Event date
Event venue
Online
Duration
43m
License Creative Commons Attribution 4.0 International License

We were invited by the Open Knowledge Lab Berlin to talk about our work. Of course we were happy to do so: In this talk, Lorenz gives an introduction to some GDPR basics, explains the basic function of the website and talks about the technical and organizational background of the project.

Material: Slides

Full video transcript (click here to open)

Ok, so let me tell you a little bit about Datenanfragen.de and about the GDPR and privacy. First, just a little bit about me. I am a chairperson of the Datenanfragen.de association. I study physics, not law which is important. So I can’t give you any legal advice and you shouldn’t rely on stuff that I tell you about law and always consult your lawyers. You can reach me a my email. But you can find all of this information on our website as well. So, I’ll try to use simple words but sometimes I think it’s easier to be exact when we use words from the GDPR. So, I’ll try and use some words from the GDPR. Ask, if you don’t understand them. And we also have a glossary for GDPR words up on our website.

So first, I’ll try to give you a short introduction on what the GDPR is for all people who are not familiar with it currently or who just need some more in-depth knowledge. The GDPR is short for “General Data Protection Regulation”. It’s a European regulation which was basically the unification of European privacy law. And it is in force since May 2018. And it’s actually a really, really nice law. That the GDPR is in force is basically the reason why we started our project. Because we realized that there are very, very nice and strong rights which are established with the GDPR and nobody really knew how to use them.

And also, a lot of corporate lawyers just said that the GDPR would be a nightmare for companies and consumers alike because it is so complicated and bureaucratic. One of our favorite things that we found on the internet is someone who basically did the same thing that we did, which is creating requests according to the GDPR. And he wrote a “nightmare letter” for companies, which would be someone really using their right to data access and accessing all of their data, which is what we do. But they say: “That’s a nightmare, that’s actually not possible”. Which is wrong. So, there’s a lot of misinformation about the GDPR and that’s why we do what we do.

So, what are the rights and where are they applicable? So, the GDPR is basically applicable in all countries of the European Economic Area, so the EU and some additional countries and some other places where EU laws applies. And, what’s really nice, is that it is mostly independent from national law. Which makes it very easy for us to just scale to the whole of the EEA by just basically translating and also doing a lot of other internationalization stuff but we don’t need that much internationalization when it comes to law. And, if you’re asking yourself, whether the GDPR applies, where the answer is basically “yes”, but if you really need a definitive answer: The question is: “Is even any personal data processed?” So, that’s the first question that you should ask yourself. And if personal is processed, then either the company or the organization has to be “established” in the EU. So, offices, a store, whatever, in the EU, which is more than just a letterbox. And the other thing are companies which are not in the EU but which offer services to people who are in the EU. They also need to comply with the GPDR. And that’s the very interesting thing and a very powerful thing, that the GDPR brings. So, that basically any company which wants to target European users has to comply with the GDPR. And we can use that to send access requests to Google for example.

Ok, so what rights are the interesting rights from the GDPR. There are quite a lot of them but we’ll focus on three or four rights that are rights for data subjects. So, they are addressed only to you, to individuals. The first and most interesting right is the right to data access which is the right that you can just access all the data that a controller has either stored or generated on you. Which is already a really interesting right which we couldn’t use before. They also need to tell you why they have this data on you and who has access to the data and also, who gave them the data. And, they need to provide it to you portably, which is actually a different Article in the GDPR but you need to be able to port your data from one controller to another. The other right is the right to rectification, which is basically, if something is wrong in the data that a controller has on you, you need to be able to correct it. I think the most interesting application of this is when financial agencies who collect financial data on you and the data they collect is flawed, the calculations they base on that might also be wrong and you have the right to correct it and demand them to tell everybody else. You also have the right to be forgotten, which been talked about in our community for quite some time. The GDPR is now there to establish it in the whole of the EU. So, that’s basically if there is no legal reason for a controller to process your data and also if you don’t consent to the processing of the data, then the data should be deleted. So, that’s also a really useful right that you should always use and it’s very nice to clean up old accounts for example.

Ok so, now we know there are quite a lot of nice rights and we actually can read about them in basically every privacy policy since the GDPR went into force. So, how can we use those rights. And that is the difficult question. Because nobody really knows how I can ask a controller for my data and nobody really knows what I should do to get my data deleted. And the process is actually kind of complicated. So, first I need to know: who is the right contact for me to address? How can I send my email or my letter or my fax—which is surprisingly often the case—to the correct person at the controller and so I have to research who is this person, is it the right person? And after I researched the correct contact, then I have to write a request. Maybe I did this before and I can just copy the request I wrote before. If you don’t know what you’re doing, that is pretty hard. And then, you need to find out: what information is sufficient to identify myself? Because, sometimes you don’t want the controller even more information than they already have. So you need to be careful about that. You need to know the information that they need, so that they don’t illegally send the data to someone else. That’s also hard to know because sometimes they tell you, sometimes they don’t. It’s really hard to know. Then, you need to send your request of course, which is difficult depending on the way you send it: If you send a letter, that is of course significantly more work than just sending an email. And then, most of the time, you don’t get your data right away. Most of the time, the controller will just answer with some, I don’t know, some strange answer that they need more identification information or that they need more time or that you need to be more concrete in your request. Most of the time, this is not even appropriate. They are just trying to delay your request. They are trying to get you to give up. And that is also really hard to do, not giving up and following up. And sometimes, they don’t send you anything at all and then you need to send a warning and tell them “I want my data.”, which is also hard because you need to remember that you need to send warnings. Then, sometimes if you’re lucky, you might receive some data that the controller has on you. Maybe it is like the full dataset, maybe you just get a little bit of data and you know they have a lot more. And depending on what you get, you might want to lodge a complaint or even go to court. So, it’s a pretty complicated process to even just get to your data. If you want to delete your data, sometimes it’s harder, sometimes it’s easier.

So, we saw this challenge and we wanted to change that, which is why we created datarequests.org. With datarequests.org, there still is a little bit of a challenge, currently at least. So, if you want to make a request, you go to datarequests.org and you generate the request. We try to manage all of the rest. I’ll tell you all that we do in a moment. And then, you just send the request. Most of the time, you just send it via email and we do all of the other stuff. Sending warnings and complaints is also easier with datarequests.org. And I’ll tell you how. So basically, we saw this very big challenge to use your rights and we tried to make that easier.

So, what are all the details of how the project works?

So first, we have a database of companies. Currently, we have over 1300 entries in our database. And the database contains all the privacy-specific contact information. So, we really want the contact information of the data protection officer or maybe just a general “privacy@” email address. But we don’t want “support@company.com” because we don’t want to send all our sensitive identification data to any random person at the help desk or something like that. So that’s why we try to collect all the contact information that is privacy-specific. And that’s really hard to find because most of the time, it’s just hidden somewhere in the privacy policy or something.
Then, we need to know what is the required identification information. Like I told you, that is also saved in the database, if we can find it somewhere in the privacy policy. That’s also very hard because sometimes there’s just a wall of text and you need to find the right information. And, what’s also really hard to find but interesting to have in the database are all the other brands or names of a company, or the websites a company is running. That’s to save people the journey of finding the correct company to ask. And then, when somebody requests information from one website, we just request the information from all other websites as well.

We also have supervisory authorities in our database, the “Datenschutzaufsichtsbehörden” in German. And we have contact information and potential PGP keys, so you can send the data encryptedly if you want to complain.

So, the way we save stuff in our database is, like you see in this image, JSON. So, we have a basic JSON file. And we save all of those JSON files in our GitHub repository. And they just sit there in a folder.
And we also have a lot more information in that database. So, we have information on suggested companies, for example, that are interesting for one country.
If you want to suggest a company from the website, that will automatically generate issues, which is very tedious to maintain because then we have an issue and we hand-control everything, so when we have the information, we look at the sources to see if we can find the same information there. Then, we do our own pull request and merge the suggestion. That is quite tedious to do all the time. And I’m lucky that I don’t have to do that because Benni does all that for me.

And we do search. Currently, we do it with Typesense, which is also not that nice because we always have to upload all the files into Typesense when something changes and we are currently trying to switch to Xapiand, which is another search engine but that has been ongoing for quite a while now. So, maybe eventually we will do that.

Ok, we also have templates in our database, which is basically one of the most important things that we do. So, we have texts for different types of requests. The standard request would be the access request, which combines access and data portability requests, because we just have a little checkbox that you can check to make your data portable.
And, we also support rectification requests, erasure requests and direct marketing objections, which would be the kind of request you send when you don’t want to get spam emails anymore.
So, we have files for all of this. They are also mostly translated depending on the language, to German, English, Greek, Spanish, French, Italian, Dutch and Portuguese. And we are still working on that. If you know any languages, please help us. And we want to support the whole of Europe, so every language in the European Economic Area.

Templates are also very simple. They are just a text file that contains some basic formatting and they also sit in the “data” repository. So, that’s all very easy, very, very easy to host to maintain.

We also convert all of those text files to OpenOffice, Word and PDF templates. They are, I guess, the most popular content on our website. So, some people don’t use our generator but they just use the templates that we provide.
And you can also put in custom templates for specific controllers. There are different local laws. For example for the German catholic church. They have their own privacy law because the GDPR doesn’t really apply to them. And then we have custom templates to also request your data from those controllers.

So, the heart of our website is the request generator. And that one just generates requests, like the name says, from the templates.
And you can choose the controller that you want to address. You can input the required identification data, which we suggest in our form. And then we fill in the previously used identification data. And we support different output formats, like a letter, a fax, which is still used, and email.

I’ll try to show you how this looks. But I have to share my screen for that.

Ok, cool. So, the way the generator works is, you just type in the company that you want to request or any other controller, for example “Datenanfragen.de e. V.”. Then you choose the controller that you want to request and then basically, everything is done for you. So, on the side you can see where you fill in your identification data. And we change that depending on the controller and you can choose what type of request you want to send and how you want to send it. And then, that’s it. You just click the “Send email” button and then you can choose if you want to send it with your email program or Gmail or whatever. So, that’s really straightforward but we still think it’s not straightforward enough.

Ok, I’ll try to return to the presentation.

Ok, so the problem that we see with our generator is that we want it to be easy and clean but we also want it to be adaptable and customizable. And that seems like an impossible to solve conflict.
We try to do some of this just by prefilling sensible defaults. So, we fill in your saved identification data every time a new request is done to make it easy to use. But still, everything can be overwritten at any point of time. So, you can just remove identification data inputs or change the text of them, etc. Because we want it to be very adaptable for every kind of case where you want to request your data. But, at the moment, the flexibility of the generator really, on the one hand it’s a strong point but on the other hand, we think it might scare users away.

So, on the technical side of the generator, what is the thing that we are most proud of? It’s that we do everything on the client-side. So, except for the search, everything is handled in the browser with JS. And why do we do that? We want to be a role model for data minimization, which is why we try not to generate and collect any data that we don’t really need and we don’t need the data that users enter to send their requests. So, we don’t even send it to us at all.
So, we don’t want to be responsible for any sensitive personal data. And we want users to be able to trust us or, even better, not having to trust us. So, that they use the generator without any fear that their data gets stolen. A disadvantage of this is that the generator is not as portable. So, if you filled in your identification data in one browser, it won’t port to the other browser, because we don’t know anything and we would need a server to port any information. Doing everything client-side makes hosting very easy, because we only need to host static files and we generate them via Hugo and we serve them via Netlify, except for large static files. Those, we serve through Amazon object storage. And we use JS for everything else. We do the interface design with Preact, which is a more compact and quicker version of React. And we do the PDF generation with pdfmake, which is my favorite JS PDF generation library. And we persist the data with localforage, which mostly persists everything into IndexedDB, I think.

Ok, the request generator on its own is really nice to use but when you want to send a lot of requests, which is very often very useful, because a lot of different entities control my personal data, so I want to request data from all of them. And, if I want to do that, I can use the batch wizard, which is on our homepage. Let me try and, again, I hope it works a little bit better this time.

Now, you can see, here you can add companies from different categories, just by searching. For example, Amazon. And you can add as many companies as you want from our database. And then, just click “Done adding companies” and you’ll enter the wizard mode of the generator. Let’s ignore the tutorial. And then, the generator is simplified a lot and you click “New request” every time, or rather “Next request” every time you want to send a new request. It is very easy to use and you can get through with a lot of requests in a short amount of time. Which is very useful for a lot of different controllers.

We also provide a list of suggested companies for people who don’t even know who has their data. We suggest, maybe those companies might have their data. We use companies that typically have data on people in a specific country. So, those are internationalized. For Germany, for example, one of those companies would be the “Schufa” but also other kind of rating agencies. So we suggest to people, what companies to ask. We prefill the identification data, if you have filled it in once. And we simplify the generator as you could see.

Another feature that we implemented, which is also there to send many requests at once, is the “My requests” feature, which is basically a list of requests that you sent through datarequests.org in this very specific browser, because we save all of in in local storage. And in this list of your requests, you can generate warnings and send formal complaints. Currently, it’s not possible to just export the correspondence that you had but we’re trying to work on that. And you can set calendar events to be reminded of expiring deadlines, so you don’t forget to send warnings or complaints.

And, we also provide informational material, mostly the articles on our website. We don’t have that many English articles at the moment but our German articles have increased in number over the last few months because we worked with the Humboldt University in Berlin and some law students wrote some very nice articles on our German website. If you want to read them, I can recommend them. And the main goal of writing articles is to teach people knowledge of the GDPR because you do need some knowledge if you want to do requests, especially if you want to properly react to responses. Because, if you don’t know how to react, you will give up very easily and we don’t want that. We want as many people as possible to just access their data and use their rights.
We also try to collect some interesting consumer-related developments in the GDPR jurisdictions but we are not the best people to do that. I think the people over at NOYB are much better at doing that. So, we might not be the best source for that. And we also print materials. So we have some flyers that can be ordered for free on our website. So, if you want some flyers for your hackspace or some other place or your parents or whoever, just send us an email and we’ll send you some flyers. And we are working towards having more informational material, more print material. Maybe for schools, which would be one of our goals.

Ok, so that’s basically the technical aspects of our projects. But we also rely a lot on our community and the way we organize it. And we want to tell you a little bit about that.

We founded an association or “Verein” in German, the Datenanfragen.de e. V., and that association owns all the assets and all the money that we need, it pays for everything and receives donations. So you can donate on our website. And we also finance ourselves through membership fees. And the question is: Why did we even found an association? Why didn’t we just do the project privately? The reason for that is we wanted the project to be financially independent from us. And we also get tax privileges from being a non-profit organization in Germany which is also nice and people are more eager to donate if they can deduce that in their tax returns. But that’s just a very small reason.
We really liked the organization to be more transparent. And with an entity that is completely separate from our private lives, that is much easier because then we can just transfer the association if we don’t want to support the project anymore. And we were also able to codify our purposes in the constitution, so that we can’t run away with the money or, I don’t know, suddenly turn into a company. All passwords, files and everything are separate from our private stuff. And that’s also really relaxing because it’s nice to know that we are not always the only people who are responsible.

So, in the community part of the talk, I wanted to tell you where we need some help. Because I guess there are some competent people here and maybe even some real lawyers, which would be really, really nice because none of us are lawyers and we do know a little bit about law and we do know quite a bit about the GDPR but we are not allowed to offer legal advice. And we would really like to offer legal advice or have people check our articles, so that we have the peace of mind that a lawyer checked it.
If you’re not a lawyer, you can still help us. We have a lot of features planned that we need a lot of help with because they are really complicated. We want a generator for responses. So, if you received not your data but just some kind of response from a controller after you’ve sent your access request, it’s really hard to react appropriately and we want a generator where you can basically click “This is what the controller said” and then we generate the appropriate response. And that requires a lot of research and a lot of development. We also want to improve the request management in the “My requests” feature. We want to save correspondence and be able to export all the correspondence, so that it’s easy to send complaints. We would really like some kind of wizard-y experience for the generator. So if you know UX design, we would really like some input on that. We want a straightforward design for the frontpage because we think that it is very complicated and confusing at the moment. We want telemetry, so we can know what users want and for example what companies are requested very often. And we don’t know that at the moment. We don’t want to blindly collect all data but instead collect some limited data with proper consent. We don’t want cookie banners and all of that crap. We are out of ideas how to do that and would really like your input. And we want to support web forms as a transport medium for requests. At the moment you can just send an email but some companies also have web forms on their websites and we want to support those web forms for those specific sites and write some kind of API for that. All of those are quite big features but there’s also small things you can do.

You can write or translate blog posts. Especially at the moment we have a lot of German blog posts that are not translated to English. So, if you want to get on that, please do. We need to translate everything to all languages in the European Economic Area which is quite a monstrous project. But we still want to achieve at least some language coverage. Currently, someone is working on Spanish, I think. If you know any language in the EEA that we don’t support at the moment or if you want to try and maintain one of the languages, we would be really happy.
You can also suggest companies and collect company privacy contact information and add them to our database, which a small and very useful way to contribute. And you can spread the word and get users to use Datenanfragen.de or datarequests.org or any of our other language websites. You can tweet about us and everything.

And if you have any other ideas, any feedback, suggestions what we can do, just let us know. We are really open to it and we want the experience on datarequests.org to be best for everyone, so just tell us.

And now that I told you how to contribute or what to contribute, I’ll tell you a little bit about where to contribute. We have a website for that: datarequests.org/contribute if you want to have an overview.
You can always send your pull requests to any of the repositories in our GitHub organization. If you want to contribute companies, please look at the README of datenanfragen/data which is where our database lives. If you want to contribute code, the best way to start would be datenanfragen/website. And if you want to contribute articles, you can contribute them to datenanfragen/website. Just send pull requests. I think we also have some German information on how to write articles if you don’t know Markdown. Those are also in the GitHub organization.
You can translate small strings at Weblate, which is a translation platform. All links will be in slides that we’ll publish later on. You can send us emails and ask where you can help.
And you can join our Matrix channel if you want to chat with us.

Like I said, email us if you want to stay in touch. You can follow us on Mastodon and Twitter. And you can read our newsletter. We currently only publish our newsletter to members of the association. So, if you want, you can become a member. But maybe we’ll also publish the newsletter for non-members in the future. So, I don’t know, check our website for that. You can subscribe to our RSS feed, where we publish our articles.

Yeah, and that’s basically it. We will publish a recording and the slides on our website. And you can reuse the slides if you want.

Yeah, and now I’ll be open for discussion and questions. Are there any questions?

‘First of all, thank you. I think that was a really nice presentation, a good overview. We are very happy that this project exists. One thing I always wondered about is: How many people are actually at the core of this? Is it just you two?’

At the core it’s just the two of us. I think also Benni does a lot more of the heavy lifting because I am very busy. But at the core, it’s the two of us and there are some maintainers for other languages. So, we have one new maintainer for Spanish now and we also have another maintainer who does French. Yeah, but that’s basically it. Our association is also very small.

‘Yeah, very cool. We’ve been super impressed by how professional everything that you build looks and seems to be setup. I think that is actually a nice thing for us to also look at. Because sometimes we, as Code for Germany, tend to get lost in talking a bit. And you show, that it doesn’t take a lot of people to build something really cool. So, kudos to that!’

Thank you. If you’re interested in how we did the design, we also have design information up on GitHub I think. And we use a lot of publicly available design elements. Just look in our license information.
–Benni: The design information isn’t actually public yet.
Lorenz: Ah okay. So we’ll publish that some time, maybe.

‘Looking forward to that.’

Tobias asked if there is any connection with the Selbstauskunft website. You mean Selbstauskunft.net? No, there is no connection to Selbstauskunft.net. Benni and me, we were both users of Selbstauskunft.net before and started datarequests.org as a project for because we were not entirely happy with Selbstauskunft.net and we wanted a more simple and also more international project. And also Selbstauskunft.net is not really supporting GDPR. So that’s why we did this.
–Benni: Actually, they are supporting the GDPR but in the beginning, when we started the project, it wasn’t exactly clear if they would. So, that was one of the motivations.
–Lorenz: Yeah true.

‘I think it might actually be interesting for you and FragDenStaat to talk a bit because this whole topic of sending requests and then getting back to the institution when they don’t reply and telling them that they do have to reply, this is something that is also a big part of FragDenStaat, so it might be interesting to talk about that.’

Yes, that would be very interesting. Especially because we have no access to any lawyers and it seems that FragDenStaat has a lot more access to lawyers than we do.

‘They do now have at least one lawyer that actually works for them. So this is new and cool and maybe actually, yeah, that can be used for that.

Ok. It doesn’t look like there are any other questions. So, I would like to say thank you again. I really enjoyed the presentation. I think this was a very good first iteration of our remote OK Labs. Yeah, thank you Lorenz and Benni for the presentation and all the work you’ve been putting into this. And I’m looking forward to hearing more and working together with you in the future.’

Yes, if you can get us in touch with people from FragDenStaat, please do.

‘Yes, definitely. They are also in our Slack. I’ll just create a channel so that you folks can talk. I think this is a very good idea.’

Cool. Ok. Thank you for inviting us!

‘Thank you very much. And for everyone else: We will probably come back in mid-june with our next expert talk. It’s not clear yet which topic that is going to be but it’s going to be another interesting open data or open-related topic. If you have any ideas for that, also please get in touch with us and make a recommendation there.
Well, thanks everybody. I hope you still have a good evening and hope to see some of you again next month.’