Email sent 25/05/18, 17.29


I would like to request all personal data associated with myself held by your company, in accordance with my rights under the GDPR.

The following information should allow you to identify me:
I live at [HOME ADDRESS]. My business name is 2040 Training, and my business address is Courthill House, 60 Water Lane, Wilmslow, Cheshire SK9 5AJ, UK, Company No: 6682698

You may hold data associated with me via the following email addresses and phone numbers: [PERSONAL EMAIL WITH MY NAME IN IT], [SECOND PERSONAL EMAIL WITH MY NAME IN IT],, [EMAIL WITH MY NAME AND COMPANY NAME IN IT], [LANDLINE], 07508341090 or [PERSONAL MOBILE] or the Twitter handle @tim2040

My request includes any personal data held about me, including any assumptions, characterisations, classifications or inferred data recorded about or associated with me, as well as any factual, contact or other personal data and correspondence concerning me either internally or externally.

This should also include a clear indication of the source for all information held about me, and the names of any data controllers to whom my personal data has been passed. If you require any further information, please do not hesitate to contact me. Please note that all personal data including in this request has been supplied solely for the purpose of identifying data already held by your organisation, and none of it should be retained or added to records you hold for any other purpose.


Tim Turner


Email sent 25/05/2018, 21.27


Thanks for reaching out to us. I am glad to see that some are not wasting any time in exercising their rights!

Here are the definite answers I can provide at this stage:
* I have not found the email address in our systems.
* I am not sure under what basis you are making your request for business information we might hold concerning the “2040 Training” business. The GDPR would not be applicable to that situation. If there is something I am missing, please let me know.

Otherwise, a constant concern with Subject Access Request is to confirm the identity of the person making the request. For this reason, before responding to any request concerning the other identifiers, I first need to confirm that the owner of those accounts actually did wish to formulate such a request. Therefore…
* for each of the other email addresses, please resend a direct request from that email address, so we can confirm they are yours.
* for each of the phone numbers, please send a copy of a recent phone bill in your name to confirm that you hold this phone number.
* for the Twitter account @tim2040, please contact us directly at @PersonalDataIO, and we can take it from there.

Finally, for the request concerning your home address, I will need some type of proof to confirm you live at that address. A utility bill in your name would do.


Paul-Olivier Dehaye



Thanks very much for this.
You’ve given me everything I need here.
Best wishes


Great. Happy to help. Thanks for making our service better.





There’s a very long way to go on that.




Baby steps!




Under Article 17 of the General Data Protection Regulation, I would like to request that you erase any personal data held by your company or any of its employees or volunteers in relation to myself. Specifically, I request that you erase any reference to any of the emails or phone numbers provided in my email to you from this address on 25th May 2018, including the email itself.
If you held any of the information before 25th of May, I expect you to erase it.
If you refuse to erase any personal data connected to any of the identifiers specified in my request of 25th May 2018 without proofs of ID, please let me know.
Best wishes
Tim Turner

“masterclass in not answering questions”

Just about a month ago, I had a little Twitter disagreement with Paul-Olivier Dehaye, patron saint of subject access requests. He said his tool for making subject access was brilliant and revolutionary, and I said it was shit. There was a bit more to it than that, but I was hoping to make this a short blog.

The use of third parties to make subject access requests on one’s behalf is not new – solicitors have always done it, and companies have made batched SARs at least since the bank charges furore of the last decade. The problem with a third party – or automation of the process – is that it gives the Data Controller something to play with. Dehaye admitted to me that in all the time he spent developing his SAR tool, he didn’t speak to anyone with any experience of dealing with SARs from the controller’s perspective, and it shows.

Even though one of Dehaye’s tedious cheerleaders told me that SARs were going to be “frictionless” post-GDPR, there are inevitably some bumps in the road when asking for data even in this Brave New World. The Data Controller needs to identify the application properly, and the involvement of a third party might complicate that – or might be exploited to complicate that, as anyone who has ever dealt with a poorly-written solicitor SAR can probably tell you. If there is a lot of data, the controller can ask the subject to narrow the scope of their request. If they believe that the request is unfounded or excessive, they can make a charge, or even refuse. An automated third party doesn’t make any of this easier.

Ironically given his status as pro-DP activist, I think Dehaye wants SARs to seem difficult. “In my own experience, SARs are complicated to do in a way that properly defends data subject rights” he said, but given that he’s building a business based on data, he kind of would say that. When I first encountered him, Dehaye told me that he was planning to charge subjects for using his tool; while that plan might have changed, he gets evasive when you ask whether he might charge for add-on services in the future. One of the main advantages of GDPR for the subject is that SARs are now free – the best way to exercise the right is to ask for the data direct, without the involvement of a politically-motivated middleman whose company isn’t even in the EU. I voted Remain and I think Brexit is moronic, but that doesn’t mean that weaponising SARs is a good idea. After all, someone might turn round and do it to you.

I decided to make a SAR to Dehaye’s company on the 25th May. His response, though admirably swift, wasn’t exactly the zenith of transparency that one might have hoped for. One might even describe it as a masterclass in not answering questions. I provided a variety of different email addresses and phone numbers that the company might hold in relation to me – the purpose of this was to allow the data controller to identify whether any of my data was held. I did the same thing with my request to Experian – I don’t know what data Experian holds on me, so I provided all the possible identifiers that I could think of. I don’t know what, if any, data Dehaye or his company might hold, so I needed to provide a variety of different identifiers.

EDIT: in response to a request from the data controller, click here for the full text of my request (redacted only to remove personal data that is not in the public domain) and the full text of their reply.

Article 12 of GDPR states that “The controller shall facilitate the exercise of data subject rights under Articles 15 to 22” and shall answer requests unless it “demonstrates that it is not in a position to identify the data subject” – it is plainly correct for the controller to want to know who the applicant is, in order to avoid giving data to the wrong person. However, Recital 64 says that the controller’s measures to identify the subject must be “reasonable“. Dehaye demanded that I send a separate request from each of the email addresses I specified. This means that he thinks that if an organisation has harvested emails from a variety of sources, the controller only has to disclose data if they receive confirmation from that account that it is linked to the subject. So if a person applies from a Gmail account, and the controller has harvested a work email address, even if they have linked the two together, Dehaye doesn’t think that the subject is entitled to the work-related data unless they make a separate request.

Similarly, I provided my home address, my 2 mobile numbers (business and personal) and my landline. Bear in mind, a data controller may have harvested all of this data, so the SAR applicant might need to provide it in order to say this is me, this is my data, do you have it? Dehaye’s response to this part of my request was to demand copies of phone bills for each account, and a recent utility bill for the home address. Clearly, this is the approach he would advocate for any data controller faced with such a request. As it happens, my girlfriend’s name is on the landline account, so I cannot prove that the landline is my personal data, even though it is. One of my mobiles is pay-as-you-go, so I don’t get bills, and the work mobile is on my website, and so can be linked to me without the need for unnecessary proof. As with most people, I receive electronic utility bills, and do not have them immediately to hand. Dehaye’s approach seems to be that if a Data Controller has harvested your data, subject access requires the applicant to provide a lot more personal data in order to get access.

The point of the ID check is to ensure that the person is who they say they are – once that’s done, if the controller has doubts about whether an identifier does link back to the subject (i.e. an email address), they can check, or just send any relevant data to that separate identifier. If Dehaye thinks that his approach is legally correct, there is no reason why Leave.EU, Vote Leave or any other organisation shouldn’t do exactly the same thing if they receive a SAR from now on. When I asked him in April how his tool would deal with the ID element he said “Let’s set the standard” – now we know what that looks like. It looks like giving huge quantities of personal data to someone you don’t trust.

This is a no-win – either Dehaye’s approach is right, and I have to go through an administrative nightmare when SAR-ing organisations that grab data from anywhere they can get it, providing them with a fat dossier of extra information before I can get access, or Dehaye is a hypocrite who complains about hurdles to subject access but builds a wall when asked to practice what he preaches. In any case, if Dehaye’s obstructive and unhelpful approach was correct, it would still be easier to handle without the added complication of a middleman.

UPDATE 28/5/18: Mr Dehaye has admitted that he deliberately adopted an obstructive approach because he thinks I am a trouble-maker. I believe that this is a clear breach of the GDPR; if the Data Controller Personal Data.IO is capable of playing these kinds of games, and deliberately discriminates against data subjects, I think this seriously undermines their credibility to act as an agent for other people’s SARS. The company is setting a cynical, obstructive example, and it would be catastrophic for subject rights if other controllers followed their lead.

Zero Gravity

In March, I received an unsolicited email from a company called Gravicus. It was scaremongering nonsense, touting their data management software via the threat of director liability for data breaches. So far, so what: I get a lot of spammy junk from GDPR people to my 2040 Training email address, but this was to a personal Gmail address that I don’t give out all that often. The email claimed that it had been sent to me because I was “registered on Leadiro”, who I have never heard of. Under PECR, email sent to an address for which I am an individual subscriber can only be sent with consent (or soft opt-in), and given that I had heard of neither Gravicus or Leadiro before the email arrived, they had neither.

I contacted Gravicus to make a subject access request on 20th March, asking how they had obtained my data, what Leadiro had told them and for any other personal data about me that they held. Separately, I contacted Leadiro and asked them why they were selling my data. Leadiro got back to me, and confirmed that they had not supplied my data to Gravicus.

Having had no reply from Gravicus beyond an automated acknowledgement, I emailed them again on April 2nd, asking for confirmation that my request was being dealt with, and also passing on what Leadiro said. A week went by with no acknowledgement, so I wrote to the company’s registered office address and business address, chasing them up.

Gravicus finally reacted on 16th April via a letter from their lawyers, Keystone Law. Keystone admitted on behalf of their clients that the Leadiro story was false, and that my data had been harvested from the “business oriented and professional website” LinkedIn. I apparently connected “voluntarily” with a named Gravicus consultant, who then exported her connections to obtain contact details of “relevant professionals in the sector”. Nearly a month into my request, Gravicus wanted a copy of my passport and utility bill, certified by a lawyer, accountant or similar professional, as well as the £10 fee. I paid the £10 and sent an uncertified copy of my passport. The lawyers still demanded the utility bill as proof of my address, despite the fact that Gravicus’ own version of events shows that they would have nothing to compare it to – they have only ever dealt with me via email or Twitter. In any case, Keystone had already named the individual who harvested my address, so if it was wrong to reply to my subject access request without proof of address, why was it right to give me the name of the consultant? I threatened to complain to the Information Commissioner, and they backed down. I have no doubt that Gravicus took this approach to obstruct my request, which when they had already breached PECR and Data Protection isn’t the best way to resolve a problem.

It is a breach of LinkedIn’s terms and conditions to

  • “Disclose information that you do not have the consent to disclose”
  • “Copy, use, disclose or distribute any information obtained from the Services, whether directly or through third parties (such as search engines), without the consent of LinkedIn”
  • “Use, disclose or distribute any data obtained in violation of this policy”

Harvesting and using email addresses from LinkedIn in breach of their terms and conditions, without transparency and a legal basis is a clear breach of Data Protection. Gravicus did not have my consent, and by misrepresenting the source of my data in the email that they sent me, they blew any chance of relying on legitimate interests. Their use of my data was unlawful. Gravicus’ lawyers claimed that the confusion over where my data came from was understandable because Leadiro was one source that they were using. But that isn’t true. The CEO of Leadiro told me explicitly: “Gravicus are not a Leadiro customer, and have never been a Leadiro customer“. Added to that, sending a marketing email to an individual subscriber without consent is a breach of PECR, and Gravicus knew I was an individual subscriber because their records had my address marked as ‘Personal’.

Despite the fact that Gravicus’ original spam email touted data breaches as being the personal responsibility of directors, one of the shabbiest things about their response is the way they sought to throw their consultant under the bus. They named her straight away, and claimed that the company didn’t know that she was harvesting emails from LinkedIn, even though their lawyers continually stressed that I had voluntarily made my email available to her. In other words, you asked for it, but we didn’t know it was happening. I don’t believe this, but it doesn’t matter whose idea it was. The directors are responsible for what their company does, not some consultant who blocks people on Twitter when they ask awkward questions. Instead of dealing with me like a human being, Gravicus lawyered up and tried to obstruct my subject access request with bogus demands for unnecessary personal data, itself an additional breach of DP law.

This might seem like a lot of fuss for a spam email. But look at what Gravicus is selling as a data processor. Their product works like this: “Tell Osprey your data sources, provide your access credentials and it will connect automatically to analyse your data“. As a data processor, they will have access to a huge amount of sensitive and possibly special categories personal data held by their clients. The GDPR states that data controllers “shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject“.

Gravicus harvested my data unlawfully, they gave me false information about where personal data has been obtained from, they demanded excessive personal data when dealing with my subject access request, and they sent me unlawful unsolicited emails in breach of PECR. They claim that they’ve stopped gathering data in this way, but it never should have happened in the first place, and suggests that the directors don’t know what’s going on in their company. In any case, when caught out, they hide behind their lawyers and consultants instead of dealing direct. Any organisation thinking of using them as a data processor should think long and hard about whether Gravicus can offer the kind of guarantees that GDPR requires.

A brief word from our sponsors

I haven’t blogged in a while because of a heavy workload, inspired by the oncoming train / Sword of Damocles / impending apocalypse that May 25th represents. In the meantime, permit me to do a bit of advertising.

Believe it or not, GDPR is for life, not just the 25th May 2018.

So if you intend to run a business, charity, public authority or other organisation, and what to know about GDPR Rights like the Right to be Forgotten, Subject Access or Portability, if you want to know what PECR means for marketing or fundraising, or if you just want to know how GDPR works, I am running courses in May that can help you. I’ve been a DP Officer, I have 17 years of data protection experience, and I use my DP rights to track down and control my data, so I can show you what’s good and bad across the DP world.

The courses are GDPR Rights in London and Manchester, GDPR and Marketing in London, and GDPR SOS for the second time in London – all at the end of May, all £250 + VAT. I’m not doing any courses on the 25th May itself as I will be using my Data Protection rights for wholly mischievous purposes against people who deserve it. Expect to read blogs about that in the future.

Find out more about the courses here:

Book here:

SARpocalypse Now

As expected, the Information Commissioner has announced that her office will be running a campaign promoting GDPR rights to members of the public. As anyone could have predicted, some of the excitable GDPR community on LinkedIn are now working themselves up into a lather about the ensuing SARmageddon that will ensue from this development. Previously, the same people were complaining that the ICO hadn’t launched a massive campaign, as if it was the regulator’s duty to whip up the public mood to help them sell their software.

The idea of GDPR prompting an avalanche of Subject Access requests isn’t new – Certified GDPR Practitioners and other salesmen have been confidently predicting it for a while, building the fantasy on rather shaky foundations. One false notion is that GDPR abolishes the fee for SARs and other data protection rights. It does, but many organisations do not charge the fee now so it’s unlikely it will make a difference to the number of requests they receive. Someone I trained this week gets 4000 a year, so the idea that receiving lots of requests will be new to many organisations is either ill-informed nonsense or a sales pitch. It’s only people who have no experience of Data Protection who think that a high volume of requests is novel.

Another claim is the PPI-style onslaught of compensation claims that the SARnami will supposedly serve. The problem with this is the flawed comparison between PPI and Data Protection. I’ve said this dozens of times, and I’ll say it again: PPI was widely and aggressively mis-sold. Most PPI claims were valid, and if the banks / financial institutions fought the claims, they would usually have lost. The process for a DP claim is first, establish that there has been a breach of GDPR / DP; second, establish evidence of some adverse effect; third, sue and hope to persuade a judge that the adverse effect is worth compensation. That’s a tall order.

Of course, many businesses may choose not to contest these claims, and that may fuel SARs and other rights requests. In my opinion, if a business gets bogus DP claims and settles them because it’s easier or cheaper, they’re contributing to an unhealthy culture and making it harder to implement DP sensibly for everyone. It’s instructive to see what happens when claimants actually get into court and what a balls-up they make of it: this should happen more often. If data controllers take a robust approach with cack requests and dare the Commissioner to do something about it, it’s not hard to imagine what would happen (and if you think it’s FINEmageddon, you’re reading the wrong blog, friend).

The worst example of this scaremongering is the SAR as DDoS attack. I remember this bollocks from the days when I worked at the Information Commissioner’s Office and the rumour spread that FOI would be used as a tool to disable public authorities. Admittedly, Walberswick Parish Council was temporarily knocked over by a persistent FOI campaign, but what happens in Parish Councils is not a reliable guide to anywhere except Parish Councils. Now, a variety of IT and risk management companies have returned to the theme. Only this weekend, Matt Hodges-Long was predicting SAR DDoS attacks as soon as May comes. In a coincidence that no screenwriter would accept as plausible, Mr Hodges-Long happens to be CEO of a company that sells risk management software that might help businesses cope with such attacks.

I know, right?

Think for a moment about how a SAR DDoS would work. In Mr Hodges-Long’s scenario, imagine thousands of data subjects deciding to submit a ‘single’ request to a company on the same day. How would this work? Firstly, someone would need to organise it. They would have to find thousands of people with the same grievance against the same organisation. Making a SAR isn’t the same as signing a 38 Degrees petition – you have to contact the data controller directly and ask for your information, so it’s a lot more than just filling in a form. The organiser would either have to coordinate the activity themselves, which would require obtaining proof of consent and proof of ID from every applicant (otherwise they would likely be breaching GDPR themselves), and then send the 1000s of requests, or they would have to issue clear instructions to all of the 1000s of people to ensure that they all did it at the same time.

GDPR requires the data controller to check ID when dealing with a request, so if suddenly 1000s of requests arrive en masse, if the data controller just BCCs them all asking for proof of ID, every single request is automatically invalid. GDPR also allows the data controller either to charge or refuse a request if it is manifestly unfounded or excessive. Imagine the amount of time and organisation it would require to either make all requests on behalf of 1000s of people, or coordinate the making of these requests at the same time on the same day. Imagine doing so in secret, leaving no trace for the data controller to find online. If a request has only been made for the purpose of attacking the organisation, and the controller can show evidence for this, what possible foundation could the request have?

I believe that if a campaigning organisation decided to use SARs as a method of DDoS, the data controller could refuse them all as excessive or unfounded (or both) and dare the Information Commissioner to do anything about it. Bear in mind that this is the same Commissioner who found systematic failure to answer subject access requests in the Ministry of Justice, and gave them almost a year to clear them up. They also sneaked the notice out just before Christmas without a press release, in one of the more shameful episodes of this generally unedifying period for Data Protection. If you think this same regulator is going to take the side of anyone using GDPR rights as way to attack data controllers for the sake of it, you are either an idiot or you’re selling something.

GDPR will change things. There will be more requests of the type we already get, and requests that we don’t currently get. For the mischievous, there is ample scope to use GDPR to take pot-shots at organisations. I’m going to do it myself. But the idea that we’re teetering on the brink of a World War SAR is hype to sell software. Anyone who tries it deserves to get called out and right-thinking people should shun their products in favour of a sensible, measured approach of deleting irrelevant data, improving retention policies, and developing / embedding / sustaining slick and robust rights procedures. Knowing where your data is, who will look for it when asked to and how they will look will pay off much more than a tool that you probably don’t need.