Analyzing GDPR Article 15

When the EU General Data Protection Regulation (GDPR) was implemented, I made inquiries to many service providers in accordance with Article 15 (right of access of the data subject) – out of my own interest. In the beginning, the requests had mostly the form of emails. Slowly, more and more service providers integrated functions (forms and so on) in their websites. The data that I requested also changed. At Amazon, for example, there was old data that already existed at earlier times when the request was made. Around that time, Letty and Katharina Nocum gave their talk (video) on archaeological studies in data garbage at 35C3. Curious about what had happened since then, I looked for scientific publications – and found almost nothing. Cookie banners and tracking are considered very often, but not GDPR Article 15 requests.

Based on a bachelor’s thesis and my own study, we gave a current insight into the practice of GDPR Article 15 inquiries and answers at the ARES workshop IWAPS. See also the author’s version on “Smaller” service providers in particular still rely on email and sometimes don’t know how to handle these requests. During the study, some service providers implemented improvements, but we also recognized some patterns that could be viewed negatively. I’m curious to see whether these can be confirmed in further studies.

Unfortunately, the paper by Nils Gruschka and me was accepted at the APF 2023, but has not yet been published. We compared 1) current data extracts from several users, 2) these data extracts with the data protection declaration and 3) old and new data extracts from a user on Twitter/X. We have seen a shift from machine readable (Article 20) to user-friendly and understandable (Article 15). Privacy settings and behavior affected the data received. However, both need to be investigated in future studies, for Twitter/X, but also for other service providers.