Jump to content

Recommended Posts

12 hours ago, belindacarson said:

Has anyone made a GDPR request yet to LL?

 

just curious as an EU user.

I know as EU user what GDPR is but what kind of request is this? Asking them to show you what kind of data they collect about you? Asking to permanently delete your data?

  • Like 1

Share this post


Link to post
Share on other sites

to see what data they have etc, I'm more curious.

 

Explanation: GDPR is an EU wide law, called General Data Protection Regulation, itt's about user data etc

Edited by belindacarson
added a note as to what the GDPR is.
  • Thanks 1

Share this post


Link to post
Share on other sites

belinda, might be an idea to have a go and find out. Then you can tell us how the process went, what worked well and what never if anything

Share this post


Link to post
Share on other sites

It had occurred to me Molly, that's why I was asking here first if anyone had already done this...........................................................................

  • Like 1

Share this post


Link to post
Share on other sites

I doubt there is any data on me, the person typing this.  I assume this is common though less so now because of Tilia.

[ETA]
How much do they charge you for each request?

 

 

Edited by Rhonda Huntress

Share this post


Link to post
Share on other sites
4 hours ago, Rhonda Huntress said:

I doubt there is any data on me, the person typing this.  I assume this is common though less so now because of Tilia.

[ETA]
How much do they charge you for each request?

 

 

I don't think they can charge. 

The Knowledgebase simply says to submit a Support ticket.  Nothing on that page or the referenced Privacy info mentions any fees.

https://community.secondlife.com/knowledgebase/english/general-data-protection-regulation-gdpr-r1474/

https://www.lindenlab.com/privacy#privacy5

  • Thanks 3

Share this post


Link to post
Share on other sites

GDPR places no specific requirement on the data subject as to how the request is made.

LL may *ask* you to fill in a support ticket but it's equally valid to make a verbal request (for example) to any employee at any level. Nor does any specific phase need to be used. It is a requirement that employees are suitably trained to recognise requests for a subjects data and act accordingly.

Frankly, in my view, this is the most ridiculously unworkable methodology created but that's how it is.

However, if you have a particular loathing for an organisation, it's definitely a route rich in entertainment.

GDPR has certainly enabled some benefits. Banks try to charge for old statement reissue. No problem, ask for all your data. Bingo, old statement data.

Fancy some free USB sticks? No problem, just make some requests to include CCTV footage. I highly recommend doing this at airports you may visit, I like to think of it as job creation for CCTV footage review operators as well as keep their identification skills fresh.

What can I say but "Thanks Heathrow airport!"

Share this post


Link to post
Share on other sites
2 hours ago, Bradford Mint said:

GDPR places no specific requirement on the data subject as to how the request is made.

LL may *ask* you to fill in a support ticket but it's equally valid to make a verbal request (for example) to any employee at any level. Nor does any specific phase need to be used. It is a requirement that employees are suitably trained to recognise requests for a subjects data and act accordingly.

Frankly, in my view, this is the most ridiculously unworkable methodology created but that's how it is.

a person works as a waiter in a hotel restaurant.  A diner asks the waiter to disclose to them any information the hotel may have on them (the diner)

the waiter replies: Talk to reception please

diner goes to reception and asks the receptionist.  The receptionist replies: The only information I have access to, is your name and your room number. I have no authority to view any further information about you.  Please fill in the request form and I will forward it to my supervisor

this is the methodology all companies use.  They use this because of the privacy considerations for the diner. Staff only get access to the diner's information which is strictly relevant for the staff to do their job and no more

  • Like 1

Share this post


Link to post
Share on other sites

You misunderstand the GDPR wording and don't seem to have made any requests?

It doesn't state that the first person you ask has to be the person who responds, only that the data subject may position the request to anyone. It is not acceptable under GDPR to only respond by instructing the data subject to a specific entity, not to use a particular form, regardless of how the organisation processes the request internally.

In your example, the waiter would need to inform an appropriate person internally who may follow up.

It's quite simple, the articles defining GDPR are easy enough to read.

Share this post


Link to post
Share on other sites
5 hours ago, Bradford Mint said:

...GDPR has certainly enabled some benefits. Banks try to charge for old statement reissue. No problem, ask for all your data. Bingo, old statement data.

Fancy some free USB sticks? No problem, just make some requests to include CCTV footage. I highly recommend doing this at airports you may visit, I like to think of it as job creation for CCTV footage review operators as well as keep their identification skills fresh.

What can I say but "Thanks Heathrow airport!"

Really!?  This could be interesting...would this mean that if I asked LL for "all data" on me, they'd have to include their chat and IM logs? 

Of course, I'm not in the EU, so GDPR doesn't apply to me.  But I mean, if I was?

Share this post


Link to post
Share on other sites
46 minutes ago, Lindal Kidd said:

Really!?  This could be interesting...would this mean that if I asked LL for "all data" on me, they'd have to include their chat and IM logs? 

Of course, I'm not in the EU, so GDPR doesn't apply to me.  But I mean, if I was?

GDPR only applies to natural persons, I wouldn't expect an avatar chat log to be considered as data, however, some people want to believe it's aggregate data that can be related to a natural person but this is only the case IF you're LL with access to the databases.

Probably one for a legal challenge to interpret accordingly.

I'm not going to ask LL though, I don't harbour hateful tendencies in their direction. Those are where my requests go and usually in a deliberately obtuse way to cause the maximum disruptive effort. Example, a UK parking company that basically operates a racket, complete scum.

In the UK, a person can expect to be captured on at least 30 CCTV systems PER DAY. That's not cameras, that's systems.

If only everyone would submit data requests for CCTV from car parks infected by such companies, they'd go out of business dealing with the requests instead of having capacity to issue tickets in the way that do.

One claimed, "we only have number plate ANPR, it's not CCTV". Then in the results of the request produced a bunch of full colour pictures of various cars that I own, including a data breach by including other subjects than me, yielding knowledge of that person's whereabouts at the time.

If nothing else, by removing the previous £10 cost of accessing data, it allows for some entertainment.

 

Share this post


Link to post
Share on other sites
40 minutes ago, Bradford Mint said:

You misunderstand the GDPR wording and don't seem to have made any requests?

It doesn't state that the first person you ask has to be the person who responds, only that the data subject may position the request to anyone

 

 

article 15 Clause 1 of the GDPR begins: "The data subject shall have the right to obtain from the controller ...".  Clause 3 begins: "The controller shall provide a copy of the personal data...

you are the data subject, the controller is the company. The GDPR does not dictate to the controller which of its employees are required to deal with GDPR requests. The company designates which of its employees perform what duties

along with taking your dinner order, the waiter is not required by the regulation to take your GDPR order and pass it on to their employer. What the waiter will do is direct you to reception, in accordance with their employer's customer relations policy. Which is all the employee is required to do

a FYI. In the absence of a legal requirement then there is no legal requirement. We can't take the absence of something and interpret it to be the opposite, not legally anyway

Share this post


Link to post
Share on other sites
3 minutes ago, Bradford Mint said:

I know :)

i know you know

what I want to know is where in the regulation does it say that your waiter (being any employee as you contend) is required to take your GDPR order

Edited by Mollymews
typo

Share this post


Link to post
Share on other sites

It doesn't, that's the fun part!

Here's the take on this from the UK Information Commissioner's Office, the dept responsible for enforcing GDPR, as enacted by "Data Protection Act 2018". I hope that we can agree that their opinion trumps yours?

It's made quite clear:-

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

"How do we recognise a request?

The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point.

A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.

This presents a challenge as any of your employees could receive a valid request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly."

Share this post


Link to post
Share on other sites
2 minutes ago, Bradford Mint said:

This presents a challenge as any of your employees could receive a valid request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly."

the waiter will handle it accordingly by referring you the diner to reception. The receptionist will handle it accordingly by referring you to their supervisor

Share this post


Link to post
Share on other sites
4 minutes ago, Mollymews said:

the waiter will handle it accordingly by referring you the diner to reception. The receptionist will handle it accordingly by referring you to their supervisor

Nope, not how it works. I did ask if you've gone through this process or not?

I have, numerous times.

More fun to be had when the organisation points you to their form to fill in, the form itself must state on it that there's no requirement to use the form.

Been there done that, got a wardrobe of t shirts.

 

Share this post


Link to post
Share on other sites
5 minutes ago, Bradford Mint said:

Nope, not how it works. I did ask if you've gone through this process or not?

I have, numerous times.

More fun to be had when the organisation points you to their form to fill in, the form itself must state on it that there's no requirement to use the form.

Been there done that, got a wardrobe of t shirts.

 

companies have customer relations policies that their employees follow as they have to or they will lose their job. So most waiters and receptionists put in these situations just smile and tell you what they can. If you the customer makes a fuss then they call the maitre-d, or the manager, and  let them deal with it

no waiter has ever given you what you wanted. Their boss might have though, their boss being a person designated by the company (controller) to action your request

  • Like 1

Share this post


Link to post
Share on other sites
1 hour ago, Bradford Mint said:

"This presents a challenge as any of your employees could receive a valid request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly."

The challenge here is that all of your employees must be made aware of GDPR so that they can recognize when a request is being made. "Handling it accordingly" can mean "bringing the request up the chain so someone can actually fulfill the request." If they fail to recognize the GDPR request, they'll ignore it without telling anybody, which is an illegal outcome.

It does not imply that all of your employees must be able to access that personal data. That's just a security breach begging to happen.

Edited by Wulfie Reanimator
  • Like 1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...