In the last few months there seems to have been an increasing number of web sites and apps offering to submit subject access requests on behalf of data subjects – subject access request as a service (SARaaS) – including sites such as rightly.com and tapmydata.com.
Tapmydata.com rewards users for submitting SARs with “tap crypto tokens” that can be redeemed in their tapmydata rewards store. Check it out https://tapmydata.com/.
One of the OutsourcedDPO’s public sector customers told us that they have sought advice from the ICO who apparently told them that they could ignore the request as it was manifestly unfounded – i.e. of a frivolous nature and not motivated by a proper purpose.
On the face of it that seems to be sound advice – a request without basis is, according to the official guidance, potentially manifestly unfounded, i.e. without foundation or purpose, and raising SARs in order to accumulate rewards would seem to be a perverse purpose for raising a SAR.
The OutsourcedDPO received a request from a data subject via rightly.com this week in his capacity as data protection officer for a large company. Rightly’s request provided a mechanism for validating the identity of the data subject which, so far, has not provided anything useful. To find out more about the service the OutsourcedDPO signed up to rightly.com but has not received any information from them allowing him to set up an account and access their portal.
According to rightly.com’s website, rightly expects data controllers to upload all of the personal data for disclosure under a SAR to their portal to allow the data subject access to it. The whole thing feels rather commoditized and the detached relationship with the data subject feels uncomfortable.
They also imply that they know which organisations hold personal details about you. I wonder how they have determined that?
So, what should you do if you receive a SAR from a SARaaS platform?
For a start, we do not believe you should ignore it – you should at the very least acknowledge it and then either decline to fulfil it or elect to levy a fee if you feel it is manifestly unfounded. You need to document why the request is manifestly unfounded, as the burden of proof lies with the data controller. This may require some context and discussion with the data subject – it seems dangerous to assume that they are only raising the SAR for tap tokens or some other frivolous purpose. The GDPR expects data subjects to periodically submit SARs (Recital 63), so dismissing it out of hand seems like a high-risk approach.
You should definitely seek to verify that the person making the request via the SARaaS platform is in fact the data subject, which may involve requesting evidence from the platform or directly from the data subject if you have an existing relationship and contact details for them.
You should probably commission an information search to quantify how much information you are holding or processing relating to the apparent requestor just to give you a feel for what you have and how difficult it might be to fulfil the request in the event that it turns out to have merit.
If you do decide to fulfil the request, there will be a serious question over whether to upload all of the personal data into the SARaaS portal. Clearly the portal provider is an independent data controller and therefore fully responsible for the lawful and secure processing of the personal data that you place into it – but where does the liability start and end? Article 12(3) says that where a data subject makes a rights request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject. This has presumably created a market for SARaaS platforms.
At the time of writing the OutsourcedDPO has not been through a full request cycle with one of these platforms but will update this blog as more information emerges.
Please share your experiences with us if you have had experience of SARaaS platforms.