Once upon a time, I was sitting in on some lectures on these topics.

And I realised I should care about these things more, but that I didn’t know a lot about them - or where to get started.

In short, I could pretend that I know about these topics … but below the surface, my relation to these topics looks like this:

So, in order to understand this a bit better and dig deeper, I thought it would be valuable to go through a data request process at my local supermarket.

This would allow me to understand how larger companies deal with data and privacy, in which way legislation is being respected and how ethical these companies are with relation to my personal data.

I chose the supermarket because they probably have the most ‘everyday’ data on me. And thinking further, the potential patterns that could be spotted in my purchasing data could actually be interesting to understand my own life better.

I happen to shop, almost weekly, at Colruyt.

When my investigation started, more or less a year ago, I was very happy to find out Colruyt has a Privacy charter. In fact, it was updated yesterday - when Colruyt launched their new loyalty card.

In the “old” privacy charter, the reference to the data that was being collected was a lot more explicit than the new privacy charter. In the remainder of my talk, I’m referring to my experiences with the _old_ charter.

March 29th, first contact.

I reached out via email, referred to the privacy charter on the website and requested my personal data.

Colruyt got back to me stating that I needed to email them a copy of my passport together with a separate letter requesting a copy of my data. I thought : well this will be easy.

Being a n00b, I then made a critical mistake ..

When writing my request, I remembered something I was once thought at school : natural and legal persons. Mistakingly, I explicitly mentioned I wanted to get a copy of my data as a legal person (or rechtspersoon). Where I didn’t really think it through, and should probably not have made a mention of this at all… I got this reply:

This states that my supermarket does not need to share data with legal persons and therefore will not share anything at this point. Should I request the data as a natural person, there would be no issue in going further with the request.

A little frustration at that point was that I never mentioned anything related to a legal person or legal entity, since I only made mention of my own name and included a copy of my passport. Ah well, seems like this little mistake cause some trouble.

I mailed back and forth a couple of times between may and june 2016, requesting my data as a natural person this time. Again, wrote a letter and referred to the copy of my passport.

Weeks went by, the email conversation died.

During this time, I did force myself into the EUR-Lex maze. And I have to say, this was really interesting. I got to read the April 2016 version of the GDPR, which I didn’t expect to be so readable to be honest. I found out that it does indeed distinguish between legal entities and natural persons, something I will never forget from now on.

It did take me a while to find this, but I did discover the difference between a regulation and a directive, and got to read this in a gazillion languages, which was cool.

But I still didn’t have my supermarket data!

June 29th, I quit waiting and decided to spark the conversation once more by sending a physical registered letter. In this letter, I explicitly referred to the GDPR, since it was around that time that the updated regulation was published.

I stressed I was requesting this as a natural person, and referred to which data I was interested in (all data linked to my loyalty card).

Not too much later, I finally got my data!

Beautiful that this turned out as I expected … the only thing was. The format.

Paper. Really?

A 2cm pile of recto verso printed paper with my Colruyt purchase info dating back to january 2011.

It was what I was after, for sure. But I felt a little guilty that some spent half a pack of paper just to print my supermarket data.

(luckily it was recycled…)

At this point, I thought I fought enough to get this dataset - and did not have the energy to re-request this as a digital file.

So I figured I would attempt to … OCR all the things. And release this whole dataset online for other, real data scientists, to use.

But

My OCR skills could not handle this.

The column titles are at various locations on the pages, the thing would need to recognise columns at all time(s), etc.

Perhaps this is feasible, but at this point I didn’t get a lot further than sharing this scanned sample.

This concludes my little journey. It did show me that GDPR is something people should be aware of, ever since my interest in data privacy awareness has increased a lot - and I hope the next speakers will add on to that too!

Thanks!