GDPR-Day: time to request your data – automate it!

So, the European General Data Protection Regulation (GDPR) is in place… Great!

Time for a little experiment: So, I got all these (probably pointless) emails that asked me to review privacy terms and reply immediately. I collected them and decided to turn this around: Let’s rather ask all these organisations and companies what data they own about me and how they use it and for what purpose! (following Paul Nemitz‘ advice to use our GDPR rights ;-))

So here’s what I did:

1) I collected all those mails in an email folder which I extracted as an mbox file. Depending on which e-mail client you use that should be easy to do. NOTE: be sure to filter out SPAM emails beforehand and only contact/collect those which are actual service providers you know (more on that in the update below).

2) I drafted an email, demanding clarification in terms of my GDPR rights, it reads as follows (thanks to my colleague Veronika Treitl for giving me some feedback on the mail text!)

(English version below)

Sie erhalten diese e-mail von mir, nachdem Ihre Organisation mich unlängst im Zusammenhang mit der seit kurzem in Kraft getretenen Europäischen Datenschutzgrundverordnung (DSGVO) kontaktiert hat. Da Sie meine e-mail Adresse verwenden, hat Ihre Organisation offensichtlich personenbezogene Informationen über mich verarbeitet.

In Ausübung meiner Rechte als Bürger der Europäischen Union fordere ich Sie auf, mir folgende Fragen zu beantworten, beziehungsweise mir alle notwendigen Informationen im Zusammenhang mit diesen Fragen mitzuteilen, um Ihren Verpflichtungen im Zusammenhang mit der DSGVO mir gegenüber nachzukommen:

1. Welche personenbezogenen Daten haben Sie über mich? Bitte stellen Sie mir alle Daten, die Sie über mich gespeichert haben, zur Verfügung und schicken Sie mir diese oder machen Sie diese als Download für mich verfügbar.

2. Wann habe ich Ihnen die Zustimmung zur Speicherung dieser Daten erteilt? Bitte stellen Sie mir entweder einen Beweis meiner expliziten Zustimmung zur Verfügung oder klären Sie, aufgrund welcher Rechtsgrundlage bzw. aufgrund welcher Ausnahmebestimmung in der DSGVO Sie meine Daten auch ohne meine explizite Zustimmung speichern oder verarbeiten dürfen bzw. durften.

3. Zu welchem Zwecke haben Sie Daten über mich gespeichert oder gesammelt? Bitte erklären Sie auch hier, aufgrund welcher Rechtsgrundlage (explizite Zustimmung oder andere Rechtsgrundlage) dieser Verwendungszweck zulässig ist bzw. war.

4. Wie wurden meine Daten bisher von Ihnen verarbeitet und zu welchem Zweck? Bitte stellen sie Datum, Zeitpunkt und Zweck der jeweiligen Verarbeitung zur Verfügung.

5. Seit wann haben Sie welche Daten über mich gespeichert und wie lange gedenken Sie diese Daten über mich fortan zu speichern?

6. Wie sind Sie in den Besitz meiner personenbezogenen Daten gekommen, bzw. falls Sie diese nicht direkt von mir erhalten haben, bitte geben Sie die Organisation an, von welcher Sie diese Daten bezogen haben und auf Basis welcher rechtlichen Grundlage oder aufgrund welchen Vertrages die Daten an Sie weitergegeben wurden.

Ich wäre dankbar wenn Sie mir jede dieser Fragen gesammelt in einer Antwort-e-mail (Reply-Funktion, bitte den Betreff nicht ändern) beantworten könnten.

Danke für Ihre Kooperation,
mit freundlichen Grüssen,

Axel Polleres

-------------

You are receiving this mail because your company/organisation contacted me in regards to the European General Data Protection Regulation (GDPR), and, since you have my e-mail-address, you obviously have processed personal data about me.

In execution of my rights as a European citizen resulting from GDPR, I would kindly ask you to answer the following questions and provide me with the necessary details resulting from your company's obligations through the GDPR:

1. What personal data do you have about me? Please provide *all* details of the data you own and send me the records or make them available for me for download.

2. When did I give you consent to collect my data? Please provide proof and a record of my explicit consent or explain based on which prior legal basis or, respectively, based on which concrete exception (as listed in the GDPR) you are entitled to store and process my data without explicit consent.

3. For what purpose do or did you collect this data? Please, analogous to question 2, clarify in which sense this purpose is covered by either my explicit consent or any other legal basis.

4. How did you process my data so far, when and for what purpose? Please provide record, date, time and purpose of any such processing.

5. How long do, did or do you plan to retain data you collected about me?

6. How did you get into possession of data about me? In case the data has not been provided directly by myself, please provide details about any third party that has provided this data to you and based on which legal basis or contract the data has been shared with you.




I would appreciate if you could answer these questions separately and inline in a single reply to this email (Please use the reply-function and do not change the e-mail Subject if possible).

Thank you for your collaboration,

Axel Polleres

 

3) I extracted all email addresses, reply-to addresses and subjects from the mbox file from Step 1) with the following Python script (it’s ugly, I know, but good enough):

# This creates a semicolon-separated CSV with the header FROM;REPLYTO;SUBJECT
# from the mbox file given.
import mailbox
from email.header import decode_header, make_header


def decoded(value):
    # Decode RFC 2047 encoded-words; a missing header becomes an empty string
    # instead of crashing decode_header() or printing "None".
    return str(make_header(decode_header(value))) if value else ""


print("FROM;REPLYTO;SUBJECT")

mbox = mailbox.mbox('INBOX/GDPR_mails.mbox/mbox')
for message in mbox:
    sender = decoded(message['from'])
    reply_to = decoded(message['reply-to'])
    subject = decoded(message['Subject'])
    print(sender + ";" + reply_to + "; \"Re: " + subject + "\"")

4) Voilà, now I just used this to feed it into a serial mail to send out the mail in bulk to all those companies (around 70 for now)… curious what will come back. I plan to collect, analyse and summarize the results… stay tuned!
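A more defensive variant of the extraction in step 3, as an added example that is not the author's script: it keeps only senders on a list of providers you recognise (the spam caveat from step 1), sets aside noreply addresses for a manual contact lookup, and writes the CSV with proper quoting. The sample messages, the domains and the names `build_recipients`, `to_csv`, `KNOWN_DOMAINS` and `NOREPLY` are constructed for illustration.

```python
import csv
import io
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample messages (not real senders); in practice iterate mailbox.mbox(path).
SAMPLE = [
    "From: =?utf-8?q?Shop_M=C3=BCller?= <news@shop.example>\nSubject: Privacy; update\n\nbody",
    "From: Photo Site <noreply@photos.example>\nReply-To: support@photos.example\nSubject: Terms\n\nbody",
    "From: Photo Site <no-reply@photos.example>\nSubject: Terms again\n\nbody",
    "From: Prize <win@unknown.example>\nSubject: =?utf-8?q?Act_now?=\n\nbody",
]
KNOWN_DOMAINS = {"shop.example", "photos.example"}  # assumption: providers you recognise
NOREPLY = ("noreply", "no-reply", "donotreply", "do-not-reply")

def decoded(value):
    # Decode RFC 2047 encoded-words; a missing header becomes ''.
    return str(make_header(decode_header(value))) if value else ""

def build_recipients(messages, known_domains):
    # Returns (rows, manual): rows to mail, and senders needing a hand-found contact.
    rows, manual, seen = [], [], set()
    for msg in messages:
        # Prefer Reply-To, as a mail client's reply function would.
        addr = parseaddr(str(msg["Reply-To"] or msg["From"] or ""))[1].lower()
        local, _, domain = addr.partition("@")
        if domain not in known_domains:
            continue  # unknown sender, possibly spam: never answer
        if local.startswith(NOREPLY):
            manual.append(addr)  # unread mailbox: look up a support address instead
            continue
        if addr not in seen:  # one request per organisation address
            seen.add(addr)
            rows.append((addr, "Re: " + decoded(msg["Subject"])))
    return rows, manual

def to_csv(rows):
    # The csv module quotes fields, so ';' or '"' in a subject cannot break columns.
    out = io.StringIO()
    writer = csv.writer(out, delimiter=";", quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(("TO", "SUBJECT"))
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    rows, manual = build_recipients([message_from_string(m) for m in SAMPLE], KNOWN_DOMAINS)
    print(to_csv(rows), "manual lookup:", manual)
```
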

Disclaimer: If you want to join the experiment, and try it out yourself, please let me know! It would be interesting to share the return rates and categorize which questions were answered how! What I am particularly interested in is whether the answers and formats of data I get back (if any ;-)) could serve as an input for our recently started W3C Community group on Data Privacy Vocabularies and Controls (DPVCG).

For this to work it would be good if you do NOT modify my mail template such that we get comparable results. Contact me please, if you wanna help!

 

Updates:

May 29th: So, first replies are in, some interesting ones amongst them. As expected, I got several ones who just panickingly promised to remove my data and email immediately from their mailing lists (although I hadn’t even asked for that…), one even offering a bottle of wine to me, which I found very funny :-).

ATTENTION: Another one asked me to send them – in an encrypted channel – a copy of an ID to process my request: I think this may be a valid concern and will keep on monitoring whether/how the people who respond actually ask for confirmation of my identity… this is interesting in several respects and raises additional questions:

  • On the one hand: could GDPR data requests that are answered willingly without cross-check of the sender’s identity be used by third parties possibly to “phish” for personal data at companies? Some phishing attacks that try to jump on the bandwagon are already happening, BTW, so be careful.
  • On the other hand, the phishing might be from the company’s side as well. In terms of data minimality, they do not necessarily need a copy of my ID: if I sent my request from the email they already have, why would they need confirmation of my real identity in terms of a copy of an ID document, and is this even relevant? (In fact, in my script I might have used a different from address than the one I got their original request from.) But if it is sent from an address they have in their database and the e-mail is all the data they identify me with, shouldn’t they just reply with all the data they associate with this e-mail address? In other words: in the case where the only proof of identity the company had so far was your email, I assume that asking back for a stronger proof of identification which reveals more personal data (passport number and all other credentials in your ID document, etc.) would seem questionable to me.

As a precaution mentioned above, I sent the mails in the script only to senders who are not spam obviously, to be on the safe side… answering anything to spam is never a good idea, since it provides the spammers proof that the address they spammed is actually in use. To the particular example from above, although it is definitely not from a spammer, for now, I answered with a digitally signed printout of the email and argued that a digital signature with my national eID (using handy-signatur.at) is a valid proof that legally is equivalent to a hand-written signature according to EU Directive 910/2014, let’s see how they react. In fact, using the national eID as a signature is an ok, but sub-optimal solution: the whole thing would rather make a very good use case for techniques like Verifiable Claims and Self-Sovereign-ID.

TU Vienna, who I also contacted, has answered that they have established an online form for GDPR-requests (which also requires to upload a copy of your ID), which seems to indicate they are well-prepared for GDPR.

Flickr and several other companies sent me mails from a “noreply” email address… so I went on to find their support-email addresses online. In the particular case of Flickr, this was particularly funny, since they had under “Datenschutzerklärung” a generic link to their policies for various countries, of course NOT containing Austria in the list. I went on to look for a contact form or support email on Flickr’s Webpage, after some search and clicking through their “terms” and “privacy” section finding this contact form page, which turned out not to link to a contact form, and this FAQ page … somehow I managed to get through to a contact form through a login page and posted the request, let’s see whether I will get an answer. It might all be tricky as Flickr is a part of Yahoo and the flickr account is actually registered to my gmail address, whereas I also have a yahoo account, so eventually two requests sent with two accounts.

The last funny case I can report is postserver.com, Austria’s certified official provider for receiving official public administration communication (according to their Web page certified in compliance with the “Zustellgesetz (ZustG)“)  electronically:  their new GDPR terms and conditions, literally mention an email-address (datenschutz@posterver.com) that bounces 🙂 … they received my request to their support-email address instead.

 

 

 
