At least in terms of territorial scope the ICO is correct; Article 3(1):
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
One reason for the right of access is for individuals to find out what data is being processed about them by controllers (in order to check the lawfulness, exercise their rights, etc.) so the request is made in good faith to the extent this individual seems to be trying to do just that. Obviously you might not be controller for any information relating to them, but couldn't you do a reasonable and proportionate check, given what you know from their request, or ask them for more information to identify anywhere you might hold their information? You don’t need to 'leave no stone unturned'.
Dan
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Emile Douilhet
Sent: 14 October 2019 10:28
To: [log in to unmask]
Subject: [data-protection] Potentially erroneous guidance by the ICO?
Hi all,
We were contacted a while back by an American individual who is convinced that Google is leading an elaborate conspiracy to spy on him. As part of his investigation, he noticed that someone from our institution had looked up his profile in LinkedIn (which anyone on LinkedIn can do).
Based on this, as he puts it, "corporate surveillance", he made a Data Subject Access Request to our institution asking us to comb through every email, document, and browser history for all our employees to find who had been working alongside Google to spy on him.
My view on it was that an individual who lives and works in the US (as far as I know this individual has never stepped foot in the EU) is protected by US law, and out of scope of the GDPR (which protects individuals "who are in the Union"). Additionally, as we are not the data controller of that LinkedIn search (I would assume the individual who made the search is? Either that or LinkedIn) and invading the privacy of 1000 staff to find a single LinkedIn name search is a massive breach of our employees' rights.
That individual contacted the ICO, who advised that this individual had the full rights of the GDPR, and that the explanation given for why we could not find and provide the information requested was insufficient.
This means that anyone, anywhere could just request any EU entity and ask them to comb through all their files for any reason, any suspicion of holding data even if no data is actually held on the individual. That seems a really dangerous precedent to me? But it's the ICO.
Has anyone dealt with similar requests from individuals with no EU ties? If so how did you respond?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask] All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^