The requests themselves are legit. E.g. request 8 is aiming at ISO 27001, which states that the information policy is to be made public to stakeholders.
Request 9b is a bit tricky since the regulator has to be informed but not per se the data subject. Only if there is a risk for the data subject do they have to be informed.
The letter itself is carefully worded. The parts the data subject does not have a direct right to know are friendly requests (e.g. 4 vs 8b).
You can answer 8b with just one word: Yes. (Well, or No.)
The takeaway here:
If you give this letter to your technical personnel you will get a detailed overview of the infrastructure they use.
If you give the same letter to your lawyer you will get a very polite letter with the bare minimum of information.
An example for 8b would be this: "We have technology in place which allows us with reasonable certainty to know whether or not your personal data has been disclosed"
This language refers to the specific grounds established by chapter 5 of the GDPR under which transfer is allowed.
The data subject is expecting you to point at the specific clause that provides legal grounds in your case.
> An example for 8b would be this: "We have technology in place which allows us with reasonable certainty to know whether or not your personal data has been disclosed"
Arguably, such technology doesn’t exist (at least when plugged into a computer network). What penalties are in place if you lie in the response?
I'd expect "with reasonable certainty" to mean something different to pedantic lawyers/regulators than to pedantic cryptographers. Although perhaps an actual lawyer might suggest another phrase there, like "industry-standard measures" or something.
Yeah, I think a lawyer would write something even more nebulous... We minimized the risk according to our assessment with industry standard measures in accordance with our threat model to a reasonable level of safety as defined in the international standards, taking into account user experience and the requirements of our partners, all in accordance with local and EU law...
Such technology can't exist, because it is fundamentally trying to prove a negative.
There are technologies you can use (with varying degrees of effectiveness) to reduce the risk of data leaking by monitoring or intercepting specific mechanisms through which leaks can occur, but you can never have reasonable certainty in this respect.
Yes and no. That is the kind of measure that can help, but it's going to be very difficult to keep all relevant data within such a tightly controlled environment.
At some point you will probably need to work with the real data to do anything useful with it. There are situations where you really can operate on obfuscated/encrypted data, such as comparing password hashes, but these tend to be the exception rather than the rule.
And so, if you're compromised at a point with access to the raw data, or anywhere else from which access to such a point can be gained, you've still lost control of the data.
I am not sure what penalties there are for lying. I bet it's expensive ;)
And with lawyers and words I like to think of this quote:
"It depends on what the meaning of the word 'is' is. If the--if he--if 'is' means is and never has been, that is not--that is one thing. If it means there is none, that was a completely true statement....Now, if someone had asked me on that day, are you having any kind of sexual relations with Ms. Lewinsky, that is, asked me a question in the present tense, I would have said no. And it would have been completely true."