Line 1: |
Line 1: |
| | | |
| Dear , | | Dear , |
− |
| + | |
| This message is a transparency request under the General Data Protection Regulation, including a subject access request, a portability request, and other specific provisions. Please note that it is not legal to require data subjects to use an in-house form[1]. | | This message is a transparency request under the General Data Protection Regulation, including a subject access request, a portability request, and other specific provisions. Please note that it is not legal to require data subjects to use an in-house form[1]. |
− |
| + | |
| I would like to request a copy of all my personal data held and/or undergoing processing. This is both a subject access request and a portability request. This message is not in any way to be considered as a complaint. | | I would like to request a copy of all my personal data held and/or undergoing processing. This is both a subject access request and a portability request. This message is not in any way to be considered as a complaint. |
− |
| + | |
| Copies of my personal data | | Copies of my personal data |
− | ========================== | + | =============================== |
− |
| + | |
| This request covers all my personal data including specifically all data belonging to each of the following categories: | | This request covers all my personal data including specifically all data belonging to each of the following categories: |
| | | |
− | 1. Volunteered data - data that I have explicitly shared with you<br> | + | 1. '''Volunteered data''' - data that I have explicitly shared with you<br> |
− | 2. Observed data - data that you have collected about me and my activity through my use of the service or through interactions with your staff.<br> | + | 2. '''Observed data''' - data that you have collected about me and my activity through my use of the service or through interactions with your staff.<br> |
− | 3. Derived data - data you have created and stored about me as a result of analysis, processing or inspection of my data or service activity.<br> | + | 3. '''Derived data''' - data you have created and stored about me as a result of analysis, processing or inspection of my data or service activity.<br> |
− | 4. Acquired data - data you have acquired from any external sources including e.g. credit checks, other users or advertiser’s lists.<br> | + | 4. '''Acquired data''' - data you have acquired from any external sources including e.g. credit checks, other users or advertiser’s lists.<br> |
− | 5. Sharing & Handling data - all metadata and handling information (as detailed below) about who you have shared my data with, as well as copies of the specific data that has been shared, and details of how you have stored and handled and processed my specific data.<br> | + | 5. '''Sharing & Handling data''' - all metadata and handling information (as detailed below) about who you have shared my data with, as well as copies of the specific data that has been shared, and details of how you have stored and handled and processed my specific data.<br> |
− | 6. Consents - where you rely on my consent to process my personal data, please provide details of those consents including when and by what means I gave consent, and the scope of that consent, and how I might change that consent if I wanted to.<br> | + | 6. '''Consents''' - where you rely on my consent to process my personal data, please provide details of those consents including when and by what means I gave consent, and the scope of that consent, and how I might change that consent if I wanted to.<br> |
| | | |
| In particular, please make sure that all personal data you state in your privacy policy you collect, create, store or share is provided. Please also make sure to include data for which you remain controller that is held by third parties. | | In particular, please make sure that all personal data you state in your privacy policy you collect, create, store or share is provided. Please also make sure to include data for which you remain controller that is held by third parties. |
| | | |
− | For any of these categories where you do not hold any data about me, please explicitly confirm that you do not hold any data of that type about me. | + | For any of these categories where you do not hold any data about me, '''please explicitly confirm''' that you do not hold any data of that type about me. |
− |
| + | |
| Article 20 | | Article 20 |
− |
| + | |
| For data falling within the right to data portability (GDPR article 20), which includes all data I have provided and which have been indirectly observed about me [2] and where lawful bases for processing include consent or contract, I wish to have that data: | | For data falling within the right to data portability (GDPR article 20), which includes all data I have provided and which have been indirectly observed about me [2] and where lawful bases for processing include consent or contract, I wish to have that data: |
| · sent to me in commonly used, structured, machine-readable format, such as a CSV file. A PDF is not a machine-readable format [3]. <br> | | · sent to me in commonly used, structured, machine-readable format, such as a CSV file. A PDF is not a machine-readable format [3]. <br> |
| · accompanied with an intelligible description of all variables or abbreviations.<br> | | · accompanied with an intelligible description of all variables or abbreviations.<br> |
− |
| + | |
| Article 15 | | Article 15 |
− |
| + | |
| For all personal data not falling within portability, I would like to request, under the right to access (GDPR, article 15): | | For all personal data not falling within portability, I would like to request, under the right to access (GDPR, article 15): |
− |
| + | |
| · a copy sent to me in electronic format. This includes any data derived about me, such as opinions, inferences, settings and preferences. Note that opinions, inferences and the like are considered personal data [4]. For data that is available to the controller in machine readable format, it must be provided to me in that form in accordance with the principle of fairness and provision of data protection by design. | | · a copy sent to me in electronic format. This includes any data derived about me, such as opinions, inferences, settings and preferences. Note that opinions, inferences and the like are considered personal data [4]. For data that is available to the controller in machine readable format, it must be provided to me in that form in accordance with the principle of fairness and provision of data protection by design. |
| | | |
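Review bot: The bold added to the six category names in items 1 to 6 and to "please explicitly confirm" uses wiki triple-apostrophe markup, but the text is a letter meant to be sent as an email ("please pass this email to your Data Protection Officer"), so anyone copying the page source rather than the rendered page will send literal ''' marks. Consider keeping the letter body plain, or stating that the rendered text is the version to copy. In the same hunk the underline beneath "Copies of my personal data" is lengthened although the heading text is unchanged, and the "Article 20" and "Article 15" labels get neither an underline nor bold, so section emphasis is inconsistent; pick one convention for all section labels.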
Line 48: |
Line 48: |
| · If any data was not collected, observed or inferred from me directly, please provide precise information about the source of that data, including the name and contact email of the data controller(s) in question ("from which source the personal data originate", Article 14(2)(f)/15(1)(g)). | | · If any data was not collected, observed or inferred from me directly, please provide precise information about the source of that data, including the name and contact email of the data controller(s) in question ("from which source the personal data originate", Article 14(2)(f)/15(1)(g)). |
| · Please confirm where my personal data is physically stored (including backups) and at the very least whether it has exited the EU at any stage (if so, please also detail the legal grounds and safeguards for such data transfers). | | · Please confirm where my personal data is physically stored (including backups) and at the very least whether it has exited the EU at any stage (if so, please also detail the legal grounds and safeguards for such data transfers). |
− |
| + | |
| Information on purposes and legal basis | | Information on purposes and legal basis |
− |
| + | |
| · All processing purposes and the lawful basis for those purposes by category of personal data. This list must be broken down by purpose, lawful basis aligned to purposes, and categories of data concerned aligned to purposes and lawful bases. Separate lists where these three factors do not correspond are not acceptable (Article 29 Working Party [6]). A table may be the best way to display this information. | | · All processing purposes and the lawful basis for those purposes by category of personal data. This list must be broken down by purpose, lawful basis aligned to purposes, and categories of data concerned aligned to purposes and lawful bases. Separate lists where these three factors do not correspond are not acceptable (Article 29 Working Party [6]). A table may be the best way to display this information. |
| · The specified legitimate interest where legitimate interest is relied upon (Article 14(2)(b)). | | · The specified legitimate interest where legitimate interest is relied upon (Article 14(2)(b)). |
− |
| + | |
| Information on automated decision-making | | Information on automated decision-making |
− |
| + | |
| · Please confirm whether or not you make any automated decisions (within the meaning of Article 22, GDPR). If the answer is yes, please provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me. (Article 15(1)(h)) | | · Please confirm whether or not you make any automated decisions (within the meaning of Article 22, GDPR). If the answer is yes, please provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me. (Article 15(1)(h)) |
− |
| + | |
| Information on storage | | Information on storage |
− |
| + | |
| · Please confirm for how long each category of personal data is stored, or the criteria used to make this decision, in accordance with the storage limitation principle and Article 15(1)(d). | | · Please confirm for how long each category of personal data is stored, or the criteria used to make this decision, in accordance with the storage limitation principle and Article 15(1)(d). |
− |
| + | |
| I understand that according to Article 11 GDPR, and particularly Art 11.2, you might need additional information to identify me for the purpose of this request. The following information should help you locate my personal data: | | I understand that according to Article 11 GDPR, and particularly Art 11.2, you might need additional information to identify me for the purpose of this request. The following information should help you locate my personal data: |
− |
| + | |
| << PARTICIPANT TO INSERT USERNAME, ACCOUNT ID, PHONE NUMBER OR OTHER APPROPRIATE IDENTIFIERS HERE >> | | << PARTICIPANT TO INSERT USERNAME, ACCOUNT ID, PHONE NUMBER OR OTHER APPROPRIATE IDENTIFIERS HERE >> |
− |
| + | |
| If you do not normally deal with these requests, please pass this email to your Data Protection Officer. If you need advice on dealing with this request, any European Data Protection Authority should be able to provide you with assistance. | | If you do not normally deal with these requests, please pass this email to your Data Protection Officer. If you need advice on dealing with this request, any European Data Protection Authority should be able to provide you with assistance. |
− |
| + | |
| In accordance with the law, I look forward to hearing from you within one month of receipt. | | In accordance with the law, I look forward to hearing from you within one month of receipt. |
− |
| + | |
| Regards, | | Regards, |
| << PARTICIPANT FULL NAME >> | | << PARTICIPANT FULL NAME >> |
− |
| + | |
| References: | | References: |
| [1] UK Information Commissioner’s Office, Subject Access Code of Practice (9 June 2017) p13; Information Commissioner’s Office, ‘Guide to the GDPR: Right to access’ (22 May 2019): 'Even if you have a form, you should note that a subject access request is valid if it is submitted by any means, so you will still need to comply with any requests you receive in a letter, a standard email or verbally [..] although you may invite individuals to use a form, you must make it clear that it is not compulsory'. <br> | | [1] UK Information Commissioner’s Office, Subject Access Code of Practice (9 June 2017) p13; Information Commissioner’s Office, ‘Guide to the GDPR: Right to access’ (22 May 2019): 'Even if you have a form, you should note that a subject access request is valid if it is submitted by any means, so you will still need to comply with any requests you receive in a letter, a standard email or verbally [..] although you may invite individuals to use a form, you must make it clear that it is not compulsory'. <br> |