I was thinking a solid new business plan is to register gdpr.me (or whatever) and offer a service. $40, fill out a form, and I will send a GDPR request to every company in the world on your behalf. The data coming back is then offered back to you with the ability to create further requests (deletion for example) selectively or in full.This seem explicitly allowed for in the law.
jacquesm|7 years ago
(2) you would be filing a lot of requests to companies that have no data in the first place and which you could reasonably have known about had you queried the data subject.
I see such a service as acting in bad faith and would file a complaint against you and your service if such a frivolous request would land in my inbox. Better hold on to the $40, you might need to spend them on a lawyer.
But kudos for trying to see the GDPR as an opportunity, now try to do so in a more constructive way. And - funny - you would be mailing yourself since you would be sure to hold PII on the party making the request in order to be able to authenticate the request as being a genuine one, which in turn would make you required to be in compliance.
pheleven|7 years ago
A20(2): In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
A12(3): ... Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
Even in the case it didn't work out to directly query, as another has suggested, just making it easy to fill out as many forms as possible in an automated fashion has value. Use their email to send from.
Also, how does the data subject or gdpr.me know that your company hasn't hoovered up some PII of the data subject?
I've read it several times and unless more clarity comes down on questions like this I'm quite afraid of abuse. I've read 8% of UK citizens intend to (ab)use GDPR for spiteful reasons.
EDIT:
Ok - I believe this absolutely supports my point, straight from the horse's mouth... This is from WP29-2017-4-data-portability-guidance:
"Data subjects should be enabled to make use of a personal data store, personal information management system (PIMS) or other kinds of trusted third-parties, to hold and store the personal data and grant permission to data controllers to access and process the personal data as required."
This is immediately after saying businesses should create API's to allow data portability and GDPR requests.
shabble|7 years ago
IIRC there are services along those lines for various 'contact your $REPRESENTATIVE' political and activism lines. I vaguely recall something about how the US has specific laws allowing certain requests to be ignored (or maybe even criminalising the sending of) generated or form-letters, due apparently to this sort of abuse.
Can't remember what the exact context was that I saw it, but it might have been FOI or something data- related