Line 29: |
Line 29: |
| If your organisation considers me a controller for whom you process | | If your organisation considers me a controller for whom you process |
| ------------------------------------------------------------------- | | ------------------------------------------------------------------- |
− | Furthermore, if your business considers me the controller of any personal data for which your business acts as processor, please provide me **with all the data you process on my behalf in machine readable format** in accordance with your obligation to respect my to determination of the means and purposes of processing. | + | Furthermore, if your business considers me the controller of any personal data for which your business acts as processor, please provide me with all the data you process on my behalf in machine readable format in accordance with your obligation to respect my to determination of the means and purposes of processing. |
− | | |
| | | |
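Review bot: the sentence still reads "respect my to determination of the means and purposes of processing" on both sides of the hunk, so the edit that strips the bold leaves a missing word in place; suggest "respect my right to determine the means and purposes of processing" so the clause actually states the right the request relies on.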
| Metadata on processing | | Metadata on processing |
Line 39: |
Line 38: |
| ------------------------------------------------------------ | | ------------------------------------------------------------ |
| | | |
− | - The **identity of all joint controllers** of my personal data, as well as the essence of you contracts with them (Article 26). | + | - The identity of all joint controllers of my personal data, as well as the essence of you contracts with them (GDPR Article 26). |
− | | |
| | | |
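Review bot: "the essence of you contracts" should read "the essence of your contracts" in the new text as well as the old. The hunk also introduces "GDPR Article 26" while the neighbouring items keep the bare form ("Article 15(1)(c)", "Article 14(2)(f)/15(1)(g)"); pick one convention for article references across the whole list.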
− | - Any **third parties to whom data has been disclosed**, named with contact details in accordance with Article 15(1)(c). Please note that the European data protection regulators have stated that by default, controllers should name precise recipients and not "categories" of recipients. If they do choose to name categories, they must justify why this is fair, and be specific, naming "the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients. ( Article 29 Working Party, ‘Guidelines on Transparency under Regulation 2016/679’ WP260 rev.01, 11 April 2018 ) Please note that in the case of any transferred data processed on the basis of consent, there is no option to just name categories of recipients without invalidating that legal basis (Article 29 Working Party, ‘Guidelines on Consent under Regulation 2016/679’ (WP259 rev.01, 10 April 2018) 13). | + | - Any third parties to whom data has been disclosed, named with contact details in accordance with Article 15(1)(c). Please note that the European data protection regulators have stated that by default, controllers should name precise recipients and not "categories" of recipients. If they do choose to name categories, they must justify why this is fair, and be specific, naming "the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients [3]. Please note that in the case of any transferred data processed on the basis of consent, there is no option to just name categories of recipients without invalidating that legal basis [5]. |
| | | |
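Review bot: the quotation that opens at "the type of recipient (i.e. by reference to the activities it carries out) ..." is never closed in either version; add the closing quotation mark after "the location of the recipients" and before the [3] citation so the reader can see where the regulator's wording ends and the template's own text resumes.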
− | - If any data was not collected, observed or inferred from me directly, please provide precise information about **the source of that data**, including the name and contact email of the data controller(s) in question ("from which source the personal data originate", Article 14(2)(f)/15(1)(g)). | + | - If any data was not collected, observed or inferred from me directly, please provide precise information about the source of that data, including the name and contact email of the data controller(s) in question ("from which source the personal data originate", Article 14(2)(f)/15(1)(g)). |
| | | |
− | - Please confirm where my personal data is physically stored (including backups) and at the very least **whether it has exited the EU at any stage (if so, please also detail the legal grounds and safeguards for such data transfers)**. | + | - Please confirm where my personal data is physically stored (including backups) and at the very least whether it has exited the EU at any stage (if so, please also detail the legal grounds and safeguards for such data transfers). |
| | | |
| Information on purposes and legal basis | | Information on purposes and legal basis |
| --------------------------------------- | | --------------------------------------- |
| | | |
− | - All **processing purposes and the lawful basis for those purposes by category of personal data**. This list must be broken down by purpose, lawful basis aligned to purposes, and categories of data concerned aligned to purposes and lawful bases. Separate lists where these three factors do not correspond are not acceptable (Article 29 Working Party, ‘Guidelines on Transparency under Regulation 2016/679’ (WP260 rev.01, 11 April 2018), page 35. | + | - All processing purposes and the lawful basis for those purposes by category of personal data. This list must be broken down by purpose, lawful basis aligned to purposes, and categories of data concerned aligned to purposes and lawful bases. Separate lists where these three factors do not correspond are not acceptable (Article 29 Working Party [6]). A table may be the best way to display this information. |
− | ). A table may be the best way to display this information. | |
| | | |
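Review bot: the new text cites "(Article 29 Working Party [6])", but [6] is the same WP260 rev.01 guidance already listed as [3] with only "page 35" added; cite it as [3] with the page given inline (as the consent guidance does with [5] at page 13) rather than assigning a second reference number to one document. On the plus side, merging the two rows fixes the parenthesis that was left open across the old "page 35." / ")." split.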
− | - The **specified legitimate interest** where legitimate interest is relied upon (Article 14(2)(b)). | + | - The specified legitimate interest where legitimate interest is relied upon (Article 14(2)(b)). |
| | | |
| Information on automated decision-making | | Information on automated decision-making |
Line 75: |
Line 72: |
| | | |
| References: | | References: |
| + | ----------- |
| [1] UK Information Commissioner’s Office, Subject Access Code of Practice (9 June 2017) p13; Information Commissioner’s Office, ‘Guide to the GDPR: Right to access’ (22 May 2019): 'Even if you have a form, you should note that a subject access request is valid if it is submitted by any means, so you will still need to comply with any requests you receive in a letter, a standard email or verbally [..] although you may invite individuals to use a form, you must make it clear that it is not compulsory'. | | [1] UK Information Commissioner’s Office, Subject Access Code of Practice (9 June 2017) p13; Information Commissioner’s Office, ‘Guide to the GDPR: Right to access’ (22 May 2019): 'Even if you have a form, you should note that a subject access request is valid if it is submitted by any means, so you will still need to comply with any requests you receive in a letter, a standard email or verbally [..] although you may invite individuals to use a form, you must make it clear that it is not compulsory'. |
| [2] Article 29 Working Party, Guidelines on the Right to Data Portability (WP 242), 13 December 2016, 8. | | [2] Article 29 Working Party, Guidelines on the Right to Data Portability (WP 242), 13 December 2016, 8. |
− | [3] Article 29 Working Party, ‘Guidelines on Transparency under Regulation 2016/679’ WP260 rev.01, 11 April 2018. | + | [3] Article 29 Working Party, Guidelines on Transparency under Regulation 2016/679 WP260 rev.01, 11 April 2018. |
| [4] See Case C‑434/16 Peter Nowak v Data Protection Commissioner [2017] ECLI:EU:C:2017:994, 34. | | [4] See Case C‑434/16 Peter Nowak v Data Protection Commissioner [2017] ECLI:EU:C:2017:994, 34. |
| + | [5] Article 29 Working Party, Guidelines on Consent under Regulation 2016/679 WP259 rev.01, 10 April 2018, 13. |
| + | [6] Article 29 Working Party, Guidelines on Transparency under Regulation 2016/679 WP260 rev.01, 11 April 2018, page 35. |
| | | |
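Review bot: the reference list is now inconsistently formatted: [3], [5] and [6] drop the quotation marks around the guidance titles, while [1] keeps ‘Guide to the GDPR: Right to access’ quoted and [2] has never had them; apply one style to every entry. The added [5] and [6] entries do carry the page numbers the inline citations need, so those two additions are fine apart from the [3]/[6] duplication noted above.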
| <noinclude> | | <noinclude> |