Difference between revisions of "Item talk:Q5103"

From Wikibase Personal data
Latest revision as of 13:18, 13 February 2021

What is this?

The General Data Protection Regulation gives you rights. The app Clubhouse is actively breaching your rights, and encouraging your friends to do so as well!

This page aims to help you find out more information about how this is happening, and who might be helping Clubhouse in doing so. The idea is that the GDPR also gives you some rights to transparency, which the template below will help you exercise to their maximum.

If you would like to discuss this further, you are welcome to email clubhouse@personaldata.io or to contribute to the thread in our forum.

Instructions

Complete the text below by filling in the parts in brackets (for instance "<< FIRST_NAME LAST_NAME >>") and send it. That's it!

Direct link

You can edit as described above, then directly send the request from your mail client. Alternatively, you can copy/paste the email template below.

Email template

Email recipient address

mailto:support@alphaexplorationco.com (remove the mailto, or click to directly open a draft email)

Email subject

"GDPR request to Clubhouse"

Email body

Dear Clubhouse,

This is a transparency request under the General Data Protection Regulation, including a subject access request, a portability request, and other specific provisions.

Due to specific growth hacking mechanisms you employ, it similarly concerns some of your users, who might already be in breach of GDPR.

Identification

It is natural that you will need to identify me and make sure I am who I claim to be. I understand that according to Article 11 GDPR, and particularly Art 11.2, you might thus need additional information. The following information should help you locate my personal data:

  • e-mail address: << ADD VALUE >>;
  • telephone number: << ADD VALUE >>.

You should be able to verify my email address easily, simply by responding to this email.

I would encourage you to verify the telephone number by simply calling me.

Copies of my personal data

I would like to request a copy of all my personal data held and/or undergoing processing. This is both a subject access request and a portability request. This request is directly addressed to you, and concerns data you hold directly but also joint controllership data (GDPR Art 26), jointly held with other data controllers. Some of those other controllers would also include some of your users (particularly those who have already breached GDPR and are located in Belgium, in light of the Twoo decision).

As explained above, this request covers all my personal data. I will break it down into three parts, according to Art 20, Art 15 and Art 26.

Article 20

For data falling within the right to data portability (GDPR, art 20), which includes all data I have provided *and* which have been indirectly observed about me (Article 29 Working Party, *Guidelines on the Right to Data Portability (WP 242)*, 13 December 2016, 8) and where lawful bases for processing include consent or contract, I wish to have that data:

- **sent to me in commonly used, structured, machine-readable format**, such as a CSV file. A PDF is not a machine-readable format (Article 29 Working Party, ‘Guidelines on Transparency under Regulation 2016/679’ WP260 rev.01, 11 April 2018).

- accompanied with an **intelligible description of all variables.**

Since I am not a user of Clubhouse, I expect this data to be nil (short of this email).

Article 15

For all personal data not falling within portability, I would like to request, under the right to access (GDPR, art 15):

- information provided to you by third parties, **including users**

- **a copy sent to me in electronic format**. This includes - but is not limited to - any data derived about me, such as opinions, inferences, settings and preferences. (Note that opinions, inferences and the like are considered personal data. See Case C‑434/16 *Peter Nowak v Data Protection Commissioner* [2017] ECLI:EU:C:2017:994, 34.) For data that is available to the controller in machine readable format, it must be provided to me in that form in accordance with the principle of fairness and provision of data protection by design.

Article 26

Given the nature of the growth hacking you engage in, I fully expect the referral mechanisms you employ not to fall within the household exemption in the GDPR. This interpretation is confirmed by the recent Twoo decision of the Belgian Data Protection Authority:

https://iapp.org/news/a/tell-a-friend-but-only-with-your-friends-consent/

As a consequence, the processing of this data falls within a joint controllership scheme (GDPR Art 26). Mirroring the direct exercise of my rights with respect to you described above, I also wish to exercise these rights against any of your joint controllers - but, as allowed via Art 26(3), by reaching out to you. Finally, I wish - as described in Art 26(2) - to have access to the essence of the arrangement described in Art 26(1).

Metadata on processing

This request also includes the metadata I am entitled to under the GDPR.

Information on controllers, processors, source and transfers

- The **identity of all joint controllers** of my personal data, as well as the essence of your contracts with them (Article 26).

- Any **third parties to whom data has been disclosed**, named with contact details in accordance with Article 15(1)(c). Please note that the European data protection regulators have stated that by default, controllers should name precise recipients and not "categories" of recipients. If they do choose to name categories, they must justify why this is fair, and be specific, naming "the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients" (Article 29 Working Party, ‘Guidelines on Transparency under Regulation 2016/679’ WP260 rev.01, 11 April 2018). Please note that in the case of any transferred data processed on the basis of consent, there is no option to just name categories of recipients without invalidating that legal basis (Article 29 Working Party, ‘Guidelines on Consent under Regulation 2016/679’ (WP259 rev.01, 10 April 2018) 13).

- If any data was not collected, observed or inferred from me directly, please provide precise information about **the source of that data**, including the name and contact email of the data controller(s) in question ("from which source the personal data originate", Article 14(2)(f)/15(1)(g)).

- Please confirm where my personal data is physically stored (including backups) and at the very least **whether it has exited the EU at any stage (if so, please also detail the legal grounds and safeguards for such data transfers)**.

Information on purposes and legal basis

- All **processing purposes and the lawful basis for those purposes by category of personal data**. This list must be broken down by purpose, lawful basis aligned to purposes, and categories of data concerned aligned to purposes and lawful bases. Separate lists where these three factors do not correspond are not acceptable (Article 29 Working Party, ‘Guidelines on Transparency under Regulation 2016/679’ (WP260 rev.01, 11 April 2018), page 35). A table may be the best way to display this information.

- The **specified legitimate interest** where legitimate interest is relied upon (Article 14(2)(b)).

Information on automated decision-making

- Please confirm whether or not you make any automated decisions (within the meaning of Article 22, GDPR). If the answer is yes, please provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me. (Article 15(1)(h))

Information on storage

- Please confirm for how long each category of personal data is stored, or the criteria used to make this decision, in accordance with the storage limitation principle and Article 15(1)(d).

Submission Form

Please note that it is not legal to require data subjects to use an in-house form. (see for instance UK Information Commissioner’s Office, ‘Subject Access Code of Practice’ (9 June 2017) p 13; Information Commissioner’s Office, ‘Guide to the GDPR: Right to access’ (22 May 2019), stating that 'even if you have a form, you should note that a subject access request is valid if it is submitted by any means, so you will still need to comply with any requests you receive in a letter, a standard email or verbally [..] although you may invite individuals to use a form, you must make it clear that it is not compulsory')

Further assistance

If you do not normally deal with these requests, please pass this email to your Data Protection Officer. If you need advice on dealing with this request, any European Data Protection Authority should be able to provide you with assistance.

In accordance with the law, I look forward to hearing from you within one month of receipt.

Regards,

<< FIRST_NAME LAST_NAME >>