
This is prompted by this question but I am fairly sure I do not have the correct answer so I am making this one.

My personal answer to "How do I get my data from company X under GDPR" is to find an email address and send a Subject Access Request (SAR). To find an email address my first step is to look for a GDPR contact, or any other general contact email, on the contact and privacy settings pages. If that fails I search their website using something like the commands below [1]. For the company mentioned in the other question this method failed, and this is the first time this has happened. I tried googling, and with the help of a website designed for this purpose I found a list of emails. There are none that are obviously suitable for this purpose (dpo@, gdpr@, contact@, sales@) but there are emails that match the executive team on their homepage.

My understanding is that a SAR sent to any member of the company is valid according to the letter of the GDPR. I am quite sure the company does not want to get GDPR SARs via their executive team. In any follow-up the requestor may be looked upon less favourably because of this obviously inappropriate route to make a SAR. On the other hand, perhaps the company will be looked upon less favourably because they made it so hard to find an appropriate email contact.

Would it be within the letter and spirit of the GDPR to make a SAR to the executive team of a large company if those were the only email addresses on the web?

Note they do have a contact form, but email is much better for making SARs. Partially because it takes much less time, especially if one has a template, but most importantly because it gives one evidence of the time a SAR was made in the event one reports the interaction to the authorities.

[1]

# mirror the site; interrupt with Ctrl-C once enough pages have been fetched
$ wget -r https://foursquare.com/
...
^C
# search files only (not directories) for mailto links on the company's own domain
$ find . -type f -print0 | xargs -0 grep "mailto" | grep "foursquare.com" | grep -v "jetpack" | more
Looking through the Foursquare website I can find a physical address, instructions for submitting privacy requests via their apps, and an online privacy portal. This isn't great, but also not entirely unreasonable given the security problems of email. I get the feeling that they don't consider themselves subject to the EU or UK GDPR, which may or may not be correct.
– amon, commented Nov 6, 2023 at 8:03

2 Answers


It seems like you could take screenshots of your submissions on the contact form to retain as evidence of the SAR. And you articulate the relevant considerations quite well, only that you will not be frowned upon by the ICO or county court for submitting SAR via the means that are available. Just because they don’t like it (which you’re right; they probably won’t) doesn’t mean that it is “inappropriate,” legally speaking, or that you will be in any way otherwise prejudiced in the eyes of the law for doing it.

Furthermore you are correct that they would be reprimanded by the law for “making it so difficult to send them a SAR”. All companies and organisations who handle personal data are required to publish a privacy notice wherein the means of contacting their required designated data protection officer are indicated. If they don’t then I think they would be in breach of the GDPR.


A request to exercise the right of access, or any of the Chapter III rights under the GDPR/UK GDPR, may be made directly to an organisation by any means. If you have a customer service contact, you can make your request there. If they have a phone number, you can make your request over the phone. The fact that you don't prefer using an online form is not a reason to go fishing for email addresses, but it would still be valid if you sent it to an "executive" mailbox. The recipient is then responsible internally for forwarding your request to the relevant person or department.

When it comes to disclosing contact details, the GDPR requires a controller to communicate their contact details, but there are no stipulations as to what methods should be disclosed. They may simply publish a postal address, or only a phone number. Not all organisations are legally required to appoint a Data Protection Officer, but if they do, they must also publish the contact details of their DPO, which would usually be in a privacy notice.
