[pheleven]

I was thinking a solid new business plan is to register gdpr.me (or whatever) and offer a service. $40, fill out a form, and I will send a GDPR request to every company in the world on your behalf. The data coming back is then offered back to you with the ability to create further requests (deletion for example) selectively or in full.

This seem explicitly allowed for in the law.

[jacquesm]

(1) the service is not explicitly allowed for because data subjects (and not data processors acting on their behalf) would be the ones to file such requests.

(2) you would be filing a lot of requests to companies that have no data in the first place and which you could reasonably have known about had you queried the data subject.

I see such a service as acting in bad faith and would file a complaint against you and your service if such a frivolous request would land in my inbox. Better hold on to the $40, you might need to spend them on a lawyer.

But kudos for trying to see the GDPR as an opportunity, now try to do so in a more constructive way. And - funny - you would be mailing yourself since you would be sure to hold PII on the party making the request in order to be able to authenticate the request as being a genuine one, which in turn would make you required to be in compliance.

[pheleven]

I would argue there are several sections in the GDPR that appear to allow for a 3rd party to request data on behalf of the data subject. For example:

A20(2): In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

A12(3): ... Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

Even in the case it didn't work out to directly query, as another has suggested, just making it easy to fill out as many forms as possible in an automated fashion has value. Use their email to send from.

Also, how does the data subject or gdpr.me know that your company hasn't hoovered up some PII of the data subject?

I've read it several times and unless more clarity comes down on questions like this I'm quite afraid of abuse. I've read 8% of UK citizens intend to (ab)use GDPR for spiteful reasons.

EDIT:

Ok - I believe this absolutely supports my point, straight from the horse's mouth... This is from WP29-2017-4-data-portability-guidance:

"Data subjects should be enabled to make use of a personal data store, personal information management system (PIMS) or other kinds of trusted third-parties, to hold and store the personal data and grant permission to data controllers to access and process the personal data as required."

This is immediately after saying businesses should create API's to allow data portability and GDPR requests.

[jacquesm]

I don't buy that that allows you to send random requests to parties that you have no way of knowing the requester has a relationship with. That is an unreasonable burden to place on the recipient of such a request. Essentially you will be sending them on a wild goose chase which is against the intent of the law, which is to give people control over their data, not for people to harass random companies, even more so to do this in an automated way.

You can of course go and approach this from a legalistic point of view but that's usually not how things work in the EU, if you are going to split legal hairs to see how you might be able to get away with something then you will be in for a surprise.

But don't take my word for it, feel free to build and launch the service and we'll see if it flies. For $40 I'll pass :)

[shabble]

You could maybe provide your users with a pre-filled request form for various companies they indicate they're a customer of, and have them send them directly.

IIRC there are services along those lines for various 'contact your $REPRESENTATIVE' political and activism lines. I vaguely recall something about how the US has specific laws allowing certain requests to be ignored (or maybe even criminalising the sending of) generated or form-letters, due apparently to this sort of abuse.

Can't remember what the exact context was that I saw it, but it might have been FOI or something data- related

[jacquesm]

That sounds like a much better idea.

> I vaguely recall something about how the US has specific laws allowing certain requests to be ignored (or maybe even criminalising the sending of) generated or form-letters, due apparently to this sort of abuse.

Exactly, and it is abuse. There are so called 'mass letter writers' here in NL that keep on sending FOI requests and other letters to local government effectively DDOSing the services and they too can be - and have been - slapped down.