(Originally posted on LinkedIn, April 3 2017)
By Constantine Karbaliotis and Paul Breitbarth (with thanks to Paul for introducing an experienced DPA perspective…Paul thinks I am too judgmental…)
So let’s imagine how the letter from hell has been answered in a typical organization. All these annoying questions have been asked, and they may have to be answered. The scope of the answers will depend on the context of what the subject is legitimately making a complaint or inquiry about.
If you are not prepared and do not have an adequate picture of your data processing activities and privacy management processes, then answering any subject-access request will be time consuming. You won’t even know who knows the answers to some of these questions, and in your exploration of your company’s subterranean caverns of data processing, you come up against the deadline.
So naturally, you have written back initially in the one-month period following the subject-access request, to advise that you will require a further two months (Article 12(3) GDPR). And despite your best efforts and intentions to get answers from your IT department, your HR department, marketing and everyone else who presumably should know how this individual’s information is being processed, you find yourself coming up against the extended deadline again.
And you slip over it. Not by much, but you are late. And your answers are, admittedly, a bit vague and perhaps not that persuasive. The data subject does what data subjects will do – they complain to their national or local DPA. And you get another letter…
The DPA Inquires…
Dear Sir, Madam,
On <date>, the <jurisdiction> DPA received a complaint from <name>, following a data subject access request filed with your company on <date access request>. <Name> has asserted that the processing of his/her data by your organisation is infringing his/her fundamental right to data protection as laid down in the General Data Protection Regulation (Regulation (EU) 2016/679).
Based on the claims in the complaint, the copies of the correspondence between <name> and <name DPO>, the DPO of your organisation, and in accordance with Articles 57(1)f and 77 of said Regulation, I have decided to open an investigation into the data processing operations of your organisation, and the way you provide access to data subjects’ information processed in your files and systems. I trust that your organisation will cooperate fully with this investigation. I do however stress that, if required, I can order your cooperation under Article 58(1) GDPR.
I request that you provide an answer to the following questions within four weeks of today. Please be so kind as to answer the questions extensively, providing all information, as well as supporting documentation, that you consider relevant for this investigation.
1. <Name> has asked you to provide a digital copy of all information processed by your organisation about him/her. On <date>, you did provide a PDF file containing the name, address and contact details stored in your systems about <name>. Any further information, including for example the contact <name> has had with your customer service team, seems to be lacking. Information about <name>’s financial relations with your organisation has also not been provided. I therefore request that you provide a full copy of all information your organisation processes about <name>.
2. <Name> has indicated that the PDF file with his/her information you provided also contained information related to his/her social media accounts, even though that information has never been provided to you by <name>. In line with Article 15(1)g GDPR, please provide information about the provenance of this data.
3. In addition, you have not indicated what information you hold concerning the profile you have developed of <name>, based upon usage of your website and upon the input <name> has given through the surveys and other feedback mechanisms you provide. In particular, <name> notes that a third-party organisation processing information on your behalf places a cookie on users’ computers. This appears to be used to track users’ activities not only on your website, but also on other websites they visit after leaving yours. Please elaborate.
4. In your correspondence with <name>, you have indicated you process personal data for marketing purposes, without further specification how this information is processed and with which third parties this data is shared. Please elaborate.
5. <Name> also requested that you identify what countries his/her personal data was stored in or accessible from. You indicated that his/her data was stored in a data centre in the United States. However, <name> has pointed out that when calling for support in relation to your <service/product>, s/he was put in touch with customer support representatives in India. The complaint therefore states that your response is inaccurate.
6. <Name> specifically requested information concerning the use of cloud services to store or process personal data, and your response was that you are not storing his/her personal data in cloud services. Notwithstanding this, it is noted that your organisation made a public announcement concerning the use of <well-known software company>’s cloud services to augment your processing. Additionally, <name> identified that on at least one occasion s/he was required to exchange files containing personal data with your organisation’s support representatives via <popular file sharing service>.
7. You have provided a list of third parties with whom you share personal data of <name>, which includes a payment processor as well as a company providing web analytics, as noted above. However, your website proudly announced in 2016 a partnership with another third party to provide related services assisting users with the use of <product/service>, and <name> has in fact received e-mail marketing communications from that partner. You have not listed what information is shared with that partner, nor have you indicated this as a use of the information of <name> in response to the query relating to specific uses of information. You have also not indicated in what jurisdiction this partner stores or has access to <name>’s personal information. Please elaborate on the relationship between your company and this partner, as well as the data shared between the two companies.
8. Both in relation to this undisclosed partner as well as your identified third-party processors, you have not indicated if the data is transferred outside of the European Union, and if so, what the legal grounds for transfer of personal data are on which you rely, or your safeguards in relation to the protection of personal data.
9. In response to the question of <name> relating to the retention of personal data, I can only ascertain you have repeated the text of the law, stating personal data is retained “no longer than necessary”. Please provide for each data category and processing purpose the specific retention periods your organisation has decided upon.
10. You have indicated that there had been no breaches of personal data involving <name> as a result of a security or privacy breach. However, <name> has pointed out, and I note, that you have notified regulators, namely <State Attorneys General> in the United States of America, that your company experienced a breach on <date> involving <x,000> individuals in <various states>. This breach arose from a rogue employee accessing and selling personal information from your data centre in the United States, which is where you indicated that data of EU residents is also stored and processed. This information suggests that EU residents’ data has also been accessed, or may have been, and I require further details as initially set out in <name>’s letter:
a. details of each and any such breach at a data centre in the US that contained EU residents’ personal data;
b. a general description of what occurred;
c. the date and time of the breach (or the best possible estimate);
d. the date and time the breach was discovered;
e. the source of the breach (either your own organisation, or a third party to whom you have transferred <name>’s personal data);
f. details of the personal data that was disclosed;
g. your company’s assessment of the risk of harm to data subjects, as a result of the breach;
h. a description of the measures taken or that will be taken to prevent further unauthorised access to personal data;
i. what information and advice you provided to affected individuals in the European Union to protect them against any harms, including identity theft and fraud.
11. In addition, if it is indeed possible that personal data of EU citizens was or may have been compromised during the breach, I ask you to explain why you have decided not to notify any of the EU data protection authorities until now, as required by Article 33(1) GDPR.
12. Further to the question above, please identify what mitigating steps you have taken to protect the data of <name> as an EU resident, either prior to or in response to the breach noted above, including:
a. Encryption of personal data;
b. Data minimisation strategies; or,
c. Anonymisation or pseudonymisation; or,
d. Any other means.
13. In light of the information concerning the above-noted breach, I find that the questions from <name> which you declined to answer as irrelevant are germane and should be addressed. These included:
a. information concerning your information policies and standards;
b. backup, archival and storage mechanisms;
c. as requested by <name>, details as to your:
i. Intrusion detection systems;
ii. Firewall technologies;
iii. Access and identity management technologies;
iv. Database audit and/or security tools; or,
v. Behavioural analysis tools, log analysis tools, or audit tools.
14. In light of the basis for the above-noted breach, please provide documentation as to training and awareness delivered to employees and contractors.
15. What data loss prevention measures do you utilise to prevent the type of harm that led to this breach?
Upon receipt of your answers, I will analyse the information received before deciding on next steps in the investigation, including on whether or not an in situ inspection is needed. If I decide to draw up a report of findings, you will have a chance to respond to the draft report before it is published. This includes the opportunity to identify any business confidential information that should not be made public. You may also include in your response to this letter an indication of any information that should be treated as business confidential. I underline that business confidentiality as such is not a reason to withhold information from this investigation.
A copy of this letter will be sent to <name DPO>.
Inspector – <jurisdiction> DPA