undefined | Better HN

0 pointspheleven7y ago0 comments

I would argue there are several sections in the GDPR that appear to allow for a 3rd party to request data on behalf of the data subject. For example:

A20(2): In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

A12(3): ... Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

Even in the case it didn't work out to directly query, as another has suggested, just making it easy to fill out as many forms as possible in an automated fashion has value. Use their email to send from.

Also, how does the data subject or gdpr.me know that your company hasn't hoovered up some PII of the data subject?

I've read it several times and unless more clarity comes down on questions like this I'm quite afraid of abuse. I've read 8% of UK citizens intend to (ab)use GDPR for spiteful reasons.

EDIT:

Ok - I believe this absolutely supports my point, straight from the horse's mouth... This is from WP29-2017-4-data-portability-guidance:

"Data subjects should be enabled to make use of a personal data store, personal information management system (PIMS) or other kinds of trusted third-parties, to hold and store the personal data and grant permission to data controllers to access and process the personal data as required."

This is immediately after saying businesses should create API's to allow data portability and GDPR requests.

0 comments

jacquesm7y ago

I don't buy that that allows you to send random requests to parties that you have no way of knowing the requester has a relationship with. That is an unreasonable burden to place on the recipient of such a request. Essentially you will be sending them on a wild goose chase which is against the intent of the law, which is to give people control over their data, not for people to harass random companies, even more so to do this in an automated way.

You can of course go and approach this from a legalistic point of view but that's usually not how things work in the EU, if you are going to split legal hairs to see how you might be able to get away with something then you will be in for a surprise.

But don't take my word for it, feel free to build and launch the service and we'll see if it flies. For $40 I'll pass :)

j / k navigate · click thread line to collapse