Title: GDPR complaint email template
Date: 2019-03-17 14:00

Since it's tedious as fuck to find copy-pasteable email templates to throw at people sending batches of unsolicited marketing garbage, because all the results in web search engines are about creatively interpreting the GDPR to actually __send__ spam, here is mine:

> Hello,
>
> Since I'm a European Union citizen, all my personal data, including my email address,
> are protected by the General Data Protection Regulation (GDPR), even if your company
> is based outside of the EU. See https://www.privacy-regulation.eu/en/ for details.
>
> As a data controller you are thus subject to various obligations,
> notably transparency.
>
> As per Article 15 ( https://www.privacy-regulation.eu/en/15.htm ),
> please provide me with:
>
> 1. all the personal data you have about me;
> 2. the purpose of the processing;
> 3. why and how you collected / got access to them;
> 4. whether you share my data with other entities.
>
> As per Article 7 ( https://www.privacy-regulation.eu/en/7.htm ),
> if this processing is based on my consent, please send me the information
> demonstrating that I have indeed consented to it.
>
> As per Article 17 ( https://www.privacy-regulation.eu/en/17.htm ),
> I also want all my personal data to be erased from your
> databases or other storage, but only after you have provided me with the
> information requested above.
>
> As per Article 19 ( https://www.privacy-regulation.eu/en/19.htm ),
> ask any company to whom you might have transferred my
> data to do so as well, and provide me with proof of said erasure.
>
> As per Article 12(3) ( https://www.privacy-regulation.eu/en/12.htm ),
> you have one month to fulfil this request. After said period,
> be assured that I will refer the case to the competent supervisory authority
> ( https://edpb.europa.eu/about-edpb/board/members_en ), which has the power
> to hand out significant fines ( https://www.privacy-regulation.eu/en/83.htm ).
>
> Have a nice day,

If you're French, the [CNIL](https://en.wikipedia.org/wiki/Commission_nationale_de_l%27informatique_et_des_libert%C3%A9s) has a nice [list of templates](https://www.cnil.fr/modeles/courrier).

A trick that companies like to pull is to ask for a copy of a government-issued ID for any GDPR-related request, so here is the proper reply:

> Hello,
>
> Please be advised that requesting copies of government-issued ID is
> explicitly against the Guidelines 01/2022 on data subject rights - Right of access,
> Version 2.1, adopted on 28 March 2023
> (https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf),
> specifically sections 3.3.73 to 3.3.75:
>
> > 73. In practice, authentication procedures often exist and controllers do not need to introduce additional
> > safeguards to prevent unauthorised access to services. In order to enable individuals to access the data
> > contained in their accounts (such as an e-mail account, an account on social networks or online shops),
> > controllers are most likely to request the logging through the login and password of the user, which in
> > such cases should be sufficient to authenticate a data subject [36]. Furthermore, the data subjects are
> > often already authenticated by the controller before entering into a contract or collecting their consent
> > to the processing and, as a result, the personal data used to register the individual concerned by the
> > processing can also be used as evidence to authenticate the data subject for access purposes [37].
> > Consequently, it is disproportionate to require a copy of an identity document in the event where the
> > data subject making a request is already authenticated by the controller.
> >
> > 74. It should be emphasised that using a copy of an identity document as a part of the authentication
> > process creates a risk for the security of personal data and may lead to unauthorised or unlawful
> > processing, and, as such, it should be considered inappropriate, unless it is necessary, suitable, and in
> > line with national law. In such cases, the controllers should have systems in place that ensure a level
> > of security appropriate to mitigate the higher risks for the rights and freedoms of the data subject to
> > receive such data. It is also important to note that authentication by means of an identity card does
> > not necessarily help in the online context (e.g. with the use of pseudonyms) if the person concerned
> > cannot contribute any other evidence, e.g. further characteristics matching to the user account.
> >
> > 75. Taking into account the fact that many organisations (e.g. hotels, banks, car rentals) request copies of
> > their clients' ID card, it should generally not be considered an appropriate way of authentication.
> > Alternatively, the controller may implement a quick and effective security measure to identify a data
> > subject based on the authentication it has previously carried out, e.g. via e-mail or text message
> > containing confirmation links, security questions or confirmation codes [38].
>
> Hence, I won't be providing you with the government-issued ID you
> requested.
>
> Please update me on the status of my previous request,
> keeping in mind that you have N days left to fulfil it.
>
> Have a nice day,