Based on the claims in the complaint, the copies of the correspondence between <name> and <name DPO>, the DPO of your organisation, and in accordance with Articles 57(1)f and 77 of said Regulation, I have decided to open an investigation into the data processing operations of your organisation, and the way you provide access to data subjects’ information processed in your files and systems. I trust that your organisation will cooperate fully with this investigation. I do however stress that, if required, I can order your cooperation under Article 58(1) GDPR.
I request that you provide an answer to the following questions within four weeks of today. Please be so kind as to answer the questions extensively, providing all information, as well as supporting documentation, that you consider relevant for this investigation.
1. <Name> has asked you to provide a digital copy of all information processed by your organisation about him/her. On <date>, you have indeed provided a pdf file, containing the name, address and contact details stored in your systems about <name>. Any further information, including for example the contact <name> has had with your customer service team, seems to be lacking. Also information about <name>’s financial relations with your organisation has not been provided. I therefore request that you provide a full copy of all information your organisation processes about <name>.
2. <Name> has indicated that the pdf file with his/her information you provided, also contained information related to his/her social media accounts, even though that information has never been provided to you by <name>. In line with Article 15(1)g GDPR, please provide information about the provenance of this data.
3. In addition, you have not indicated what information you have concerning the profile you have developed of <name> based upon usage of your website and in response to the input provided by <name> in response to the surveys and other mechanisms you have provided to give your organisation feedback. In particular, <name> notes that a third-party organisation processing information on your behalf, places a cookie on users’ computers. This appears to be used to track users’ activities not only on your website, but as users leave and go to other websites, their activities on those websites. Please elaborate.
4. In your correspondence with <name>, you have indicated you process personal data for marketing purposes, without further specification how this information is processed and with which third parties this data is shared. Please elaborate.
5. <Name> also requested that you identify what countries his/her personal data was stored in or accessible from. You indicated that his/her data was stored in a data centre in the United States. However, <name> has pointed out that in calling for support in relation to your <service/product> that s/he was put in touch with customer support representatives in India. Your response therefore is complained of as being inaccurate.
6. <name> specifically requested information concerning use of cloud services to store or process personal data, and your response was that you are not storing his/her personal data in cloud services. Notwithstanding this it is noted that your organization made a public announcement concerning the use of <well-known software company>’s cloud services to augment your processing. Additionally, <name> identified that on at least one occasion s/he was required to exchange files containing personal data with your organisation’s support representatives via <popular file sharing service>.
7. You have provided a list of third-parties with whom you share personal data of <name>, which includes a payment processor as well as a company providing web analytics as noted above. However, your website proudly announced in 2016 a partnership with another third-party to provide related services to assist users with the use of <product/service>, and <name> has in fact received e-mail marketing communications from that partner. You have not listed what information is shared with that partner, nor have you indicated this as a use of the information of <name> in response to the query relating to specific uses of information. You have also not indicated what jurisdiction this partner has stored or has access to <name>’s personal information. Please elaborate on the relation between your company and this partner, as well as the data shared between the two companies.
8. Both in relation to this undisclosed partner as well as your identified third-party processors, you have not indicated if the data is transferred outside of the European Union, and if so, what the legal grounds for transfer of personal data are on which you rely, or your safeguards in relation to the protection of personal data.
9. In response to the question of <name> relating to the retention of personal data, I can only ascertain you have repeated the text of the law, stating personal data is retained “no longer than necessary”. Please provide for each data category and processing purpose the specific retention periods your organisation has decided upon.
10. You have indicated that there had been no breaches of personal data involving <name> as a result of a security or privacy breach. However, <name> has pointed out and I note, that you have notified regulators, namely <State Attorney Generals> in the United States of America, that your company experienced a breach on <date> involving <x,000> individuals in <various states>. This breach arose from a rogue employee accessing and selling personal information from your data centre in the United States, which is where you indicated that data of EU residents is also stored and processed. This information suggests that the EU residents data has also been accessed, or may have been, and I require further details as initially set out in <name>’s letter:
a. Details of each and any such breach at a data centre in the US contained EU residents’ personal data:
b. a general description of what occurred;
c. the date and time of the breach (or the best possible estimate);
d. the date and time the breach was discovered;
e. the source of the breach (either your own organization, or a third party to whom you have transferred my personal data);
f. details of the personal data that was disclosed;
g. your company’s assessment of the risk of harm to data subjects, as a result of the breach;
h. a description of the measures taken or that will be taken to prevent further unauthorised access to personal data;
i. what information and advice you provided to affected individuals in the European Union against any harms, including identity theft and fraud.
11. In addition, if it is indeed possible that personal data of EU citizens was or may have been compromised during the breach, I ask you to explain why you have decided not to notify any of the EU data protection authorities until now, as required by Article 33(1) GDPR.
12. Further to the question above, please identify what what mitigating steps you have taken to protect the data of <name> as an EU resident, either prior to or in response to the breach noted above, including
a. Encryption of personal data;
b. Data minimisation strategies; or,
c. Anonymisation or pseudonymisation; or,
d. Any other means.
13. In light of the information concerning the above-noted breach, the questions of <name> which you declined to answer as irrelevant, I find are germane and should be addressed. This included:
a. Information concerning information policies and standards
b. Backup, archival and storage mechanisms.
c. As required by <name>, details as to your:
i. Intrusion detection systems;
ii. Firewall technologies;
iii. Access and identity management technologies;
iv. Database audit and/or security tools; or,
v. Behavioural analysis tools, log analysis tools, or audit tools;
14. In light of the basis for the above-noted breach, please provide documentation as to training and awareness delivered to employees and contractors.
15. What data loss prevention measures do you utilise to prevent the type of harm that led to this breach?
Upon receipt of your answers, I will analyse the information received before deciding on next steps in the investigation, including on whether or not an in situ inspection is needed. If I decide to draw up a report of findings, you will have a chance to respond to the draft report before it is published. This includes the opportunity to identify any business confidential information that should not be made public. You may also include in your response to this letter an indication of any information that should be treated as business confidential. I underline that business confidentiality as such is not a reason to withhold information from this investigation.
A copy of this letter will be sent to <name DPO>.
Sincerely yours,
By order,
U.R. Late
Inspector - <jurisdiction> DPA
-----------------------------------------------------------------------------------------------------------------------------------
FURTHER INFORMATION ON GDPR
The GDPR provides for a number of remedies for individuals in regards to their personal data, that will put companies through their paces:
- rectification;
- the right to be forgotten and erasure;
- data portability; and
- objection to and restrictions on processing.
The natural next step when someone has written you an annoying letter to find out what a company knows about a data subject, and how it is handling their personal data, is for the author to start exercising those rights.
This gets harder to do in the natural flow of a letter, because of course, the exercise of these rights can arise in so many scenarios. I wanted to highlight individual elements of what data subjects can ask under the GDPR. They may not all come at once, but through the death of a thousand paper cuts, in a series of postcards from hell:
1. Let’s get rectified.
Based on the information that you have provided to me in my subject-access request, it appears you have collected a profile on me based on my purchases. The fact that I am buying a lot of toilet paper is no one’s concern but my own; and it is not due to anything other than I have a lot of guests, not as is implied in the profile, that I am having some kind of organic issues. Please rectify this as soon as possible, as I now understand why I am receiving invitations to purchase medication.
2. Transfer this.
I note that you have been transferring my personal data, namely my meal choices on flights, to the United States, and you have indicated that the basis on which you are making that transfer is based upon the EU-US PNR Agreement. The inferences being drawn from my being a vegetarian are that I am in a suspect group and am being profiled on that basis, which is why I am routinely pulled aside for “random” searches whenever I visit the United States. I request that you delete all information concerning my meal choices that you have collected on me.
3. Your vendor is infectious.
I request you delete my contact information from your customer service vendor in India. I had one interaction to get support for my software a year ago – and now I routinely get calls from India insisting my Windows computer is infected (I own a Macintosh), so your outsourced vendor is not keeping my information confidential. Please confirm that you have followed up with any organization with whom my contact details have been shared with by your vendor. And in future, please restrict processing of my data to my software subscription maintenance.
4. Let my data go.
I have been using your free budget management program on the Internet and now that I understand you are storing my financial and purchase data in countries which have a high rate of identity theft, I no longer wish you to have my data. Prior to deleting it, I would like to ask you to provide all my data in a CSV format that I can use to export to a system which stores its data in the European Union. Please use the attached schema which will support the import into the new system I wish to use.
5. Taking a gamble you have it right.
I have been receiving direct mail from you both by the post and in my e-mail. I am in risk management and I attend conferences on privacy and risk management. I assume that is how you got my contact information, but I do not understand how this got linked to gambling. I don’t find gambling interesting and I don’t know why you would assume that I would want your magazine on gambling, or your e-mails to let me know about gambling events, and the connection with gambling is embarrassing and potentially damaging to my career. Stop sending me anything more and remove my name and address from your lists in relation to gambling.
