Tinder, WhatsApp, online banking, delivery service – keeping an eye on one’s own data traces is hardly possible today. Help can be a data disclosure with companies that have stored information about us. Because we all have the right to request such information. Here’s how.
The data that companies have stored about us can easily add up to a few hundred pages. – CC-BY 2.0 Christian Schnettelker
The story of a Guardian reporter who wanted to find out what information the dating service Tinder had stored about her is currently doing the rounds on social networks. Every day, we use digital communication services or disclose information about ourselves to companies in other contexts. What we users quickly forget, the companies often store for a long time.
This was also the case with journalist Judith Duportail. In the four years she used Tinder, the company collected a full 800 pages of data about her: Facebook likes, photos from her since-deleted Instagram account, the age profile of the men she was interested in, chat logs and much, much more.
More than meets the eye
The company refused with reference to trade secrets and intellectual property admittedly to give concrete details about what the information is used for. For the journalist, however, the information was nevertheless a small step against the loss of informational control. So she learns through her information, among other things, that data-processing companies also derive information through analyses of her behavior, which she has not even consciously disclosed. Privacy researcher Alessandro Acquisti explains the phenomenon of "implicitly disclosed information."
From studying your behavior in the app, Tinder knows much more about you. It knows how often you use the app and at what times; the percentages of white men, black men, Asian men you’ve matched; what types of people are interested in you, what words you use most; how long people spend looking at your profile picture before swiping, and so on. Personal data is the fuel of the economy. Consumer data is traded and used for advertising purposes.
Request data information yourself
So it’s worth taking a look at the commercial data mirror yourself. Anyone who wants to get an idea of what information companies have stored about their own person and behavior can do the same to Duportail in just a few steps. According to European and German data protection law, data-processing agencies are obliged to provide all users with information about the data stored about them upon request.
The Federation of German Consumer Organizations (VZBV) offers a practical sample letter [doc] for requesting information, which you can easily adapt and send out. It can certainly be kept short and informal.
"In accordance with Section 34 of the Federal Data Protection Act (BDSG), I request that you provide me with the following information:" begins the VZBV directly after the salutation. Paragraph 34 of the Federal Data Protection Act makes it possible to ask both what data is stored and where it comes from, as well as for what purpose it is stored and to whom it is disclosed. Of course, if you want to know less, you can also ask for less. Setting a deadline and telling people to contact the relevant state data protection authority in an emergency can obviously be helpful, too.
For information requests to government authorities, the German Federal Data Protection Commissioner offers similar samples for download on its website. The VZBV form also contains a passage with which one can object to the use and transmission of one’s own data "for purposes of advertising or market or opinion research".
After adapting the content, the letter only needs to be provided with your own contact details and sent by post to the appropriate company.
It pays to keep at it
If you do not want to customize and send requests for information yourself, you can also use the service selbstauskunft.net use. After setting up an account, three requests for information can be sent free of charge with just a few clicks per year.
Experience shows, however, that it is not exactly easy for a company to actually obtain one’s own data. For example, they try to fend off inquirers by continually asking questions or referring to data that is accessible anyway (such as the order history at Amazon). But persistence can pay off: Even data protection rebel Max Schrems eventually started with a simple data disclosure request to Facebook.
You have tried it or have had other experiences with the data information service? Tell us about it in the comments!