Fair warning: do not cold-mail me.

When you start a new job, one of the best things is that the spam stops.

For a brief period, all mail is relevant. Truly a beautiful experience.

It’s only a matter of time before the automated mail and sales pitches start rolling in. Maybe you sign up to some service, maybe you’re added to a mailing group…

But some overzealous salespeople seem to have clairvoyance: they know you’ve started at a new company, they know what email address you have…

How the hell do they know?

Well, I don’t know. So let’s find out.

If you cold-mail me at my work email address, I’m going to reply with one of these:

Since I have not signed up for service or derivatives I am hereby requesting access according to Article 15 GDPR. Please confirm whether or not you are processing personal data (as defined by Article 4(1) and (2) GDPR) concerning me.

In case you are, I am hereby requesting access to the following information pursuant to Article 15 GDPR:

all personal data concerning me that you have stored, including any potential pseudonymised data on me as per Article 4(5) GDPR;
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
where the personal data are not collected from the data subject, any available information as to their source;
the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me.

In case you are also processing anonymised data concerning me, please not only inform me about that but also explain the procedure used in an easily understandable way.

If you are transferring my personal data to a third country or an international organisation, I request to be informed about the appropriate safeguards according to Article 46 GDPR concerning the transfer.

[Please make the personal data concerning me, which I have provided to you, available to me in a structured, commonly used and machine-readable format as laid down in Article 20(1) GDPR.]

My request explicitly includes any other services and companies for which you are the controller as defined by Article 4(7) GDPR.

As laid down in Article 12(3) GDPR, you have to provide the requested information to me without undue delay and in any event within one month of receipt of the request. According to Article 15(3) GDPR, you have to answer this request without cost to me.

I am including the following information necessary to identify me:

Name: Jan Harasym

Employer: Sharkmob AB

Email address: REDACTED

If you do not answer my request within the stated period (1 month), I am reserving the right to take legal action against you and to lodge a complaint with the responsible supervisory authority.

Thank you in advance.

Yours sincerely,

Jan Harasym

A copy of this goes to my legal team.

Any responses I get will be posted here.

