The GDPR letter from hell

This GDPR letter is a worst-case scenario of someone making a GDPR information request under the new regulations.

We recommend studying it, and discussing within your organization to practice and be ready for a worst-case letter like this.

One example of how GDPR can be used as a "weapon" against companies is a social media outreach campaign in which a large number of users are encouraged to send such requests in order to tie up an organization's resources.

Let us know if we can be of help to prepare you for this.

Dear Sir/Madam:

I am writing to you in your capacity as data protection officer for your company. I am a customer of yours, and in light of recent events, I am making this request for access to personal data pursuant to Article 15 of the General Data Protection Regulation. I am concerned that your company’s information practices may be putting my personal information at undue risk of exposure or in fact has breached its obligation to safeguard my personal information pursuant to <latest nasty cybersecurity event or thing in the news>.

I am including a copy of documentation necessary to verify my identity. If you require further information, please contact me at my address above.

I would like you to be aware at the outset, that I anticipate reply to my request within one month as required under Article 12, failing which I will be forwarding my inquiry with a letter of complaint to the <appropriate data protection authority>.

Please advise as to the following:

1.   Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.

a.   In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.

b.   Additionally, please advise me in which countries my personal data is stored, or accessible from. In case you make use of cloud services to store or process my data, please include the countries in which the servers are located where my data are or were (in the past 12 months) stored.

c.   Please provide me with a copy of, or access to, my personal data that you have or are processing.

2.   Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.

3.   Please provide a list of all third parties with whom you have (or may have) shared my personal data.

a.   If you cannot identify with certainty the specific third parties to whom you have disclosed my personal data, please provide a list of third parties to whom you may have disclosed my personal data.

b.   Please also identify which jurisdictions that you have identified in 1(b) above that these third parties with whom you have or may have shared my personal data, from which these third parties have stored or can access my personal data. Please also provide insight in the legal grounds for transferring my personal data to these jurisdictions. Where you have done so, or are doing so, on the basis of appropriate safeguards, please provide a copy.

c.   Additionally, I would like to know what safeguards have been put in place in relation to these third parties that you have identified in relation to the transfer of my personal data.

4.   Please advise how long you store my personal data, and if retention is based upon the category of personal data, please identify how long each category is retained.

5.   If you are additionally collecting personal data about me from any source other than me, please provide me with all information about their source, as referred to in Article 14 of the GDPR.

6.   If you are making automated decisions about me, including profiling, whether or not on the basis of Article 22 of the GDPR, please provide me with information concerning the basis for the logic in making such automated decisions, and the significance and consequences of such processing.

7.   I would like to know whether or not my personal data has been disclosed inadvertently by your company in the past, or as a result of a security or privacy breach.

a.   If so, please advise as to the following details of each and any such breach:

                   i.    a general description of what occurred;

                   ii.    the date and time of the breach (or the best possible estimate);

                   iii.    the date and time the breach was discovered;

                   iv.    the source of the breach (either your own organization, or a third party to whom you have transferred my personal data);

                    v.    details of my personal data that was disclosed;

                    vi.    your company’s assessment of the risk of harm to myself, as a result of the breach;

                    vii.    a description of the measures taken or that will be taken to prevent further unauthorized access to my personal data;

                    viii.    contact information so that I can obtain more information and assistance in relation to such a breach, and

                     ix.    information and advice on what I can do to protect myself against any harms, including identity theft and fraud.

b.   If you are not able to state with any certainty whether such an exposure has taken place, through the use of appropriate technologies, please advise what mitigating steps you have taken, such as

                      i.    Encryption of my personal data;

                      ii.    Data minimization strategies; or,

                      iii.    Anonymization or pseudonymization;

                      iv.    Any other means

8.   I would like to know your information policies and standards that you follow in relation to the safeguarding of my personal data, such as whether you adhere to ISO27001 for information security, and more particularly, your practices in relation to the following:

a.   Please inform me whether you have backed up my personal data to tape, disk or other media, and where it is stored and how it is secured, including what steps you have taken to protect my personal data from loss or theft, and whether this includes encryption.

b.   Please also advise whether you have in place any technology which allows you with reasonable certainty to know whether or not my personal data has been disclosed, including but not limited to the following:

                     i.    Intrusion detection systems;

                     ii.    Firewall technologies;

                     iii.    Access and identity management technologies;

                     iv.    Database audit and/or security tools; or,

                     v.    Behavioural analysis tools, log analysis tools, or audit tools;

9.   In regards to employees and contractors, please advise as to the following:

a.   What technologies or business procedures do you have to ensure that individuals within your organization will be monitored to ensure that they do not deliberately or inadvertently disclose personal data outside your company, through e-mail, web-mail or instant messaging, or otherwise.

b.   Have you had any circumstances in which employees or contractors have been dismissed, and/or been charged under criminal laws for accessing my personal data inappropriately, or if you are unable to determine this, of any customers, in the past twelve months.

c.   Please advise as to what training and awareness measures you have taken in order to ensure that employees and contractors are accessing and processing my personal data in conformity with the General Data Protection Regulation.

Yours Sincerely,

I. Rate

Source: https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis

Discontinuing Skype and third-party chat support

As part of increasing our security and GDPR compliance for the 25th of May deadline, we will be discontinuing Skype as a method of support / chat. It is not compliant with our privacy policies. This decision has been made after talks among our board and legal department.

That is because we cannot fully delete information from our side, or control which personal information is stored on Skype.

From now on, all support info should be directed to support@adminor.net to relate tickets.
For priority support, use the on-call number that we’ve provided or our business number during office hours.
Cellphone / text messages to individual technicians are not monitored for support errands, and all information sent that way will be disregarded for your security.
This applies, for example, to user information, passwords or other critical details that should not be sent over insecure channels.

This will be in effect until we’ve found a suitable and secure communications system for tickets as a complement to emails.

——————————————-
When contacting Adminor via Facebook or similar, please be aware of what content you send to us. Do not send personal information via the chat. There is no option for us to delete it fully on Facebook's servers.

Planned Work Notification / Maintenance 2 December (UPDATE)

On the night to 2017-12-02 00:01 CET STOKAB will perform a Comprehensive planned work in Stockholm. Please note that only services in and connected through Stockholm will be directly affected by this work.
Your affected and PROTECTED circuits are listed below.

Type: Comprehensive
Initiated by: Supplier
Type of work: Maintenance
Location: Stockholm

Additional information:

Our subprovider is rebuilding a major network node in Stockholm.
They need to move 75 fiber cables to accomplish this.
This is therefore a comprehensive work.
Outage for individual client circuits will be from several hours up to 7 hours.
We apologize for any inconvenience this may cause.

Affected services:
ADMINOR DATACENTER HAMMARBY
Note: Services that are marked as PROTECTED at the end of their row are not expected to be affected by this work; otherwise they are affected by this work.

Earliest start: 2017-12-02 00:01 (CET)
Latest finish: 2017-12-02 07:00 (CET)
Estimated downtime: up to 7 hours

If you have any questions regarding this planned work please contact us at support@adminor.net and refer to your customer number and this work notification.

Ubiquiti wireless distribution network in a sparsely populated area

In September I was up in Norrland installing a village network.
The choice fell on Ubiquiti airmax links because of difficult ground conditions (ownership issues, distances & cost).
The cost of the mast installation is roughly the same as what one household's fiber run would have cost if a professional fiber installer had been hired.
The village is supplied by a radio link from the municipality anyway, so the fiber run would only have been local in any case.

With 5G networks around the corner, it is a question of how much effort to put in, something to take a position on when Telia expects sparsely populated areas to get access to it (2025), at which point airmax may also need to be upgraded. 5G networks are meant to give ordinary consumers up to 100Mbit/s broadband via the phone, although it is said at the same time that fiber and alternative connections are good alternatives. So I assume they themselves see 5G as a complement.
Until then there is nothing stopping individual households from burying fiber to the village's internet hub if the possibility exists.
The capacity of the network is built so that households can be guaranteed at least 100Mbit/s in both directions under normal radio conditions even when others are using bandwidth, but if the need exists one can get up to 330Mbit/s up or down, or 165Mbit/s in both directions.
4 sector antennas each cover 90 degrees in their own direction (i.e. 360).
The result so far is 6 households connected via airmax wireless links, plus 2 companies, and at least 3 more households are to be connected. The village's internet uplink to the municipality was also boosted to double the speed.
Our own measurements showed that the old link delivers at most 25Mbit/s (total), while the municipal link we set up in the mast handles up to 100Mbit/s. That is something that can be increased to 450Mbit/s if the municipality uses the new generation of equipment.
As more people become aware of the broadband, more will want to connect, and then the need will be there. It will be exciting to see how it develops.
Weather and wind are a problem that can cause trouble: severe cold and lots of snow/ice in winter, thunderstorms and rain in summer, hot sunny days and more.
But Ubiquiti has a good reputation and has built its gear to withstand this.
Perhaps the need for broadband will grow enough to put pressure on the municipality to upgrade the radio links that supply the village with its uplink. They are, after all, 2 generations older than what we installed for the village's households.

Fibre connection maintenance Hammarby Datacenter

Our fiber provider Stokab has announced service maintenance to expand capacity for KN6 / KK Hammarby.

We’re investigating how it will affect services and how we will re-route traffic.
Our datacenter providers have multiple fiber runs, and so do we.
So we will plan accordingly and update this information as soon as we can.

If necessary, we will migrate critical services to our secondary site prior to the maintenance work.

Each fiber connection should only be affected once.

——————-

Support Information from Stokab
Rebuilding of KN6 site and KK Hammarby
Stokab's site KN6/KK Hammarby will soon be rebuilt in order to increase capacity. Those of you receiving this information will, in one way or another, be affected by this move.

The rebuild will be carried out in several stages within Stokab's service windows starting at the middle of October 2017.

Stage 1
In Stage 1 fibre connections will be redirected and customers will be notified in advance. Fibre connections will be redirected during several service windows but any specific connection will only be affected during one of the service windows.

Stage 2
During Stage 2 cables containing fibre connections that were not redirected in Stage 1 will be re-spliced. All cables will be clipped and spliced during the same service window from 00:00-07:00.

These fibre connections will only be affected by one outage, so if your connections were already redirected then you will not be affected by Stage 2.

The timeline for Stage 2 has not yet been decided but the preliminary date is set to December 2, 2017.

All affected customers will be notified by email according to normal procedures.

Sincerely yours,
Stokab Driftavdelning/Customer Networks Operations