Is WeAreDavid the proxy holder of the requester?
The inquiries you receive from your customers using WeAreDavid are direct inquiries to you. Your customers have actively chosen to use the WeAreDavid service to gain insight into the personal data that you may hold about them. WeAreDavid is not a proxy holder and does not enter into the dialogue you have with your customers. WeAreDavid is a communication channel that, unlike email or other unsafe channels, is secure and encrypted. It provides an environment designed for the exchange of sensitive personal data.
I need further information to identify the requester
If you have doubts about the identity of a data subject, you can begin by asking questions relating to the information you have registered on that data subject in your systems. This way you ensure that the data subject is, in fact, who they claim to be. We recommend using the WeAreDavid Service Desk for this. The solution is a free or paid service depending on your demands and ensures a great customer experience.
Where can I find the requester's contact details?
For security reasons, no direct contact data on the subject is part of the request mail. This information is available behind a login found in the mail by the data subject. This minimizes critical exposure for both parties in case of a mail data breach and prevents personal data from being present in emails, which would complicate data extraction later on. From the data subject's perspective, this security level also prevents personal data from being exposed to anyone other than the invited companies.
Does WeAreDavid use two-step email authentication?
Not yet. We are working on it, but for now you have to take the additional steps to secure the true identity of the data subject, just as you do for a request from any other source.
Can we reply to the requester outside the WeAreDavid platform?
It is, of course, your choice whether you want to use the WeAreDavid Service Desk for replying. We respect that you may find other communication channels more convenient for replying. But you have an obligation as a data holder under Articles 15 to 22 - "the controller shall facilitate the exercise of data subject rights under Articles 15 to 22", cf. art. 12(2) of the GDPR. for you to we have made available to you, which you can use free of charge, or if you want to run the communication through other channels.
What is the price for using the WeAreDavid Service Desk?
Depending on the company's needs, the prices for the WeAreDavid Service Desk vary from freemium to paid subscriptions. Any company can participate, no matter its size, branches or technical skills. Find out more here
Is WeAreDavid legally authorized to manage requests?
The authorization WeAreDavid obtains from its users to act on their behalf is legally valid and binding. In particular, we emphasize that no written authorization is required and that the authorization is validly given by electronic communication. It is limited to requesting information on the processing of personal data from companies actively selected, and requested. So a legal obligation under applicable data protection laws such as GDPR.
Some companies are unsure if the request is legitimate
WeAreDavid has provided all companies listed in the app with an initial service announcement detailing how our service works and has offered to provide more information upon request so that companies have the possibility to verify that every single request is legitimate.
Can we ask for a copy of personal ID?
Companies requesting copies of government-issued photo IDs for verification purposes are acting against the guidelines issued by the Working Party 29 of the European Union, which state that if the legal identity has not been validated before, "such verification may not be relevant to assess the link between the data and the individual concerned, since such a link is not related to the official or legal identity. In essence, the ability for the data controller to request additional information to assess one's identity cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data requested."
If you as a company have not verified a government-issued photo ID when obtaining personal data (e.g. when registering for an online account, subscribing for a newsletter, signing up for a loyalty program etc.), then you have no equivalent basis for comparison, and such a request is neither required nor legitimate. Furthermore, asking for copies of government-issued photo IDs to be emailed is insecure and exposes both you and the company to unnecessary risks of identity theft.
Are we obliged to respond to requests?
Companies which control personal data are considered "controllers", and Article 12(4) GDPR explicitly states that "if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy."
Every company decides for itself how it wants to treat its customers and their requests, so it is up to the customers to decide how such company behavior changes the relationship, and whether this is a reason to distrust the company and maybe even seek out competitors.
What if the requester is not an EU resident but would like to know how we are using the person's personal data?
Depending on the applicable data protection regulation, you might not be entitled to respond to this request. It is up to the individual company to decide if and how it responds to the request and whether it wants to treat non-EU residents differently from EU residents. We see a number of countries preparing to adopt data privacy legislation like the one in the EU.
Can we use WeAreDavid to ask for consent?
Sure. When you receive a request in the WeAreDavid Service Desk and share the data requested, you are fully allowed to ask the requester for consent to keep the data, and also to have the requester confirm whether the data you have is up to date.
What happens if we refuse, or we are unable to answer the requester?
If the requester is an EU resident and you refuse and/or are unable to provide an answer to the data request, then you are legally obliged to inform the requester of his or her possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy directly.
Is WeAreDavid secure?
Considering the nature of the data that we are dealing with, security is a major priority. We follow OWASP recommendations, which are considered industry best practice, to make sure that our services are secure. We rely only on trusted providers for hosting the platform; we therefore decided to host our services on Azure, which ensures high availability and offers services that verify data integrity. We ensure that data is encrypted at every level of its transportation, and for sensitive data we use database encryption.
When invited to the platform by a requester you can find the Terms & Conditions before joining the Service Desk. Just use the link in the request mail or you can simply find them here:
What information does WeAreDavid store on me?
Based on your registration with us, we store your profile name, your email address, and your Service Desk role. We store your login password in a tokenized format, which means that it is not readable to us. Based on requests that you handle through WeAreDavid, we store any information submitted as answers from you in an encrypted form. The communication you have with the requester is stored and only the company and the requester have access to this communication. No one can access any of your data in a readable format because everything is encrypted.
How secure is the WeAreDavid Service Desk?
WeAreDavid maintains the appropriate technical and organizational measures to preserve the confidentiality, integrity, and availability of data. All data is handled via secure protocols and is encrypted on every level. Should a data breach happen, the data will be useless to the intruder since it is stored in an unreadable format. In addition, we store only the minimum of data required to provide our services.
What happens if we want to delete our WeAreDavid account?
We would be sad to lose you as our customer, but we also make it very easy for you to do so. Currently, our iOS app allows you to completely delete your account by going to the profile page and pressing "Delete account". The Android version does not yet support account deletion, so we ask users to contact support, who will help with the deletion. Please keep in mind that accounts cannot be restored; once deleted, they are gone along with the requests and corresponding data.