Creating a GDPR Subject Access Request letter that's not a nightmare

So in the past months The Nightmare Letter made headlines all over the tech industry and beyond. It’s a scary yet amazing example of what level scrutiny corporations can be put under in the name of EU General Data Protection Regulation law. Amazing because it goes to show the amount of control users from the EU now have over their data, and the general GDPR anxiety has led to tons of companies to stop operations in Europe altogether. To me that is troubling and calls into question

  • whether anyone in an enterprise took the actual time to read the GDPR (after a lengthy preamble it is only about 56 pages long) — much less understand its repercussions, or
  • if after reading and understanding the regulation it was determined, there is no chance of bringing current business processes in alignment, which speaks for rather poor treatment of user data.

Anyhow. Spawned by GDPR going in effect, I have taken on a little challenge for myself: gather more information about what data has previously been collected about me, and maybe even delete some accounts along the way, requesting data deletion from the business entity in question. For most enterprises I used to use the German service selbstauskunft.net. After all, Germany has had user-friendly data privacy law before GDPR was a thing, and selbstauskunft.net has been around for quite a while. It provides something like “Data Subject Access Requests as a Service” (DSARaaS?), i.e. sending out personalized Subject Access Requests (SAR) to lots of companies and public institutions on the user’s behalf, with pending queries tracking, statistics, and reminders on overdue requests, etc.

So far I have had no trouble to get my requests answered but a few days ago, a letter from PayPal Germany came in the mail and they are playing “hard to get”. As with lots of companies, they have separate legal entities for different parts of their business, and it seems as if European PayPal accounts are created with another branch of the conglomerate. The letter from PayPal Germany was short — something to the extend of

This is not the PayPal you are looking for.

At this point I knew I had to whip up something myself, since PayPal S.a.r.l. with it’s place of business in Luxemburg is not available via the Germany-centric selbstauskunft.net. What I needed was probably this: a proper Subject Access Request in alignment with EU General Data Protection Regulation.

After a little research I came up with the following first draft of a template text. I have no expertise in law or how to forge proper legally binding documents communicating with large multinational clonglomerates, but common sense tells me this is in alignment with GDPR, while being nowhere near as ignorant comprehensive as the The Nightmare Letter. After all, this is supposed to be an honest request, and not trying annoy someone.

Data Subject Access Request under EU GDPR

Dear Sir or Dear Madam,

As a European customer and data subject, I wish to formally request a copy of any information your organization has stored or processed—digitally or otherwise—in relation to me. Under EU GDPR, you must provide any information you process and/or store about me, including—but not limited to—local computers, networked servers and other electronic infrastructure, as well as in analogue/manual form. This includes information that you share or have shared with third-parties and other data processors for handling and storage.

Please note that to comply with Article 15 of the GDPR you have 30 days to respond to the data subject answering in detail where their data has been stored within your organization.

Relevant personal details:

  • <Name>
  • <Date of birth>
  • <Current address>
  • <Previous address>

Kind regards,

<Signature>

But—obviously—I am not going to just blindly put something like this in the mail without consulting the unlimited wisdom of the internet first. So, do you have an inkling about European / GDPR-related law, (or just have more common sense), and have feelings about the letter? Maybe it’s not detailed enough? Or a single sentence would suffice? Please let me know! Leave a comment below, and maybe that way we can crowd-source a good but dedicately non-pranky SAR for Europeans to use. 🇪🇺👋

Am I wrong and you know better? Please, leave a comment below!

Comments are stored on and served from the same machine that's serving the website, and not shared with third parties like Disqus. There are no analytics, no tracking, no nothing — just how it should be.