@RubenVerborgh
Created February 15, 2019 18:01
Facebook scamming their way out of a GDPR Subject Access Request
Hi Ruben,
We refer to your request in accordance with Article 15 of the Data Protection Regulation 2016/679 ("GDPR") which we received on 1/14/2019.
1. How can I access my personal data on Facebook?
As a Facebook user, you can access your Facebook user information, including photos, posts, reactions and comments, using the Access Your Information tool which allows you to view your account data at any time and in a single place. We've categorised this information by type so you can find what you're looking for.
The Access Your Information tool is available in the “Your Facebook Information” section of the settings.
To view Your Facebook Information from a computer:
1. Go to the top right of Facebook and click .
2. Click Settings.
3. Click Your Facebook Information.
4. Go to the information you want to review and click View.
The Your Facebook Information section also includes tools and resources to help you manage, download and delete your information on Facebook.
2. What categories of personal data does Facebook collect about me? And where does the personal data come from?
The data categories that Facebook holds about you depend on how you use Facebook Products. These data categories and their sources are clearly set out in our Data Policy (accessible via https://www.facebook.com/policy.php) as follows:
• Information and content you provide. We collect the content, communications and other information you provide when you use our Products, including when you sign up for an account, create or share content, and message or communicate with others. This can include information in or about the content you provide (like metadata), such as the location of a photo or the date a file was created. It can also include what you see through features we provide, such as our camera, so we can do things like suggest masks and filters that you might like, or give you tips on using portrait mode. Our systems automatically process content and communications you and others provide to analyze context and what's in them for the purposes described below. Data with special protections: You can choose to provide information in your Facebook profile fields or Life Events about your religious views, political views, who you are "interested in," or your health. This and other information (such as racial or ethnic origin, philosophical beliefs or trade union membership) is subject to special protections under EU law.
• Networks and connections. We collect information about the people, Pages, accounts, hashtags and groups you are connected to and how you interact with them across our Products, such as people you communicate with the most or groups you are part of. We also collect contact information if you choose to upload, sync or import it from a device (such as an address book or call log or SMS log history), which we use for things like helping you and others find people you may know and for the other purposes listed below.
• Your usage. We collect information about how you use our Products, such as the types of content you view or engage with; the features you use; the actions you take; the people or accounts you interact with; and the time, frequency and duration of your activities. For example, we log when you're using and have last used our Products, and what posts, videos and other content you view on our Products. We also collect information about how you use features like our camera.
• Information about transactions made on our Products. If you use our Products for purchases or other financial transactions (such as when you make a purchase in a game or make a donation), we collect information about the purchase or transaction. This includes payment information, such as your credit or debit card number and other card information; other account and authentication information; and billing, shipping and contact details.
• Things others do and information they provide about you. We also receive and analyze content, communications and information that other people provide when they use our Products. This can include information about you, such as when others share or comment on a photo of you, send a message to you, or upload, sync or import your contact information.
• Device Information. We collect information from and about the computers, phones, connected TVs and other web-connected devices you use that integrate with our Products, and we combine this information across different devices you use. For example, we use information collected about your use of our Products on your phone to better personalize the content (including ads) or features you see when you use our Products on another device, such as your laptop or tablet, or to measure whether you took an action in response to an ad we showed you on your phone on a different device. Information we obtain from these devices includes:
o Device attributes: information such as the operating system, hardware and software versions, battery level, signal strength, available storage space, browser type, app and file names and types, and plugins.
o Device operations: information about operations and behaviors performed on the device, such as whether a window is foregrounded or backgrounded, or mouse movements (which can help distinguish humans from bots).
o Identifiers: unique identifiers, device IDs, and other identifiers, such as from games, apps or accounts you use, and Family Device IDs (or other identifiers unique to Facebook Company Products associated with the same device or account).
o Device signals: Bluetooth signals, and information about nearby Wi-Fi access points, beacons, and cell towers.
o Data from device settings: information you allow us to receive through device settings you turn on, such as access to your GPS location, camera or photos.
o Network and connections: information such as the name of your mobile operator or ISP, language, time zone, mobile phone number, IP address, connection speed and, in some cases, information about other devices that are nearby or on your network, so we can do things like help you stream a video from your phone to your TV.
o Cookie data: data from cookies stored on your device, including cookie IDs and settings.
• Information from partners. Advertisers, app developers, and publishers can send us information through Facebook Business Tools they use, including our social plug-ins (such as the Like button), Facebook Login, our APIs and SDKs, or the Facebook pixel. These partners provide information about your activities off Facebook—including information about your device, websites you visit, purchases you make, the ads you see, and how you use their services—whether or not you have a Facebook account or are logged into Facebook. For example, a game developer could use our API to tell us what games you play, or a business could tell us about a purchase you made in its store. We also receive information about your online and offline actions and purchases from third-party data providers who have the rights to provide us with your information. Partners receive your data when you visit or use their services or through third parties they work with. We require each of these partners to have lawful rights to collect, use and share your data before providing any data to us.
3. How does Facebook use my personal data?
As set out in our Data Policy, Facebook uses the information held about its users to:
• Provide, personalise and improve our Products. We use the information that we have to deliver our Products, including to personalise features and content (including your News Feed, Instagram Feed, Instagram Stories and ads) and make suggestions for you (such as groups or events you may be interested in or topics you may want to follow) on and off our Products. To create personalised Products that are unique and relevant to you, we use your connections, preferences, interests and activities based on the data that we collect and learn from you and others (including any data with special protections that you choose to provide where you have given your explicit consent); how you use and interact with our Products; and the people, places or things that you're connected to and interested in on and off our Products.
o Information across Facebook Products and devices: We connect information about your activities on different Facebook Products and devices to provide a more tailored and consistent experience on all Facebook Products that you use, wherever you use them. For example, we can suggest that you join a group on Facebook that includes people you follow on Instagram or communicate with using Messenger. We can also make your experience more seamless, for example, by automatically filling in your registration information (such as your phone number) from one Facebook Product when you sign up for an account on a different Product.
o Location-related information: We use location-related information – such as your current location, where you live, the places you like to go, and the businesses and people you're near – to provide, personalise and improve our Products, including ads, for you and others. Location-related information can be based on things such as precise device location (if you've allowed us to collect it), IP addresses and information from your and others' use of Facebook Products (such as check-ins or events you attend).
o Product research and development: We use the information we have to develop, test and improve our Products, including by conducting surveys and research, and testing and troubleshooting new products and features.
o Face recognition: If you have it turned on, we use face recognition technology to recognise you in photos, videos and camera experiences. The face recognition templates that we create are data with special protections under EU law. If we introduce face recognition technology to your Instagram experience, we will let you know first, and you will have control over whether we use this technology for you.
o Ads and other sponsored content: We use the information we have about you – including information about your interests, actions and connections – to select and personalise ads, offers and other sponsored content that we show you.
• Provide measurement, analytics and other business services. We use the information that we have (including your activity off our Products, such as the websites you visit and ads you see) to help advertisers and other partners measure the effectiveness and distribution of their ads and services, and understand the types of people who use their services and how people interact with their websites, apps and services.
• Promote safety, integrity and security. We use the information that we have to verify accounts and activity, combat harmful conduct, detect and prevent spam and other bad experiences, maintain the integrity of our Products, and promote safety and security on and off Facebook Products. For example, we use data that we have to investigate suspicious activity or breaches of our Terms or Policies, or to detect when someone needs help.
• Communicate with you. We use the information that we have to send you marketing communications, communicate with you about our Products and let you know about our Policies and Terms. We also use your information to respond to you when you contact us.
• Research and innovate for social good. We use the information that we have (including from research partners who we collaborate with) to conduct and support research and innovation on topics of general social welfare, technological advancement, public interest, health and well-being. For example, we analyse information that we have about migration patterns during crises to aid relief efforts.
Facebook is a complex system, and we use various algorithms to ensure that you see the most engaging and relevant content. The precise details of these algorithms are confidential, and sharing them with would adversely affect our IP and trade secrets. In addition, while these algorithms help to customise the content you see on Facebook, they do not constitute the sole basis for any decision significantly affecting you (within the meaning of Article 15(1)(h) of the GDPR). As a result, we are not in a position to provide you the precise details of our algorithms.
However, we take pride in ensuring that our users understand how Facebook works, so we set out below a description of three of the main ways we make decisions that affect your Facebook experience: (i) the content that appears in your newsfeed; (ii) the ads that you receive on Facebook; and (iii) the apps we recommend to you.
• Newsfeed. The stories that show in your News Feed are influenced by your connections and activity on Facebook. This helps you to see more stories that interest you from friends you interact with the most. The number of comments and likes a post receives and what kind of story it is (ex: photo, video, status update) can also make it more likely to appear in your News Feed;
• Advertising. We want the ads you see on Facebook to be as interesting and useful to you as possible. To decide which ads to show you, we use:
o Information you share and your activities on Facebook (ex: Pages you like).
o Other information about you from your Facebook account (ex: your age, your gender, your location, the devices you use to access Facebook).
o Information advertisers and our marketing partners share with us that they already have, like your email address.
o Your activity on websites and apps off of Facebook;
• Apps. We suggest apps and games based on the ones you and your friends like and use regularly. For example, if you or many of your friends play word games, the App Center will suggest similar things.
4. How and with whom does Facebook share my personal data?
As explained in our Data Policy and subject to your right of access under Article 15(1)(c) GDPR (“recipients or categories of recipients to whom the personal data have been disclosed”), the categories of recipients and the ways in which your personal data is shared are as follows:
• People and accounts that you share and communicate with. When you share and communicate using our Products, you choose the audience for what you share. For example, when you post on Facebook, you select the audience for the post, such as a group, all of your friends, the public or a customised list of people. Similarly, when you use Messenger or Instagram to communicate with people or businesses, those people and businesses can see the content you send. Your network can also see actions that you have taken on our Products, including engagement with ads and sponsored content. We also let other accounts see who has viewed their Facebook or Instagram Stories.
o Public information can be seen by anyone, on or off our Products, including if they don't have an account. This includes your Instagram username, any information you share with a public audience, information in your public profile on Facebook, and content you share on a Facebook Page, public Instagram account or any other public forum, such as Facebook Marketplace. You, other people using Facebook and Instagram, and we can provide access to or send public information to anyone on or off our Products, including in other Facebook Company Products, in search results or through tools and APIs. Public information can also be seen, accessed, reshared or downloaded through third-party services such as search engines, APIs and offline media such as TV, and by apps, websites and other services that integrate with our Products.
• Content that others share or reshare about you. You should consider who you choose to share with, because people who can see your activity on our Products can choose to share it with others on and off our Products, including people and businesses outside the audience that you shared with. For example, when you share a post or send a message to specific friends or accounts, they can download, screenshot or reshare that content to others across or off our Products, in person or in virtual reality experiences such as Facebook Spaces. Also, when you comment on someone else's post or react to their content, your comment or reaction is visible to anyone who can see the other person's content, and that person can change the audience later. People can also use our Products to create and share content about you with the audience they choose. For example, people can share a photo of you in a story or mention, tag you at a location in a post or share information about you in their posts or messages.
• Information about your active status or presence on our Products. People in your networks can see signals telling them whether you are active on our Products, including whether you are currently active on Instagram, Messenger or Facebook, or when you last used our Products.
• Apps, websites and third-party integrations on or using our Products. When you choose to use third-party apps, websites or other services that use, or are integrated with, our Products, they can receive information about what you post or share. For example, when you play a game with your Facebook friends or use a Facebook Comment or Share button on a website, the game developer or website can receive information about your activities in the game or receive a comment or link that you share from the website on Facebook. Also, when you download or use such third-party services, they can access your public profile on Facebook, and any information that you share with them. Apps and websites that you use may receive your list of Facebook friends if you choose to share it with them. But apps and websites that you use will not be able to receive any other information about your Facebook friends from you, or information about any of your Instagram followers (although your friends and followers may, of course, choose to share this information themselves). Information collected by these third-party services is subject to their own terms and policies, not this one. Devices and operating systems providing native versions of Facebook and Instagram (i.e. where we have not developed our own first-party apps) will have access to all information that you choose to share with them, including information that your friends share with you, so they can provide our core functionality to you.
• New owner. If the ownership or control of all or part of our Products or their assets changes, we may transfer your information to the new owner.
• Sharing with third-party partners. We work with third-party partners who help us provide and improve our Products or who use Facebook Business Tools to grow their businesses, which makes it possible to operate our companies and provide free services to people around the world. We don't sell any of your information to anyone and we never will. We also impose strict restrictions on how our partners can use and disclose the data we provide. Here are the types of third parties that we share information with:
o Partners who use our analytics services. We provide aggregated statistics and insights that help people and businesses understand how people are engaging with their posts, listings, Pages, videos and other content on and off the Facebook Products. For example, Page admins and Instagram business profiles receive information about the number of people or accounts who viewed, reacted to or commented on their posts, as well as aggregate demographic and other information that helps them understand interactions with their Page or account.
o Advertisers. We provide advertisers with reports about the kinds of people seeing their ads and how their ads are performing, but we don't share information that personally identifies you (information such as your name or email address that by itself can be used to contact you or identifies who you are) unless you give us permission. For example, we provide general demographic and interest information to advertisers (for example, that an ad was seen by a woman between the ages of 25 and 34 who lives in Madrid and likes software engineering) to help them better understand their audience. We also confirm which Facebook ads led you to make a purchase or take an action with an advertiser.
o Measurement partners. We share information about you with companies that aggregate it to provide analytics and measurement reports to our partners.
o Partners offering goods and services in our Products. When you subscribe to receive premium content, or buy something from a seller in our Products, the content creator or seller can receive your public information and other information that you share with them, as well as the information needed to complete the transaction, including shipping and contact details.
o Vendors and service providers. We provide information and content to vendors and service providers who support our business, such as by providing technical infrastructure services, analysing how our Products are used, providing customer service, facilitating payments or conducting surveys.
o Researchers and academics. We also provide information and content to research partners and academics to conduct research that advances scholarship and innovation that supports our business or mission and enhances discovery and innovation on topics of general social welfare, technological advancement, public interest, health and well-being.
o Law enforcement or legal requests. We share information with law enforcement or in response to legal requests in the circumstances outlined in our Data Policy.
5. Where does Facebook transfer, store and process my personal data, and what safeguards does Facebook have in place with respect to this information?
We share information globally, and your information will be transferred or transmitted to, or stored and processed, in countries outside of where you live for purposes outlined in our Data Policy.
We have in place multiple safeguards to lawfully transfer personal data around the world. These data transfers are necessary to provide the services set forth in our Terms and Policies, and to globally operate and provide our Products to you. We utilize standard contract clauses and we rely on the European Commission's adequacy decisions about certain countries, as applicable.
Specific information regarding the exact countries in which our servers are located and the technical and organisational measures we undertake to protect your data are outside the scope of a subject access request.
6. Data retention, account deactivation and deletion
We store data until it is no longer necessary to provide our services and Facebook Products, or until your account is deleted - whichever comes first. This is a case-by-case determination that depends on things like the nature of the data, why it is collected and processed, and relevant legal or operational retention needs. For example, when you search for something on Facebook, you can access and delete that query from within your search history at any time, but the log of that search is deleted after 6 months. If you submit a copy of your government-issued ID for account verification purposes, we delete that copy 30 days after submission.
When you delete your account, we delete things you have posted, such as your photos and status updates, and you won't be able to recover that information later. Information that others have shared about you isn't part of your account and won't be deleted. If you don't want to delete your account but want to temporarily stop using the Products, you can deactivate your account instead.
7. Does Facebook make decisions about me solely on the basis of automated processing pursuant to Article 22 GDPR, and if so, what is the logic involved and significance associated with the processing?
We have not identified any processing in respect of your personal data which falls within the scope of Article 22(1) of the GDPR.
8. What security measures does Facebook have in place? Has my personal data ever been subject to an unauthorised or inadvertent disclosure by Facebook?
We use the information we have to verify accounts and activity, combat harmful conduct, detect and prevent spam and other bad experiences, maintain the integrity of our Products, and promote safety and security on and off of Facebook Products. Specific measures we have undertaken to protect the integrity of our systems are outside the scope of a subject access request. Facebook complies with applicable data breach notification laws and will tell you if a notifiable breach takes place.
9. What are your rights provided under GDPR?
Under GDPR, you have the right to rectify and delete your personal data. You also have the right to object to, and restrict certain processing of, your personal data. This includes:
• the right to object to our processing of your data for direct marketing, which you can exercise by using the "unsubscribe" link in such marketing communications, and
• the right to object to our processing of your data where we are performing a task in the public interest or pursuing our legitimate interests or those of a third party.
You also have a right to lodge a complaint with the Office of the Irish Data Protection Commission, which is Facebook’s lead supervisory authority (please see http://www.dataprotection.ie) or your local supervisory authority.
We hope the above is helpful. If you have any further questions or specific concerns please feel free to reach out to us.
Sam
Privacy Operations
Facebook