Jump to content

GDPR requests

belindacarson

By belindacarson,
in General Discussion Forum

 Share
You are about to reply to a thread that has been inactive for 1645 days.

Please take a moment to consider if this thread is worth bumping.

Recommended Posts

Saskia Rieko

Saskia Rieko

Posted
Posted
12 hours ago, belindacarson said:

Has anyone made a GDPR request yet to LL?

 

just curious as an EU user.

I know as EU user what GDPR is but what kind of request is this? Asking them to show you what kind of data they collect about you? Asking to permanently delete your data?

  • Like 1
Link to comment
Share on other sites
LittleMe Jewell

LittleMe Jewell

Posted
Posted
4 hours ago, Rhonda Huntress said:

I doubt there is any data on me, the person typing this.  I assume this is common though less so now because of Tilia.

[ETA]
How much do they charge you for each request?

 

 

I don't think they can charge. 

The Knowledgebase simply says to submit a Support ticket.  Nothing on that page or the referenced Privacy info mentions any fees.

https://community.secondlife.com/knowledgebase/english/general-data-protection-regulation-gdpr-r1474/

https://www.lindenlab.com/privacy#privacy5

  • Thanks 3
Link to comment
Share on other sites
Bradford Mint

Bradford Mint

Posted
Posted

GDPR places no specific requirement on the data subject as to how the request is made.

LL may *ask* you to fill in a support ticket but it's equally valid to make a verbal request (for example) to any employee at any level. Nor does any specific phase need to be used. It is a requirement that employees are suitably trained to recognise requests for a subjects data and act accordingly.

Frankly, in my view, this is the most ridiculously unworkable methodology created but that's how it is.

However, if you have a particular loathing for an organisation, it's definitely a route rich in entertainment.

GDPR has certainly enabled some benefits. Banks try to charge for old statement reissue. No problem, ask for all your data. Bingo, old statement data.

Fancy some free USB sticks? No problem, just make some requests to include CCTV footage. I highly recommend doing this at airports you may visit, I like to think of it as job creation for CCTV footage review operators as well as keep their identification skills fresh.

What can I say but "Thanks Heathrow airport!"

Link to comment
Share on other sites
Mollymews

Mollymews

Posted
Posted
2 hours ago, Bradford Mint said:

GDPR places no specific requirement on the data subject as to how the request is made.

LL may *ask* you to fill in a support ticket but it's equally valid to make a verbal request (for example) to any employee at any level. Nor does any specific phase need to be used. It is a requirement that employees are suitably trained to recognise requests for a subjects data and act accordingly.

Frankly, in my view, this is the most ridiculously unworkable methodology created but that's how it is.

a person works as a waiter in a hotel restaurant.  A diner asks the waiter to disclose to them any information the hotel may have on them (the diner)

the waiter replies: Talk to reception please

diner goes to reception and asks the receptionist.  The receptionist replies: The only information I have access to, is your name and your room number. I have no authority to view any further information about you.  Please fill in the request form and I will forward it to my supervisor

this is the methodology all companies use.  They use this because of the privacy considerations for the diner. Staff only get access to the diner's information which is strictly relevant for the staff to do their job and no more

  • Like 2
Link to comment
Share on other sites
Bradford Mint

Bradford Mint

Posted
Posted

You misunderstand the GDPR wording and don't seem to have made any requests?

It doesn't state that the first person you ask has to be the person who responds, only that the data subject may position the request to anyone. It is not acceptable under GDPR to only respond by instructing the data subject to a specific entity, not to use a particular form, regardless of how the organisation processes the request internally.

In your example, the waiter would need to inform an appropriate person internally who may follow up.

It's quite simple, the articles defining GDPR are easy enough to read.

Link to comment
Share on other sites
Lindal Kidd

Lindal Kidd

Posted
Posted
5 hours ago, Bradford Mint said:

...GDPR has certainly enabled some benefits. Banks try to charge for old statement reissue. No problem, ask for all your data. Bingo, old statement data.

Fancy some free USB sticks? No problem, just make some requests to include CCTV footage. I highly recommend doing this at airports you may visit, I like to think of it as job creation for CCTV footage review operators as well as keep their identification skills fresh.

What can I say but "Thanks Heathrow airport!"

Really!?  This could be interesting...would this mean that if I asked LL for "all data" on me, they'd have to include their chat and IM logs? 

Of course, I'm not in the EU, so GDPR doesn't apply to me.  But I mean, if I was?

Link to comment
Share on other sites
Bradford Mint

Bradford Mint

Posted
Posted
46 minutes ago, Lindal Kidd said:

Really!?  This could be interesting...would this mean that if I asked LL for "all data" on me, they'd have to include their chat and IM logs? 

Of course, I'm not in the EU, so GDPR doesn't apply to me.  But I mean, if I was?

GDPR only applies to natural persons, I wouldn't expect an avatar chat log to be considered as data, however, some people want to believe it's aggregate data that can be related to a natural person but this is only the case IF you're LL with access to the databases.

Probably one for a legal challenge to interpret accordingly.

I'm not going to ask LL though, I don't harbour hateful tendencies in their direction. Those are where my requests go and usually in a deliberately obtuse way to cause the maximum disruptive effort. Example, a UK parking company that basically operates a racket, complete scum.

In the UK, a person can expect to be captured on at least 30 CCTV systems PER DAY. That's not cameras, that's systems.

If only everyone would submit data requests for CCTV from car parks infected by such companies, they'd go out of business dealing with the requests instead of having capacity to issue tickets in the way that do.

One claimed, "we only have number plate ANPR, it's not CCTV". Then in the results of the request produced a bunch of full colour pictures of various cars that I own, including a data breach by including other subjects than me, yielding knowledge of that person's whereabouts at the time.

If nothing else, by removing the previous £10 cost of accessing data, it allows for some entertainment.

 

Link to comment
Share on other sites
Mollymews

Mollymews

Posted
Posted
40 minutes ago, Bradford Mint said:

You misunderstand the GDPR wording and don't seem to have made any requests?

It doesn't state that the first person you ask has to be the person who responds, only that the data subject may position the request to anyone

 

 

article 15 Clause 1 of the GDPR begins: "The data subject shall have the right to obtain from the controller ...".  Clause 3 begins: "The controller shall provide a copy of the personal data...

you are the data subject, the controller is the company. The GDPR does not dictate to the controller which of its employees are required to deal with GDPR requests. The company designates which of its employees perform what duties

along with taking your dinner order, the waiter is not required by the regulation to take your GDPR order and pass it on to their employer. What the waiter will do is direct you to reception, in accordance with their employer's customer relations policy. Which is all the employee is required to do

a FYI. In the absence of a legal requirement then there is no legal requirement. We can't take the absence of something and interpret it to be the opposite, not legally anyway

Link to comment
Share on other sites
Mollymews

Mollymews

Posted
Posted (edited)
8 minutes ago, Bradford Mint said:

Top tip: read the rest of the articles before arriving at the wrong conclusion.

the regulation is here:  https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1568475755000&uri=CELEX:32016R0679

 

ps. please quote the part of the regulation that supports your contention

Edited by Mollymews
Link to comment
Share on other sites
Bradford Mint

Bradford Mint

Posted
Posted

It doesn't, that's the fun part!

Here's the take on this from the UK Information Commissioner's Office, the dept responsible for enforcing GDPR, as enacted by "Data Protection Act 2018". I hope that we can agree that their opinion trumps yours?

It's made quite clear:-

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

"How do we recognise a request?

The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point.

A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.

This presents a challenge as any of your employees could receive a valid request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly."

Link to comment
Share on other sites
Mollymews

Mollymews

Posted
Posted
2 minutes ago, Bradford Mint said:

This presents a challenge as any of your employees could receive a valid request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly."

the waiter will handle it accordingly by referring you the diner to reception. The receptionist will handle it accordingly by referring you to their supervisor

Link to comment
Share on other sites
Bradford Mint

Bradford Mint

Posted
Posted
4 minutes ago, Mollymews said:

the waiter will handle it accordingly by referring you the diner to reception. The receptionist will handle it accordingly by referring you to their supervisor

Nope, not how it works. I did ask if you've gone through this process or not?

I have, numerous times.

More fun to be had when the organisation points you to their form to fill in, the form itself must state on it that there's no requirement to use the form.

Been there done that, got a wardrobe of t shirts.

 

Link to comment
Share on other sites
Mollymews

Mollymews

Posted
Posted
5 minutes ago, Bradford Mint said:

Nope, not how it works. I did ask if you've gone through this process or not?

I have, numerous times.

More fun to be had when the organisation points you to their form to fill in, the form itself must state on it that there's no requirement to use the form.

Been there done that, got a wardrobe of t shirts.

 

companies have customer relations policies that their employees follow as they have to or they will lose their job. So most waiters and receptionists put in these situations just smile and tell you what they can. If you the customer makes a fuss then they call the maitre-d, or the manager, and  let them deal with it

no waiter has ever given you what you wanted. Their boss might have though, their boss being a person designated by the company (controller) to action your request

  • Like 1
Link to comment
Share on other sites
Wulfie Reanimator

Wulfie Reanimator

Posted
Posted (edited)
1 hour ago, Bradford Mint said:

"This presents a challenge as any of your employees could receive a valid request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly."

The challenge here is that all of your employees must be made aware of GDPR so that they can recognize when a request is being made. "Handling it accordingly" can mean "bringing the request up the chain so someone can actually fulfill the request." If they fail to recognize the GDPR request, they'll ignore it without telling anybody, which is an illegal outcome.

It does not imply that all of your employees must be able to access that personal data. That's just a security breach begging to happen.

Edited by Wulfie Reanimator
  • Like 1
Link to comment
Share on other sites
You are about to reply to a thread that has been inactive for 1645 days.

Please take a moment to consider if this thread is worth bumping.

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share
Go to topic listing
×
×
  • Create New...