I’m happy to give up my data if it means I get to use digital services for free. It doesn’t bother me that my data is collected in exchange for a “free” service. I’m not troubled by being shown targeted ads based on my data. Do these statements sound familiar?
The use of data is wild: there’s no such thing as a free service
Do you know what kind of data companies collect in exchange for their free services? In practice, this is a blind exchange. You don’t know what you have given up “as payment”. The idea of payment only applies genuinely when the purchased product or service and the related payment and conditions are clear.
Is there anything you can do about this? Yes, there is. You can submit a request for information to ask companies that provide digital services to explain where your data ends up and how it is used. You can also refuse the collection of your data.
Submit a request for information: five key questions
- What data have I had to disclose to the company (contact details, photos, messaging history, for example)?
- What data has been collected on what I do (such as data on the applications I use, data on what I do when I visit a website, location data, search history, browsing history)?
- What data on me has been acquired from other sources (from public data files, advertisers or third parties that collect data, for instance)?
- What conclusions have been drawn about me as an individual, how have I been categorised and what kinds of analyses have been performed?
- How has my data been processed and with whom has my data been shared?
When you submit a request to a service provider, also indicate whether you wish to review all of your data or only data for a specified time period. Also include your contact details in the request. One example of a request for information is provided in the Sitra publication On the trail of personal data, which used test subjects to analyse how personal data moves and is used by digital services.
How can I submit a request for information and to whom should it be sent?
The website of a company or other organisation must specify how a request for information can be submitted. This information is often found in the website section on privacy or data protection. The law states that requests for information can be free-form, so service providers cannot set specific conditions on how they are to be submitted. Public-sector organisations as well as organisations that collect large amounts of sensitive data and monitor people regularly and systematically are legally required to designate a data-protection officer to whom requests for information should be sent.
While there are no special requirements regarding the form of a request for information, you should always submit it in writing so you have evidence of your request in the event of any subsequent problems. Service providers are required to respond to requests for information within 30 days. If a request for information is unclear or particularly extensive, the responding organisation is allowed to take up to 60 days to respond.
When you submit a request for information, you need to verify your identity in order to receive the correct information. The receiving company or organisation is required to provide you with a secure method of submitting verification of your identity. Usually this means using encrypted email.
When you submit a request for information, you should also ask the receiver to acknowledge their receipt of your request. Companies might not do this automatically. As it can take a month for the service provider to deliver the information to you, it makes sense to confirm that the process is under way.
Some services have a function that is only a few clicks away and provides you with basic information on the data collected by the service provider. Nevertheless, it is a good idea to submit a formal request for information by email, as that can provide you with a much more comprehensive picture of the way your data is collected and used.
If there are multiple requests or the requests are complex, the data controller – meaning the organisation that provides the service – can indicate in their response that they need more time to process the requests. If the data controller indicates they require extended processing time, the due date for their response is three months from your original request.
Exercise your rights – it may be beneficial for your use of other services
It is important to understand what data has been collected on you and how much. This way, you retain some control over your data. It is also good to know where your data has been transferred and what conclusions have been drawn from it. It can be useful to see how much data is collected that is unnecessary for the functioning of the service.
From the perspective of services, it is important to determine whether the data they collect is accurate and also whether there is a need to request that the service provider rectify or erase data. You may notice that the data collected is useful for a different service you use. You can also assess the trustworthiness of the service provider by familiarising yourself with the data they have collected on you over time.
As a user of digital services, you have a legal right to ask service providers about your data and its use and to receive an answer from them. You may find more information on Protection personal data – Know your rights website.