GDPR requests


belindacarson

I did find this about fees.

3. Dealing with excessive requests

You cannot ordinarily charge a fee for complying with a DSAR – the £10 fee under the DPA 1998 has been scrapped. However, if a DSAR is “manifestly unfounded or excessive” you are able to:

  1. charge a “reasonable” fee to comply with the DSAR; or
  2. refuse to deal with the request at all (GDPR Article 12(5)).

 

So who gets to say the request is unfounded?  And just how much is reasonable?

  • Like 1
Link to comment
Share on other sites

1 hour ago, Kyrah Abattoir said:

You know it almost seems like some of the people in this topic want to use the GDPR just as a way to be annoying and a waste of time for businesses...

No I don't think there's any need to be obtuse and say "some people", you can direct it straight to me, that's no problem and yes, when some companies play fast and loose with rules, they earn the response.

Edited by Bradford Mint
  • Haha 1
Link to comment
Share on other sites

1 hour ago, Rhonda Huntress said:

I did find this about fees.

3. Dealing with excessive requests

You cannot ordinarily charge a fee for complying with a DSAR – the £10 fee under the DPA 1998 has been scrapped. However, if a DSAR is “manifestly unfounded or excessive” you are able to:

  1. charge a “reasonable” fee to comply with the DSAR; or
  2. refuse to deal with the request at all (GDPR Article 12(5)).

 

So who gets to say the request is unfounded?  And just how much is reasonable?

Yup and if you ask a car park operator who captures your car in the street and you have that data removed but then they keep capturing it because you drive down that street regularly, why should a data subject who has no contact with them, only be permitted to check ONCE and thereafter have to pay?

Link to comment
Share on other sites

1 hour ago, Wulfie Reanimator said:

The challenge here is that all of your employees must be made aware of GDPR so that they can recognize when a request is being made. "Handling it accordingly" can mean "bringing the request up the chain so someone can actually fulfill the request." If they fail to recognize the GDPR request, they'll ignore it without telling anybody, which is an illegal outcome.

It does not imply that all of your employees must be able to access that personal data. That's just a security breach begging to happen.

Correct and that's why I originally said I think this part is ridiculous. It doesn't help anyone to have such vague processes.

Link to comment
Share on other sites

13 hours ago, Kyrah Abattoir said:

I must have missed an episode there, wasn't this a topic to get some free USB sticks?

No, the topic still says "GDPR requests".  If a request is made to an organisation for such data that could not be sent via post and where they have not thought ahead and provided a publicly accessible portal, their options are limited in how they supply that information, one of them being USB sticks.

In the case of a handful of organisations that have earned my venom, then absolutely, GDPR provides a vehicle to waste their time.  The particular organisations that I refer to are ones with whom they have chosen to destroy any good will and are far from a normal supplier/customer relationship and many orders of magnitude beyond just being an unhappy customer, however, the specifics are irrelevant here.

Given that this was already stated much earlier, I strongly suspect anyone else reading my musings could have come to the conclusion that my question "Fancy some free USB sticks?" would have been somewhat tongue in cheek.

I wholeheartedly apologise for not being blindingly obvious in my prose but rest assured, I shall continue in just the same way. :)

Link to comment
Share on other sites

21 hours ago, belindacarson said:

This is why I was asking if anyone had already made such a request.................

Ok Belinda so you are hereby nominated as the guinea pig!

You could start by making a forum post, or one on Twitter for giggles.  I'm sure they'd not spot it.  If you do choose to submit a support ticket (or just an email), their next course of action will be to request from you, such evidence (and only sufficient) in order to identify you as a natural person.

This is where it gets potentially interesting because if someone has signed up as a basic user, has no payment info on file, or any other documented identity information, it's pretty difficult to bind "bobjonessexyavatar" to a natural person and there the request would end.

Thus the natural person making the request would need to be making a request on the basis that they could actually be identified.

Further, an earlier response from Kyrah was accurate, the information that LL has is going to be what we give them.  The bigger question that Lindal asked though would be interesting to find out, which is how they consider avatar information and whether it's data about the natural person and if so is chat log included?

Finally, out of pure coincidence, as I was typing this, the following arrived in my email:-

GDPR: Your Actual Questions Answered - no presentation, open mic Q&A (It's a session hosted by BrightTalk, just in case the link doesn't post or work)

Edited by Bradford Mint
Link to comment
Share on other sites

1 hour ago, Bradford Mint said:

Further, an earlier response from Kyrah was accurate, the information that LL has is going to be what we give them.  The bigger question that Lindal asked though would be interesting to find out, which is how they consider avatar information and whether it's data about the natural person and if so is chat log included?

Didn't LL state somewhere that your SL account remains their property?

Link to comment
Share on other sites

24 minutes ago, Kyrah Abattoir said:

Didn't LL state somewhere that your SL account remains their property?

Probably, dunno, can't remember but in all honesty, I would be surprised if a SAR resulted in anything other than provided RL info but could also include conversations in both written and verbal form (if the call was recorded) with any employees about avatars, where the RL person was identified at the time.

We'll know after Belinda has a go. :)

Link to comment
Share on other sites

  • 1 month later...
On 9/13/2019 at 12:42 AM, belindacarson said:

Has anyone made a GDPR request yet to LL?

just curious as an EU user.

It took a while, but I did and here we are, again.

I made a very casual support ticket under "Account Issues - GDPR Request":

Quote

I am an EU citizen and I would like to see my data, thank you.

Then I was asked to verify my ownership of the account by giving my security answer and a couple other things.

Then I waited from Sept 19 until Oct 11 before I was given a time-expiring link to a file containing information about me in the JSON file-format.

This file is one line, 22322 characters long, but it's easy to automatically format with a text editor. (I wouldn't recommend an online formatter because you know... personal data.)

  • The first section is about my account.
    • Username (Wulfie)
    • A record of all of my IP/MAC addresses from 2009 to 2019, HDD serial, and access times.
    • Last name (Reanimator)
    • Agent ID (779e1d56-5500-4e22-940a-cd7b5adddbe0)
    • Display Name (Legacy.Name)
    • Email address
  • The second part is about "the customer."
    • Billing address history
      • Date and time
      • First and last name
      • Country, state, city, ZIP/postal code, house number, apartment number, and the address you filled in in the input field.
        • It should be noted that most of this information was just flat-out missing.
        • They got my name, country, city, and input right.
    • Your security questions/answers
      • Date created, date updated, the question and answer themselves
    • Registration date
    • First and last name
    • Date of birth
    • The IP address you registered from
    • Email address history
      • Current, old, and date of last update
    • Country
    • Invoices (Mine is empty, probably $US-related)
    • Payment method history
      • Active?
      • Type
      • Last 4 digits
      • Date added
    • Email (again)

It should be noted that this does not include names of alts. I don't know if this is because I haven't used the same (or any?) name for my other accounts, or because I haven't added/used the same payment info, or if they don't include them as a security-reason, or because they don't keep records of connected accounts. It's probably the last one.

On 9/15/2019 at 3:57 PM, Bradford Mint said:

The bigger question that Lindal asked though would be interesting to find out, which is how they consider avatar information and whether it's data about the natural person and if so is chat log included?

I never would've considered support tickets, abuse report cases, JIRAs, chat logs, etc. to be personal data. They only concern the account, even if the things you say in chat could be used to identify you, but you're gonna have to get an opinion from a court if you wanna argue that.

This means that if you wanted to see/delete ALL of your personal data from LL, you might have to make a separate request from each account.

Edited by Wulfie Reanimator
  • Thanks 8
Link to comment
Share on other sites

8 hours ago, Wulfie Reanimator said:

It should be noted that this does not include names of alts. I don't know if this is because I haven't used the same (or any?) name for my other accounts, or because I haven't added/used the same payment info, or if they don't include them as a security-reason, or because they don't keep records of connected accounts. It's probably the last one.

I never would've considered support tickets, abuse report cases, JIRAs, chat logs, etc. to be personal data. They only concern the account, even if the things you say in chat could be used to identify you, but you're gonna have to get an opinion from a court if you wanna argue that.

 

I work in a financial company that deals with GDPR and data requests every day. GDPR only covers PERSONAL DATA. The definition of personal data is "Data that can be used to identify a living individual."

As far as it relates to Linden Lab, no, you will not get your entire chatlog history, support requests, JIRAs etc, because this is data that does not identify a living individual.  If you made more than one account with the same details (name address, date of birth), you should also get a list of those alts. But it will not include any alts for which you provided no data, or different data. Wulfie, they would not have been able to provide yours because they don't have a complete address for you.

I doubt that they even keep chatlog history beyond a certain amount of time anyway.

 

Edited by Matty Luminos
Link to comment
Share on other sites

35 minutes ago, Matty Luminos said:

I work in a financial company that deals with GDPR and data requests every day. GDPR only covers PERSONAL DATA. The definition of personal data is "Data that can be used to identify a living individual."

As far as it relates to Linden Lab, no, you will not get your entire chatlog history, support requests, JIRAs etc, because this is data that does not identify a living individual.

Not quite:-

https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en

"Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data."

"information that relates to" is important here.  When I requested data from a previous employer which also happened to be a large bank, I was sent all my previous bank statements which under your definition (which isn't the precise one), transactions would not be included.

It's questionable therefore as to whether chat logs for example, could constitute personal data as it could be argued that they are transactional and thus like a financial transaction "£20 paid to shop x" which is only related to me but does not by itself identify me.

Anyway, Wulfie did the legwork and we have a response.

 

Link to comment
Share on other sites

1 hour ago, Wulfie Reanimator said:

There's nothing you said that I disagree with, except this part. You don't know how much data matches with this account and others, because even I don't remember what info I gave.

You said yourself in your results that most of the address info was "flat out missing". If they had it, they would have included it.

Link to comment
Share on other sites

9 hours ago, Matty Luminos said:

You said yourself in your results that most of the address info was "flat out missing". If they had it, they would have included it.

Of course. But my input field had my full address, including my apartment number, but it was not parsed into the dedicated fields.

To quote, my apartment number is "null".

I can add a more specific excerpt from the file later.

Edit: Here's one object in the "Billing Address History" list. "---" is info that was filled in.

{
    "City": "---",
    "House Number": null,
    "ZIP": null,
    "Created": "---",
    "Country": "---",
    "First Name": "---",
    "State": null,
    "Phone": null,
    "Address 1": "---",
    "Address 3": null,
    "Address 2": null,
    "Apartment Number": null,
    "Last Name": "---",
    "Postcode": null
}

I should also reiterate there's multiple, almost-duplicate records of these. Not the same amount as payment method history or invoices. I don't know if this comes from me, my bank, or other companies that LL shares data with. This is what I was told in the same response as my download link:

Quote

Please note that we process information, including personal data, as explained in Section 1 of our Privacy Policy, for the purposes enumerated in Section 3 of our Privacy Policy, including as deemed necessary for the performance of any contract we have with you regarding the provisions of our products and services, and for compliance with our legal obligations. We obtain or collect data from different sources, as detailed on Section 2 of our Privacy Policy. In the event we use other companies that process data on our behalf, we share data with such companies pursuant to Section 4 of our Privacy Policy. You can find more details at https://www.lindenlab.com/privacy.

 

Edited by Wulfie Reanimator
  • Thanks 1
Link to comment
Share on other sites
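An added example, not part of the original posts and not Linden Lab's tooling: a local script that formats the single-line JSON export without an online formatter and produces the kind of shareable view posted above, with every filled-in value replaced by "---" and nulls left visible. The sample input is constructed, and the top-level key name and the function names are assumptions.

```python
import json

# Constructed sample: a one-line export shaped like the object quoted in the
# thread. The top-level key name and every value are made up for illustration.
SAMPLE_EXPORT = ('{"Billing Address History": [{"City": "Exampleville", '
                 '"House Number": null, "ZIP": null, "Created": "2019-01-01 00:00:00", '
                 '"Country": "Exampleland", "First Name": "Test", "State": null, '
                 '"Phone": null, "Address 1": "1 Example Street, Apt 2", '
                 '"Apartment Number": null, "Last Name": "User", "Postcode": null}]}')

PLACEHOLDER = "---"  # same marker the poster used for filled-in values


def redact(node, path="$", nulls=None):
    """Return (redacted copy of node, list of paths whose value is null)."""
    if nulls is None:
        nulls = []
    if isinstance(node, dict):
        out = {k: redact(v, f"{path}.{k}", nulls)[0] for k, v in node.items()}
    elif isinstance(node, list):
        out = [redact(v, f"{path}[{i}]", nulls)[0] for i, v in enumerate(node)]
    elif node is None:
        nulls.append(path)  # the export holds no value for this field
        out = None
    else:
        out = PLACEHOLDER  # strings, numbers and booleans are all hidden
    return out, nulls


def shareable_view(raw_text):
    """Parse the export locally; return an indented, redacted string and the
    null-field paths. Nothing is sent off the machine."""
    redacted, nulls = redact(json.loads(raw_text))
    return json.dumps(redacted, indent=4), nulls


if __name__ == "__main__":
    pretty, nulls = shareable_view(SAMPLE_EXPORT)
    print(pretty)
    print("Fields with no stored value:")
    for p in nulls:
        print("  " + p)
```

Key names are kept as they are, so check that none of them is itself identifying before posting the output.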

3 hours ago, Wulfie Reanimator said:

Of course. But my input field had my full address, including my apartment number, but it was not parsed into the dedicated fields.

To quote, my apartment number is "null".

I can add a more specific excerpt from the file later.

Hmm, if they don't have your apartment number parsed into the correct field, they wouldn't necessarily be able to verify if your alts belong to you or to someone else in your block. Probably they could, if a human actually went into each account and checked, but likely it's an automated process here.

Link to comment
Share on other sites

I'll add that for the whole "I want my data removed".

It is fairly limited and excludes most information required for running the business properly.

You can't invoke the GDPR's data removal to get unbanned from an online service for example, or to expunge their record of disciplinary actions taken against you.

Link to comment
Share on other sites
