|
> anyone tried a GDPR request to their phone provider to figure out what do they collect and what do they store? Yes. The Netherlands, carrier is called Youfone. They have very, very little data on me: they claim not to be able to see which cell tower I'm even connected to (which would be tracking info), which makes me wonder how they even provide their service. They say it's all outsourced to third parties, one of which is the network operator, KPN, and they cannot list those parties for commercial reasons. I doubt that's legal (I'd assume you can't just stuff everything into subsidiaries and go "sorry can't tell, business secrets": either you have to get it from the subsidiaries, or you tell me who they are and whom to talk to), but the Authoriteit Persoonsgegevens (local authority) seems to have their hands full, as do I, so I did not bother pursuing it. The info I did get was: everything I provided (name, DOB, bank account), everything you would commonly expect (call logs (though that is not as common in Germany, it is everywhere else afaik), the invoices based on those call logs, data usage per month, etc.), and I think one or two uninteresting pieces of information (probably SIM card number and such). They also provided storage time limits for the data. I feel like they did not have the process in place yet before my request, as a dude quite high up in the orga replied to my support ticket and they exceeded their response deadline. After two months they gave me a professional-looking PDF with the data, so I think they quickly set that up because GDPR was fairly new (few months after May 2018). They're also cheap, I'm sure the mails back and forth (not to mention the investment in that "data to pdf" system) cost them much more than my 8,50/month subscription would warrant. I kind of want to cut them some slack for working on it rather than bother those who try. Maybe I'll pursue it again later. Or maybe someone else can ask better questions based on my experience. |
In any case - I agree with you that this seems like a shitty legal pseudo-loophole. At the very least the company you sign mobile contract with needs to share your phone number with those infra subsidies. But then according to GDPR: "15. 1. The data subject shall have the right to (...) access to the personal data and the following information: (...) (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed". Following this rule one should be able to reach the bottom of the data processing chain.