(Originally posted on LinkedIn, May 15, 2017)
The GDPR provides for a number of remedies for individuals in regards to their personal data, that will put companies through their paces:
- the right to be forgotten and erasure;
- data portability; and
- objection to and restrictions on processing.
The natural next step when someone has written you an annoying letter to find out what a company knows about a data subject, and how it is handling their personal data, is for the author to start exercising those rights.
This gets harder to do in the natural flow of a letter, because of course, the exercise of these rights can arise in so many scenarios. I wanted to highlight individual elements of what data subjects can ask under the GDPR. They may not all come at once, but through the death of a thousand paper cuts, in a series of postcards from hell:
1. Let’s get rectified.
Based on the information that you have provided to me in my subject-access request, it appears you have collected a profile on me based on my purchases. The fact that I am buying a lot of toilet paper is no one’s concern but my own; and it is not due to anything other than I have a lot of guests, not as is implied in the profile, that I am having some kind of organic issues. Please rectify this as soon as possible, as I now understand why I am receiving invitations to purchase medication.
2. Transfer this.
I note that you have been transferring my personal data, namely my meal choices on flights, to the United States, and you have indicated that the basis on which you are making that transfer is based upon the EU-US PNR Agreement. The inferences being drawn from my being a vegetarian are that I am in a suspect group and am being profiled on that basis, which is why I am routinely pulled aside for “random” searches whenever I visit the United States. I request that you delete all information concerning my meal choices that you have collected on me.
3. Your vendor is infectious.
I request you delete my contact information from your customer service vendor in India. I had one interaction to get support for my software a year ago – and now I routinely get calls from India insisting my Windows computer is infected (I own a Macintosh), so your outsourced vendor is not keeping my information confidential. Please confirm that you have followed up with any organization with whom my contact details have been shared with by your vendor. And in future, please restrict processing of my data to my software subscription maintenance.
4. Let my data go.
I have been using your free budget management program on the Internet and now that I understand you are storing my financial and purchase data in countries which have a high rate of identity theft, I no longer wish you to have my data. Prior to deleting it, I would like to ask you to provide all my data in a CSV format that I can use to export to a system which stores its data in the European Union. Please use the attached schema which will support the import into the new system I wish to use.
5. Taking a gamble you have it right.
I have been receiving direct mail from you both by the post and in my e-mail. I am in risk management and I attend conferences on privacy and risk management. I assume that is how you got my contact information, but I do not understand how this got linked to gambling. I don’t find gambling interesting and I don’t know why you would assume that I would want your magazine on gambling, or your e-mails to let me know about gambling events, and the connection with gambling is embarrassing and potentially damaging to my career. Stop sending me anything more and remove my name and address from your lists in relation to gambling.
(Yes, the last one happened to me).