@aendra-rininsland
Created January 3, 2020 16:46
GDPR Subject Access Request -- Template
Hi there! Please forward this to your GDPR compliance department. Thank you!
--
To whom it may concern — I'm interested in what sorts of data your company collects about me.
To wit, I would like to file a Subject Access Request (SAR) under the EU General Data Protection Regulation (GDPR) for all personal information relating to myself using the following personal identifiers:
[ list which PII you feel or can prove is held by the entity in question ]
These all qualify as personally-identifiable information (PII) as per GDPR articles 2, 4, 9 and 10. If you hold data using any of these, you are bound by GDPR article 12 ("Right to Access") and are legally required to respond within the statutory 30-day period with all related information held. Note that this period begins upon receipt of this message.
I would prefer this data be provided in a digital machine-readable format, preferably as a .CSV file; however, if doing so will result in a delay greater than 24 hours, please release the data in whichever format is most convenient for you.
Many thanks! Have a lovely day!
[ your name, signature ]
@j-mes

j-mes commented Jan 3, 2020

This is ace. Recruiters, I'm coming for you!

@aendra-rininsland
Author

Points to note:

  • Put "GDPR Subject Access Request" as the email subject line.
  • Expand all abbreviations, but also include the abbreviation; it's possible your message will be received by somebody who is in no way familiar with GDPR compliance. Assume your letter will be received by the lowest-level support worker.
  • Listing the PII you know the entity already holds is important; it shows you know they are subject to GDPR and can appeal with the ICO if they don't respond appropriately. Be very specific about the data you believe they hold!
  • Note that the statutory period for responses is 1 month or 30 days, and that the clock begins ticking upon receipt of your message (not, as they may later claim, upon the date when they respond acknowledging the receipt).
  • Requesting the data in a particular format can be helpful so you don't get a truckload of PDF files, but it can also be used as a reason by the entity to delay responding, or not to respond at all if they feel it would be too expensive to fulfil the request. Adding a caveat that you'll accept data in another format if changing it to the preferred format will cause delay helps get around this.
  • Be polite and personable, even if you believe the entity in question is up to nefarious ends — you might end up connecting with someone there who'll give you more information than you'd normally receive in response.

@j-mes

j-mes commented Jan 3, 2020

This is a goldmine, I can't wait to have an inbox that's not full of recruiters' emails trying to recruit me :)
