
What authority should I contact in case of GDPR breach? - viyi
After the GDPR came in force, out of curiosity, I thought of mapping the data stored about me. I wanted to create a graph where the nodes would have been the different entities storing data about me; any two nodes would have been linked with an edge if there was data sharing between them.

I started with one low-profile Eastern European webshop I'd previously used.

I emailed them and asked for all the data they had about me, plus a list of the third parties with whom my data had been shared; I also asked for the contact details of those third parties.

Apart from a polite and generic reply I got nothing. So much for going down the rabbit hole.

My question is this: what low-budget tools do I have to force a given company to hand over all the data they have about me? Are there national / EU-wide authorities to whom I can write to complain? (I have no money for legal support.)
======
jakobegger
Oh my god please leave those small businesses alone. That webshop is probably
just a handful of people and they have no clue what their legal obligations
concerning GDPR are. They would probably need to hire an expensive lawyer just
to find out what information they can and should share with you if you start
making trouble. At the same time you expect all this information for free.

If you want answers to your questions, my recommendation is to ask more
specific questions. For example, you might ask them if they share your data
with a credit reporting agency, or if they send email newsletters, etc. That
way it'll be much easier for them to answer, and it's more likely you'll get
useful results.

~~~
mikebos
It's the law (tm); not complying because it would cost money is a very poor
excuse. Besides, some case law would help; the law and guidelines are a bit
vague on specifics.

~~~
quickthrower2
Not really. Comply fully with all statutes across the world and you'd never
get a business off the ground.

------
kostaddin
I assume you are from an EU state. GDPR is valid only for EU citizens, no matter
where their data are around the world. If you are a company (no matter EU or
non-EU) and you have a personal data breach, you should report it to your local
regulator within 72 hours or you risk a fine of 2mln euro or 4% of turnover. I
think one reason Google+ is being closed is that they didn't report a personal
data breach, so they would have to pay 4% of the whole turnover of Alphabet,
which could be billions. In order to be compliant with GDPR, companies have to
encrypt, mask and pseudo-randomize personal data. This isn't possible even for
big companies to get done on time. And on top of this you should have a rigorous
incident management process so as not to miss the 72-hour deadline. I can tell
you that even big companies are not ready.

~~~
kostaddin
If you need more info on GDPR feel free to contact me.

------
oblib
Yeah, I have to agree with jakobegger. viyi doesn't provide any reason or
detail here for his request other than "I wanted to create a graph".

Why start your "graph" by demanding data from "one low-profile Eastern
European webshop"?

Why not start with those companies that we all know collect reams of personal
data?

I can easily suppose a few motivations for that but none of them lead to
"create a graph".

------
mechanicum
Every EU/EFTA member nation is required to maintain at least one "Data
Protection Authority", responsible for supervising data protection law. The
escalation process if a company fails to comply with the law is to make a
complaint to them.

There's a list here: [http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_...](http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080)

~~~
ssijak
And that officer could be one guy doing 3 roles at the same time trying to get
some product up and running.

------
dangerface
Who you complain to depends on what EU country you live in; they have a
regulator you can complain to. In the UK it's the ICO.

That said, they probably won't help you; the complaint is more about them
leaking your PII to a stranger.

If the order was before GDPR went into place, then you are on your own.

If you just want the data, best to just go back to them and politely ask if
there is anything you can do to help them.

