belindacarson Posted September 12, 2019 Share Posted September 12, 2019 Has anyone made a GDPR request yet to LL? just curious as an EU user. Link to comment Share on other sites More sharing options...
Saskia Rieko Posted September 13, 2019 Share Posted September 13, 2019 12 hours ago, belindacarson said: Has anyone made a GDPR request yet to LL? just curious as an EU user. I know as EU user what GDPR is but what kind of request is this? Asking them to show you what kind of data they collect about you? Asking to permanently delete your data? 1 Link to comment Share on other sites More sharing options...
belindacarson Posted September 13, 2019 Author Share Posted September 13, 2019 (edited) to see what data they have etc, I'm more curious. Explanation: GDPR is an EU wide law, called General Data Protection Regulation, itt's about user data etc Edited September 13, 2019 by belindacarson added a note as to what the GDPR is. 1 Link to comment Share on other sites More sharing options...
Mollymews Posted September 13, 2019 Share Posted September 13, 2019 belinda, might be an idea to have a go and find out. Then you can tell us how the process went, what worked well and what never if anything Link to comment Share on other sites More sharing options...
belindacarson Posted September 13, 2019 Author Share Posted September 13, 2019 It had occurred to me Molly, that's why I was asking here first if anyone had already done this........................................................................... 1 Link to comment Share on other sites More sharing options...
Rhonda Huntress Posted September 13, 2019 Share Posted September 13, 2019 (edited) I doubt there is any data on me, the person typing this. I assume this is common though less so now because of Tilia. [ETA] How much do they charge you for each request? Edited September 13, 2019 by Rhonda Huntress Link to comment Share on other sites More sharing options...
Kyrah Abattoir Posted September 13, 2019 Share Posted September 13, 2019 9 hours ago, belindacarson said: to see what data they have etc, I'm more curious. What you gave them really. Link to comment Share on other sites More sharing options...
LittleMe Jewell Posted September 13, 2019 Share Posted September 13, 2019 4 hours ago, Rhonda Huntress said: I doubt there is any data on me, the person typing this. I assume this is common though less so now because of Tilia. [ETA] How much do they charge you for each request? I don't think they can charge. The Knowledgebase simply says to submit a Support ticket. Nothing on that page or the referenced Privacy info mentions any fees. https://community.secondlife.com/knowledgebase/english/general-data-protection-regulation-gdpr-r1474/ https://www.lindenlab.com/privacy#privacy5 3 Link to comment Share on other sites More sharing options...
Bradford Mint Posted September 14, 2019 Share Posted September 14, 2019 GDPR places no specific requirement on the data subject as to how the request is made. LL may *ask* you to fill in a support ticket but it's equally valid to make a verbal request (for example) to any employee at any level. Nor does any specific phase need to be used. It is a requirement that employees are suitably trained to recognise requests for a subjects data and act accordingly. Frankly, in my view, this is the most ridiculously unworkable methodology created but that's how it is. However, if you have a particular loathing for an organisation, it's definitely a route rich in entertainment. GDPR has certainly enabled some benefits. Banks try to charge for old statement reissue. No problem, ask for all your data. Bingo, old statement data. Fancy some free USB sticks? No problem, just make some requests to include CCTV footage. I highly recommend doing this at airports you may visit, I like to think of it as job creation for CCTV footage review operators as well as keep their identification skills fresh. What can I say but "Thanks Heathrow airport!" Link to comment Share on other sites More sharing options...
Mollymews Posted September 14, 2019 Share Posted September 14, 2019 2 hours ago, Bradford Mint said: GDPR places no specific requirement on the data subject as to how the request is made. LL may *ask* you to fill in a support ticket but it's equally valid to make a verbal request (for example) to any employee at any level. Nor does any specific phase need to be used. It is a requirement that employees are suitably trained to recognise requests for a subjects data and act accordingly. Frankly, in my view, this is the most ridiculously unworkable methodology created but that's how it is. a person works as a waiter in a hotel restaurant. A diner asks the waiter to disclose to them any information the hotel may have on them (the diner) the waiter replies: Talk to reception please diner goes to reception and asks the receptionist. The receptionist replies: The only information I have access to, is your name and your room number. I have no authority to view any further information about you. Please fill in the request form and I will forward it to my supervisor this is the methodology all companies use. They use this because of the privacy considerations for the diner. Staff only get access to the diner's information which is strictly relevant for the staff to do their job and no more 2 Link to comment Share on other sites More sharing options...
Bradford Mint Posted September 14, 2019 Share Posted September 14, 2019 You misunderstand the GDPR wording and don't seem to have made any requests? It doesn't state that the first person you ask has to be the person who responds, only that the data subject may position the request to anyone. It is not acceptable under GDPR to only respond by instructing the data subject to a specific entity, not to use a particular form, regardless of how the organisation processes the request internally. In your example, the waiter would need to inform an appropriate person internally who may follow up. It's quite simple, the articles defining GDPR are easy enough to read. Link to comment Share on other sites More sharing options...
Lindal Kidd Posted September 14, 2019 Share Posted September 14, 2019 5 hours ago, Bradford Mint said: ...GDPR has certainly enabled some benefits. Banks try to charge for old statement reissue. No problem, ask for all your data. Bingo, old statement data. Fancy some free USB sticks? No problem, just make some requests to include CCTV footage. I highly recommend doing this at airports you may visit, I like to think of it as job creation for CCTV footage review operators as well as keep their identification skills fresh. What can I say but "Thanks Heathrow airport!" Really!? This could be interesting...would this mean that if I asked LL for "all data" on me, they'd have to include their chat and IM logs? Of course, I'm not in the EU, so GDPR doesn't apply to me. But I mean, if I was? Link to comment Share on other sites More sharing options...
belindacarson Posted September 14, 2019 Author Share Posted September 14, 2019 This is why I was asking if anyone had already made such a request................. Link to comment Share on other sites More sharing options...
Bradford Mint Posted September 14, 2019 Share Posted September 14, 2019 46 minutes ago, Lindal Kidd said: Really!? This could be interesting...would this mean that if I asked LL for "all data" on me, they'd have to include their chat and IM logs? Of course, I'm not in the EU, so GDPR doesn't apply to me. But I mean, if I was? GDPR only applies to natural persons, I wouldn't expect an avatar chat log to be considered as data, however, some people want to believe it's aggregate data that can be related to a natural person but this is only the case IF you're LL with access to the databases. Probably one for a legal challenge to interpret accordingly. I'm not going to ask LL though, I don't harbour hateful tendencies in their direction. Those are where my requests go and usually in a deliberately obtuse way to cause the maximum disruptive effort. Example, a UK parking company that basically operates a racket, complete scum. In the UK, a person can expect to be captured on at least 30 CCTV systems PER DAY. That's not cameras, that's systems. If only everyone would submit data requests for CCTV from car parks infected by such companies, they'd go out of business dealing with the requests instead of having capacity to issue tickets in the way that do. One claimed, "we only have number plate ANPR, it's not CCTV". Then in the results of the request produced a bunch of full colour pictures of various cars that I own, including a data breach by including other subjects than me, yielding knowledge of that person's whereabouts at the time. If nothing else, by removing the previous £10 cost of accessing data, it allows for some entertainment. Link to comment Share on other sites More sharing options...
Mollymews Posted September 14, 2019 Share Posted September 14, 2019 40 minutes ago, Bradford Mint said: You misunderstand the GDPR wording and don't seem to have made any requests? It doesn't state that the first person you ask has to be the person who responds, only that the data subject may position the request to anyone article 15 Clause 1 of the GDPR begins: "The data subject shall have the right to obtain from the controller ...". Clause 3 begins: "The controller shall provide a copy of the personal data... you are the data subject, the controller is the company. The GDPR does not dictate to the controller which of its employees are required to deal with GDPR requests. The company designates which of its employees perform what duties along with taking your dinner order, the waiter is not required by the regulation to take your GDPR order and pass it on to their employer. What the waiter will do is direct you to reception, in accordance with their employer's customer relations policy. Which is all the employee is required to do a FYI. In the absence of a legal requirement then there is no legal requirement. We can't take the absence of something and interpret it to be the opposite, not legally anyway Link to comment Share on other sites More sharing options...
Bradford Mint Posted September 14, 2019 Share Posted September 14, 2019 Top tip: read the rest of the articles before arriving at the wrong conclusion. Link to comment Share on other sites More sharing options...
Mollymews Posted September 14, 2019 Share Posted September 14, 2019 (edited) 8 minutes ago, Bradford Mint said: Top tip: read the rest of the articles before arriving at the wrong conclusion. the regulation is here: https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1568475755000&uri=CELEX:32016R0679 ps. please quote the part of the regulation that supports your contention Edited September 14, 2019 by Mollymews Link to comment Share on other sites More sharing options...
Bradford Mint Posted September 14, 2019 Share Posted September 14, 2019 1 minute ago, Mollymews said: the regulation is here: https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1568475755000&uri=CELEX:32016R0679 I know Link to comment Share on other sites More sharing options...
Mollymews Posted September 14, 2019 Share Posted September 14, 2019 (edited) 3 minutes ago, Bradford Mint said: I know i know you know what I want to know is where in the regulation does it say that your waiter (being any employee as you contend) is required to take your GDPR order Edited September 14, 2019 by Mollymews typo Link to comment Share on other sites More sharing options...
Bradford Mint Posted September 14, 2019 Share Posted September 14, 2019 It doesn't, that's the fun part! Here's the take on this from the UK Information Commissioner's Office, the dept responsible for enforcing GDPR, as enacted by "Data Protection Act 2018". I hope that we can agree that their opinion trumps yours? It's made quite clear:- https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/ "How do we recognise a request? The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point. A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data. This presents a challenge as any of your employees could receive a valid request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly." Link to comment Share on other sites More sharing options...
Mollymews Posted September 14, 2019 Share Posted September 14, 2019 2 minutes ago, Bradford Mint said: This presents a challenge as any of your employees could receive a valid request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly." the waiter will handle it accordingly by referring you the diner to reception. The receptionist will handle it accordingly by referring you to their supervisor Link to comment Share on other sites More sharing options...
Lindal Kidd Posted September 14, 2019 Share Posted September 14, 2019 Heh...now I see why you guys are Brexiting. 3 Link to comment Share on other sites More sharing options...
Bradford Mint Posted September 14, 2019 Share Posted September 14, 2019 4 minutes ago, Mollymews said: the waiter will handle it accordingly by referring you the diner to reception. The receptionist will handle it accordingly by referring you to their supervisor Nope, not how it works. I did ask if you've gone through this process or not? I have, numerous times. More fun to be had when the organisation points you to their form to fill in, the form itself must state on it that there's no requirement to use the form. Been there done that, got a wardrobe of t shirts. Link to comment Share on other sites More sharing options...
Mollymews Posted September 14, 2019 Share Posted September 14, 2019 5 minutes ago, Bradford Mint said: Nope, not how it works. I did ask if you've gone through this process or not? I have, numerous times. More fun to be had when the organisation points you to their form to fill in, the form itself must state on it that there's no requirement to use the form. Been there done that, got a wardrobe of t shirts. companies have customer relations policies that their employees follow as they have to or they will lose their job. So most waiters and receptionists put in these situations just smile and tell you what they can. If you the customer makes a fuss then they call the maitre-d, or the manager, and let them deal with it no waiter has ever given you what you wanted. Their boss might have though, their boss being a person designated by the company (controller) to action your request 1 Link to comment Share on other sites More sharing options...
Wulfie Reanimator Posted September 14, 2019 Share Posted September 14, 2019 (edited) 1 hour ago, Bradford Mint said: "This presents a challenge as any of your employees could receive a valid request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly." The challenge here is that all of your employees must be made aware of GDPR so that they can recognize when a request is being made. "Handling it accordingly" can mean "bringing the request up the chain so someone can actually fulfill the request." If they fail to recognize the GDPR request, they'll ignore it without telling anybody, which is an illegal outcome. It does not imply that all of your employees must be able to access that personal data. That's just a security breach begging to happen. Edited September 14, 2019 by Wulfie Reanimator 1 Link to comment Share on other sites More sharing options...
Recommended Posts
Please take a moment to consider if this thread is worth bumping.
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now