Line 25: |
Line 25: |
| | | |
| For data falling within the right to data portability (GDPR article 20), which includes all data I have provided and which have been indirectly observed about me [2] and where lawful bases for processing include consent or contract, I wish to have that data: | | For data falling within the right to data portability (GDPR article 20), which includes all data I have provided and which have been indirectly observed about me [2] and where lawful bases for processing include consent or contract, I wish to have that data: |
− | · sent to me in commonly used, structured, machine-readable format, such as a CSV file. A PDF is not a machine-readable format [3]. <br>
| + | * sent to me in commonly used, structured, machine-readable format, such as a CSV file. A PDF is not a machine-readable format [3]. <br> |
− | · accompanied with an intelligible description of all variables or abbreviations.<br>
| + | * accompanied with an intelligible description of all variables or abbreviations.<br> |
| | | |
| Article 15 | | Article 15 |
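Review bot: The two converted items under the Article 20 paragraph keep their trailing `<br>` after the switch from "·" to "*". If "*" is intended as list markup, each item already renders on its own line, so the `<br>` is redundant; drop it here, which also matches the Article 15 item in the next hunk, which has none.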
Line 32: |
Line 32: |
| For all personal data not falling within portability, I would like to request, under the right to access (GDPR, article 15): | | For all personal data not falling within portability, I would like to request, under the right to access (GDPR, article 15): |
| | | |
− | · a copy sent to me in electronic format. This includes any data derived about me, such as opinions, inferences, settings and preferences. Note that opinions, inferences and the like are considered personal data [4]. For data that is available to the controller in machine readable format, it must be provided to me in that form in accordance with the principle of fairness and provision of data protection by design.
| + | * a copy sent to me in electronic format. This includes any data derived about me, such as opinions, inferences, settings and preferences. Note that opinions, inferences and the like are considered personal data [4]. For data that is available to the controller in machine readable format, it must be provided to me in that form in accordance with the principle of fairness and provision of data protection by design. |
| | | |
| If your organisation considers me a controller for whom you process | | If your organisation considers me a controller for whom you process |
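Review bot: The Article 15 item being re-bulleted still reads "machine readable format", while the Article 20 item in the previous hunk uses "machine-readable format". Since this line is being touched anyway, hyphenate it so the template is consistent.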
Line 43: |
Line 43: |
| This request also includes the metadata I am entitled to under the GDPR. | | This request also includes the metadata I am entitled to under the GDPR. |
| | | |
− | Information on controllers, processors, source and transfers | + | Information on controllers, processors, source and transfers<br> |
− | · The identity of all joint controllers of my personal data, as well as the essence of you contracts with them (GDPR Article 26).<br>
| + | * The identity of all joint controllers of my personal data, as well as the essence of you contracts with them (GDPR Article 26).<br> |
− | · Any third parties to whom data has been disclosed, named with contact details in accordance with Article 15(1)(c). Please note that the European data protection regulators have stated that by default, controllers should name precise recipients and not "categories" of recipients. If they do choose to name categories, they must justify why this is fair, and be specific, naming "the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients [3]. Please note that in the case of any transferred data processed on the basis of consent, there is no option to just name categories of recipients without invalidating that legal basis [5].<br>
| + | * Any third parties to whom data has been disclosed, named with contact details in accordance with Article 15(1)(c). Please note that the European data protection regulators have stated that by default, controllers should name precise recipients and not "categories" of recipients. If they do choose to name categories, they must justify why this is fair, and be specific, naming "the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients [3]. Please note that in the case of any transferred data processed on the basis of consent, there is no option to just name categories of recipients without invalidating that legal basis [5].<br> |
− | · If any data was not collected, observed or inferred from me directly, please provide precise information about the source of that data, including the name and contact email of the data controller(s) in question ("from which source the personal data originate", Article 14(2)(f)/15(1)(g)).<br>
| + | * If any data was not collected, observed or inferred from me directly, please provide precise information about the source of that data, including the name and contact email of the data controller(s) in question ("from which source the personal data originate", Article 14(2)(f)/15(1)(g)).<br> |
− | · Please confirm where my personal data is physically stored (including backups) and at the very least whether it has exited the EU at any stage (if so, please also detail the legal grounds and safeguards for such data transfers).<br>
| + | * Please confirm where my personal data is physically stored (including backups) and at the very least whether it has exited the EU at any stage (if so, please also detail the legal grounds and safeguards for such data transfers).<br> |
| | | |
| Information on purposes and legal basis | | Information on purposes and legal basis |
| | | |
− | · All processing purposes and the lawful basis for those purposes by category of personal data. This list must be broken down by purpose, lawful basis aligned to purposes, and categories of data concerned aligned to purposes and lawful bases. Separate lists where these three factors do not correspond are not acceptable (Article 29 Working Party [6]). A table may be the best way to display this information.<br>
| + | * All processing purposes and the lawful basis for those purposes by category of personal data. This list must be broken down by purpose, lawful basis aligned to purposes, and categories of data concerned aligned to purposes and lawful bases. Separate lists where these three factors do not correspond are not acceptable (Article 29 Working Party [6]). A table may be the best way to display this information.<br> |
− | · The specified legitimate interest where legitimate interest is relied upon (Article 14(2)(b)).<br>
| + | * The specified legitimate interest where legitimate interest is relied upon (Article 14(2)(b)).<br> |
| | | |
| Information on automated decision-making | | Information on automated decision-making |
| | | |
− | · Please confirm whether or not you make any automated decisions (within the meaning of Article 22, GDPR). If the answer is yes, please provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me. (Article 15(1)(h))
| + | * Please confirm whether or not you make any automated decisions (within the meaning of Article 22, GDPR). If the answer is yes, please provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me. (Article 15(1)(h)) |
| | | |
| Information on storage | | Information on storage |
| | | |
− | · Please confirm for how long each category of personal data is stored, or the criteria used to make this decision, in accordance with the storage limitation principle and Article 15(1)(d).
| + | * Please confirm for how long each category of personal data is stored, or the criteria used to make this decision, in accordance with the storage limitation principle and Article 15(1)(d). |
| | | |
| I understand that according to Article 11 GDPR, and particularly Art 11.2, you might need additional information to identify me for the purpose of this request. The following information should help you locate my personal data: | | I understand that according to Article 11 GDPR, and particularly Art 11.2, you might need additional information to identify me for the purpose of this request. The following information should help you locate my personal data: |
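Review bot: The sub-heading "Information on controllers, processors, source and transfers" gains a `<br>`, but the sibling sub-headings ("Information on purposes and legal basis", "Information on automated decision-making", "Information on storage") do not, so they will be laid out differently; either leave the heading unchanged or treat all four the same way. Trailing `<br>` use is also uneven across the converted items: the controller and purpose items have it, the automated decision-making and storage items do not. Two text defects are carried over on lines this change rewrites and could be fixed in the same edit: "the essence of you contracts" should read "your contracts", and the quotation opened at "the type of recipient is never closed after "the location of the recipients".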