Line 1: |
Line 1: |
| Dear {{wikidata|label|{{{1}}}}}, | | Dear {{wikidata|label|{{{1}}}}}, |
| | | |
− | This is a transparency request under the General Data Protection Regulation, including a subject access request, a portability request, and other specific provisions. Please note that it is not legal to require data subjects to use an in-house form. (see for instance UK Information Commissioner’s Office, ‘Subject Access Code of Practice’ (9 June 2017) p 13; Information Commissioner’s Office, ‘Guide to the GDPR: Right to access’ (22 May 2019), stating that 'even if you have a form, you should note that a subject access request is valid if it is submitted by any means, so you will still need to comply with any requests you receive in a letter, a standard email or verbally [..] although you may invite individuals to use a form, you must make it clear that it is not compulsory'). | + | This is a transparency request under the General Data Protection Regulation, including a subject access request, a portability request, and other specific provisions. Please note that it is not legal to *require* data subjects to use an in-house form[1]. |
| | | |
| I would like to request a copy of all my personal data held and/or undergoing processing. This is both a subject access request and a portability request. | | I would like to request a copy of all my personal data held and/or undergoing processing. This is both a subject access request and a portability request. |
Line 12: |
Line 12: |
| |sep=;}}.|}} | | |sep=;}}.|}} |
| | | |
− | For any of those items listed above which you do not hold any data about me, please explicitly confirm that you do not hold any data of that type about me. | + | For any and all items where you do not hold any data about me, please explicitly confirm that you do not hold any data of that type about me. |
| | | |
| Article 20 | | Article 20 |
| ---------- | | ---------- |
− | For data falling within the right to data portability (GDPR, art 20), which includes all data I have provided *and* which have been indirectly observed about me (Article 29 Working Party, *Guidelines on the Right to Data Portability (WP 242)*, 13 December 2016, 8) and where lawful bases for processing include consent or contract, I wish to have that data: | + | For data falling within the right to data portability (GDPR article 20), which includes all data I have provided *and* which have been indirectly observed about me [2] and where lawful bases for processing include consent or contract, I wish to have that data: |
| | | |
− | - **sent to me in commonly used, structured, machine-readable format**, such as a CSV file. A PDF is not a machine-readable format (Article 29 Working Party, ‘Guidelines on Transparency under Regulation 2016/679’ WP260 rev.01, 11 April 2018). | + | - sent to me in commonly used, structured, machine-readable format, such as a CSV file. A PDF is not a machine-readable format [3]. |
− | | + | - accompanied with an intelligible description of all variables. |
− | - accompanied with an **intelligible description of all variables.** | |
| | | |
| Article 15 | | Article 15 |
| ---------- | | ---------- |
− | For all personal data not falling within portability, I would like to request, under the right to access (GDPR, art 15): | + | For all personal data not falling within portability, I would like to request, under the right to access (GDPR, article 15): |
| | | |
− | - **a copy sent to me in electronic format**. This includes any data derived about me, such as opinions, inferences, settings and preferences. (Note that opinions, inferences and the like are considered personal data. See Case C‑434/16 *Peter Nowak v Data Protection Commissioner* [2017] ECLI:EU:C:2017:994, 34.) For data that is available to the controller in machine readable format, it must be provided to me in that form in accordance with the principle of fairness and provision of data protection by design. | + | - a copy sent to me in electronic format. This includes any data derived about me, such as opinions, inferences, settings and preferences. Note that opinions, inferences and the like are considered personal data [4]. For data that is available to the controller in machine readable format, it must be provided to me in that form in accordance with the principle of fairness and provision of data protection by design. |
| | | |
| If your organisation considers me a controller for whom you process | | If your organisation considers me a controller for whom you process |
Line 74: |
Line 73: |
| | | |
| << FIRST_NAME LAST_NAME >> | | << FIRST_NAME LAST_NAME >> |
| + | |
| + | References: |
| + | [1] UK Information Commissioner’s Office, Subject Access Code of Practice (9 June 2017) p13; Information Commissioner’s Office, ‘Guide to the GDPR: Right to access’ (22 May 2019): 'Even if you have a form, you should note that a subject access request is valid if it is submitted by any means, so you will still need to comply with any requests you receive in a letter, a standard email or verbally [..] although you may invite individuals to use a form, you must make it clear that it is not compulsory'. |
| + | [2] Article 29 Working Party, Guidelines on the Right to Data Portability (WP 242), 13 December 2016, 8. |
| + | [3] Article 29 Working Party, ‘Guidelines on Transparency under Regulation 2016/679’ WP260 rev.01, 11 April 2018. |
| + | [4] See Case C‑434/16 Peter Nowak v Data Protection Commissioner [2017] ECLI:EU:C:2017:994, 34. |
| + | |
| <noinclude> | | <noinclude> |
| == Alex's note == | | == Alex's note == |
| This is my copy of [[https://wiki.personaldata.io/wiki/Template:Access access]]. | | This is my copy of [[https://wiki.personaldata.io/wiki/Template:Access access]]. |
| </noinclude> | | </noinclude> |