[kenbaylor]

The reason why this is such a great letter is because it questions the competence of the recipient DPO. The data subject has a right to some of the information, but by no means all of it.

If the DPO complies with all of it, they will breach the GDPR (e.g. Request 9b). Of course a data subject also has no right to know what security controls (request 8) you have in place, other than they are 'commercially reasonable'.

A regulator can require this information, but not a consumer (data subject). This could be the basis of a great interview test for selecting your DPO.

[number6]

The request themselfs are legit. E.g request 8 is aiming at the ISO 27001 which state that the information policy is to made public to stakeholders.

Request 9b is a bit tricky since the regulator have to be informed but not per se the data subject. Only if there is a risk for the data subject they have to be informed.

The letter is carefully worded itself. The parts the data subject does not have a direct right to know are friendly request (eg 4 vs 8b).

You can answer 8b just with one word: Yes. (Well or No)

The takeaway here:

If you give this letter to you technical personal you will get a detailed overview of the infrastructure they use.

If you give the same letter to your lawyer you would get a very polite letter with the bare minimum of information.

Example for 8b would be this: "We have technology in place which allows us with reasonable certainty to know whether or not you personal data has been disclosed"

[mjw1007]

I found this part interesting: «Please also provide insight in the legal grounds for transferring my personal data to these jurisdictions.»

Do you know if there's really a requirement to provide requestors with your beliefs about the law, or with legal advice you've received?

[sharkdaysunrise]

This language refers to the specific grounds established by chapter 5 of the GDPR under which transfer is allowed. The data subject is expecting you to point at the specific clause that provides legal grounds in your case.

[hedora]

> Example for 8b would be this: "We have technology in place which allows us with reasonable certainty to know whether or not you personal data has been disclosed"

Arguably, such technology doesn’t exist (at least when plugged into a computer network). What penalties are in place if you lie in the response?

[geofft]

I'd expect "with reasonable certainty" to mean something different to pedantic lawyers/regulators than to pedantic cryptographers. Although perhaps an actual lawyer might suggest another phrase there, like "industry-standard measures" or something.

[number6]

Yeah I think a lawyer would write something even more nebulous... We minimized the risk according with our assessment with industry standard measures in accordance with our threat model to a reasonable level of safety as defined in the international standards taking in account user experience and the requirements of our partners all in accordance with local and EU law...

[Silhouette]

Such technology can't exist, because it is fundamentally trying to prove a negative.

There are technologies you can use (with varying degrees of effectiveness) to reduce the risk of data leaking by monitoring or intercepting specific mechanisms through which leaks can occur, but you can never have reasonable certainty in this respect.

[insomniacity]

You can get most of the way there though: https://diogomonica.com/2017/10/08/crypto-anchors-exfiltrati...

[Silhouette]

Yes and no. That is the kind of measure that can help, but it's going to be very difficult to keep all relevant data within such a tightly controlled environment.

At some point you will probably need to work with the real data to do anything useful with it. There are situations where you really can operate on obfuscated/encrypted data, such as comparing password hashes, but these tend to be the exception rather than the rule.

And so, if you're compromised at a point with access to the raw data, or anywhere else from which access to such a point can be gained, you've still lost control of the data.

[number6]

I am not Sure what penalties there are for lying. I bet it's expensive ;)

And with lawyers and words I like to think of this quote:

"It depends on what the meaning of the word 'is' is. If the--if he--if 'is' means is and never has been, that is not--that is one thing. If it means there is none, that was a completely true statement....Now, if someone had asked me on that day, are you having any kind of sexual relations with Ms. Lewinsky, that is, asked me a question in the present tense, I would have said no. And it would have been completely true."

[ThePhysicist]

The GDPR explicitly states that companies can prove their adherance to best practices using certification (https://gdpr-info.eu/art-42-gdpr/), so it usually would be sufficient to show a certificate from an accredited source to "prove" that data is handled appropriately. Don't forget though that the user also has the right to know which other processors or joint controllers have a copy of his/her data, so companies will have to provide a list with all of the services they use.