add data access documents
parent c788735017
commit d288f11f35
Binary file not shown.
|
@ -0,0 +1,140 @@
|
|||
**Company name**
|
||||
**Street/Address**
|
||||
**ZIP, City**
|
||||
**Country**
|
||||
|
||||
**Your name**
|
||||
**Street/Address**
|
||||
**ZIP, City**
|
||||
**Country**
|
||||
**Your email**
|
||||
**Your phone number**
|
||||
|
||||
In **City**, **Day** of **Month** **This year**
|
||||
|
||||
**Requesting access to personal data**
|
||||
|
||||
To Whom It May Concern,
|
||||
I am writing to you in your capacity as data protection officer for your company and I am making
|
||||
this request for access to my personal data pursuant to Article 15 of the Regulation (EU)
|
||||
2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
|
||||
natural persons with regard to the processing of personal data and on the free movement of such
|
||||
data, and repealing Directive 95/46/EC (the “GDPR”).
|
||||
I am including a copy of documentation necessary to verify my identity.
|
||||
Please advise as to the following:
|
||||
|
||||
1. Please confirm whether or not any of my personal data is being processed. If any of
|
||||
my personal data is being processed, please provide me with the information of which
|
||||
categories of personal data are being processed.
|
||||
a. In particular, please tell me what you know about me in your information
|
||||
systems, whether or not contained in databases, and including e-mail, documents on
|
||||
your networks, or voice or other media that you may store.
|
||||
b. Additionally, please advise me in which countries my personal data is stored,
|
||||
or accessible from. In case you make use of cloud services to store or process my data,
|
||||
please include the countries in which the servers are located where my data are or were
|
||||
(in the past 12 months) stored. Should the personal data be stored on servers outside
|
||||
the EEA, please provide such information.
|
||||
c. Please provide me with a copy of, or access to, my personal data that you
|
||||
have or are processing and if possible with information regarding the exact date you
|
||||
obtained that particular data.
|
||||
|
||||
2) Please provide me with a detailed list of the specific purposes of processing of my
|
||||
personal data.
|
||||
3) Please provide a list of all third parties with whom you have (or may have) shared my
|
||||
personal data. Should these third parties further provided my personal data to another subject,
|
||||
please provide who these subjects are/were.
|
||||
a. If you cannot identify with certainty the specific third parties to whom you
|
||||
have disclosed my personal data, please provide a list of third parties to whom you may
|
||||
have disclosed my personal data.
|
||||
b. Please also identify in which jurisdictions do the third parties that you have
|
||||
identified in 1(a) above that these third parties with whom you have or may have shared
|
||||
my personal data, from which these third parties have store or can access my personal
|
||||
data or from which jurisdictions are my personal data accessed. Please also provide
|
||||
insight in the legal grounds for transferring my personal data to these jurisdictions.
|
||||
Where you have done so, or are doing so, on the basis of appropriate safeguards,
|
||||
please provide a copy.
|
||||
c. Additionally, I would like to know what appropriate safeguards pursuant to
|
||||
article 46 of GDPR that have been put in place in relation to these third parties that you
|
||||
have identified in relation to the transfer of my personal data.
|
||||
4) Please advise how long you store my personal data, and if retention is based upon
|
||||
the category of personal data, please identify how long each category is retained.
|
||||
5) If you are additionally collecting personal data about me from any source other than
|
||||
myself, please provide me with all information about their source, as referred to in Article 14 of
|
||||
the GDPR.
|
||||
6) If you are making any automated decisions about me, including profiling, whether or
|
||||
not on the basis of Article 22 of the GDPR, please provide me with information concerning the
|
||||
basis for the logic in making such automated decisions, and the significance and consequences
|
||||
of such processing.
|
||||
7) I would like to know whether or not my personal data has been disclosed
|
||||
inadvertently by your company in the past, or as a result of a security or privacy breach.
|
||||
a. If so, please advise as to the following details of each and any such breach:
|
||||
i. a general description of what occurred;
|
||||
ii. the date and time of the breach (or the best possible estimate);
|
||||
iii. the date and time the breach was discovered;
|
||||
iv. the source of the breach (either your own organization, or a third
|
||||
party to whom you have transferred my personal data);
|
||||
v. details of my personal data that was disclosed;
|
||||
vi. your company’s assessment of the risk of harm to myself, as a result
|
||||
of the breach;
|
||||
|
||||
vii. a description of the measures taken or that will be taken to prevent
|
||||
further unauthorized access to my personal data;
|
||||
viii. contact information so that I can obtain more information and
|
||||
assistance in relation to such a breach, and
|
||||
ix. information and advice on what I can do to protect myself against
|
||||
any harms, including identity theft and fraud.
|
||||
b. If you are not able to state with any certainty whether such an exposure has
|
||||
taken place, through the use of appropriate technologies, please advise what mitigating
|
||||
steps you have taken, such as
|
||||
i. Encryption of my personal data;
|
||||
ii. Data minimization strategies; or,
|
||||
iii. Anonymization or pseudonymization;
|
||||
iv. Any other means
|
||||
|
||||
8. I would like to know your information policies and standards that you follow in relation
|
||||
to the safeguarding of my personal data, such as whether you adhere to ISO27001 for
|
||||
information security, and more particularly, your practices in relation to the following:
|
||||
a. Please inform me whether you have backed up my personal data to tape,
|
||||
disk or other media, and where it is stored and how it is secured, including what steps
|
||||
you have taken to protect my personal data from loss or theft, and whether this includes
|
||||
encryption.
|
||||
b. Please also advise whether you have in place any technology which allows
|
||||
you with reasonable certainty to know whether or not my personal data has been
|
||||
disclosed, including but not limited to the following:
|
||||
i. Intrusion detection systems;
|
||||
ii. Firewall technologies;
|
||||
iii. Access and identity management technologies;
|
||||
iv. Database audit and/or security tools; or,
|
||||
v. Behavioural analysis tools, log analysis tools, or audit tools;
|
||||
9. In regards to employees and contractors, please advise as to the following:
|
||||
a. What technologies or business procedures do you have to ensure that
|
||||
individuals within your organization will be monitored to ensure that they do not
|
||||
deliberately or inadvertently disclose personal data outside your company, through
|
||||
e-mail, web-mail or instant messaging, or otherwise.
|
||||
b. Have you had had any circumstances in which employees or contractors
|
||||
have been dismissed, and/or been charged under criminal laws for accessing my
|
||||
personal data inappropriately, or if you are unable to determine this, of any customers, in
|
||||
the past twelve months.
|
||||
c. Please advise as to what training and awareness measures you have taken
|
||||
in order to ensure that employees and contractors are accessing and processing my
|
||||
personal data in conformity with the General Data Protection Regulation.
|
||||
|
||||
Finally, I would like you to be aware at the outset, that I anticipate reply to my request within one
|
||||
month as required under Article 12 GDPR, failing which I will be forwarding my inquiry with a
|
||||
letter of complaint to the relevant data protection authorities. In case you will not be able to
|
||||
respond to my request within specified date and will, under the GDPR provided measures, be
|
||||
aiming to prolong such term because of the complexity of my request, please respond to my
|
||||
questions in the maximum possible extent during the original one month term. Should you
|
||||
require any additional information from myself in order identify me as the subject of data being
|
||||
processed by you, please contact me immediately.
|
||||
|
||||
Yours Sincerely,
|
||||
..............................
|
||||
|
||||
**Personal identification information**
|
||||
Temporary residence: **fill the information \*optional**
|
||||
Permanent residence: **fill the information \*optional**
|
||||
Personal identification number (Birth number): **fill the information \*optional**
|
||||
Date of birth: **fill the information \*optional**
|
||||
ID number: **fill the information \*optional**
|
||||
Passport number: **fill the information \*optional**
|
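Review bot: In item 3(b), the cross-reference "identified in 1(a) above" points at the wrong item: the third parties are listed under 3(a), while 1(a) asks about information systems. The same sentence is hard to parse ("from which these third parties have store or can access my personal data or from which jurisdictions are my personal data accessed"); suggest rewording it along the lines of "Please also identify the jurisdictions in which the third parties identified in 3(a) store, or from which they can access, my personal data." Smaller points in the same file: the top-level numbering mixes "1.", "8." and "9." with "2)" through "7)"; 9(b) reads "Have you had had"; item 3 reads "further provided"; and the list under 7(b) places "or," after ii rather than before the final entry.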
Binary file not shown.
Binary file not shown.