Letter to Facebook - What do you know about me?

As of today, the new General Data Protection Regulation (GDPR) is enforceable, which allows residents of the EU to assert rights against companies regarding the processing of personal data. This also includes a duty of disclosure and the obligation of companies to delete certain data upon request.

I sent a letter today to the Data Protection Officer (DPO) at Facebook’s European headquarters in Ireland to get full information about what Facebook knows about me. I was very disappointed not to find an email address of the DPO on the Facebook website despite intensive searches. I just sent the request for information as per Article 15 GDPR by post – of course by registered mail.

You can find the letter below.

I will keep you informed of further progress in the exercise of my rights under the GDPR!

To:
Facebook Ireland Ltd.
–Data Protection Officer–
4 Grand Canal Square
Grand Canal Harbour
Dublin 2 Ireland

REQUEST FOR INFORMATION as per Art. 15 GDPR

Munich, May 25, 2018

Dear Sir or Madam,
I am a EU citizen and resident and would like to ask you to provide me all data your company (including all affiliates) collected about me, including all data provided to your company by third parties and including all data your company collected with tracking scripts or other software on any website or app operated by other companies. The data I’m interested in include all pseudonymized data that contain any form of online identifier. Please send me all “raw” data stored on your servers (including all URLs, identifiers, time stamps and behavioural data) unchanged and in full.

Furthermore, I’m interested in what your company reads out of this data. Please send me the end products of the processing of the above-mentioned data, including the information about the purpose and the categorization of the processed data. Please also send me information about the existence of automated decision making, including profiling and information about the logic involved.

Please inform me in which country the above-mentioned data is stored and processed by your company. I also request information whether your company stores any of the above-mentioned data in a way that would make it possible to attribute the data (e.g. by using identifiers, fingerprinting, session-based or other technologies) about my internet, shopping, traveling, and other activities on and off Facebook to my Facebook, WhatsApp and Instagram account or any other forms of identification used by your company and whether and how your company combines the data attributed to those accounts or identities. I also request information if and how your company uses or used technology to de-anonymize any data attributed to online identifiers that could be attributed to me or identify me as a specific user or concrete person. I also request information whether your company stores and processes data about my online identities at services that are not operated by your company (e.g. my Google, Twitter, Amazon, or email account) and about the purpose of the data processing.

Does or did your any of your company’s software (e.g. APIs or tracking scripts) collect data about the content of any websites or apps that are not operated by your company and if yes, are these data stored in combination with any form of online identifiers? Do or did your company’s software (e.g. APIs or tracking scripts) collect data about an internet user’s behaviour (e.g. clicks, scrolls) and/or an internet user’s input on these websites or apps (e.g. when filling in personal information in a web form) in combination with any form of online identifiers? If this should be the case, I request access to this information as per Art. 15 GDPR as well.

Information about my accounts with your company
Facebook: https://www.facebook.com/[account name]
Instagram: [account name]
WhatsApp: [mobile number]
To prove my identity, I enclosed a copy of my passport.

Unfortunately, I haven’t found any contact information to make this request by electronic means. I would be grateful if you could provide me the information and answers to my questions in an electronic format, be it by a secure download option (preferred) or a physical digital storage medium. My email address is [name@domain]. For further communication, please provide details about how to contact your DPO by electronic means.

In addition to my request for information as per Art. 15 GDPR, please answer the following questions:

Did any other party get access (unintentionally or intentionally) to any personal information (including pseudonymized data combined with any form of identifier) your company collected about me or my behaviour?

What online identifiers other than the account ID does your company store and process, and for what purpose?

How can I correct, delete, or transfer the above-mentioned data?

How can I opt-out of any further data collection by your company when I use websites or apps that are not operated by your company?

Yours faithfully,

Thomas Konrad