The aims of this assignment are:
Your task consists of the two parts described below. For each part of the assignment a separate Homework Vaults will be opened (HW04_analysis, HW04_request, HW04_response). The first task should be submitted by 23:59 on 10 May 2026 in the respective Homework Vaults in accordance with the instructions below. The second task (the analysis) should be submitted in standard time (2 weeks) i.e. 23:59 on 19 April. Both tasks shall be evaluated no later than 18 May 2026.
Contact 2 e-shops of your choice and ask them what data they specifically process about you. The request has no formal requirements, it is based on Article 15 of the GDPR. In case of enquiries with a foreign entity, you can find inspiration here: https://www.mydatadoneright.eu/ (however, please only as an inspiration = use of this tool to generate your request is strictly forbidden). Insert the request and the relevant parts of response of the given administrator (e-shop) separately into the respective Homework Vault in PDF format - HW04_request, HW04_response (please insert both requests/responses for e-shops in one .pdf file divided in two parts using some clear visual separator). If you will not receive a response from an administrator within a reasonable time (10 days), try asking again. If you don’t receive any answer even then, just submit the information about which e-shop hasn’t responded to you to the Homework Vault within the time limit.
When selecting e-shops, please consider their capacity, i.e., try to minimize the burden
(select them randomly, if possible, differently than your colleagues, also select foreign
entities, large entities, etc.). You also have the option of replacing parts of the requests
and responses (XXXXXXrequest.pdf, XXXXXXresponse.pdf) that you do not want to share
(e.g., the name of the e-shop you use, personal information about you, etc.) with strings
(AAAAA, …, XXXXX, YYYYY, ZZZZZ - as pseudonyms, but always using the same string
of characters to indicate the same hidden string). Alternatively, if you do not want to share
the e-shop response, insert a clear justification why (that is relevant in terms of the
knowledge you have gained about the legal framework for data protection). If the e-shop
you have chosen provides with option “get a copy of your personal data stored in
If there is a possibility to get the personal data in an automated way, within the HW04_response, please provide information about what dataset/data was provided to you. If you choose a Czech e-shop, it is possible to have a submission in Czech (and also the communication with selected e-shops can be in Czech).
You can get 1 point for this first part - only the wording of the request will be assessed. The response you get from the e-shop (or the relevant reason why you don’t want to share your answer) is not assessed as it is up to the e-shop.
Choose one of the two examples below and answer the questions. Enter your answers in a separate Homework Vault HW04_analysis in PDF format in the appropriate language. You can get 2 points for this second part - a correct answer including explanation is assessed.
Jste pověřenec pro ochranu osobních údajů evropského online tržiště ShopSquare.eu, které prodává elektroniku, oblečení a domácí potřeby prostřednictvím různých externích prodejců. Obdržíte následující zprávu od registrovaného uživatele:
Dobrý den, na ShopSquare nakupuji už několik let a dosud to bylo v pořádku, ale nedávno jsem si všiml spousty reklam a produktových doporučení, která jsou prostě děsivá – jako byste mě sledovali všude, kam jdu, online i offline. Chtěl bych pochopit, jak je to možné a jaké údaje o mně používáte pro tyto reklamy. Žádám vás o kopii všech osobních údajů, které o mně zpracováváte – a tím myslím opravdu všech, včetně odvozených údajů, metadat a všeho, co by mohlo ovlivnit zobrazované reklamy. Potřebuji tomu opravdu přijít na kloub. Také bych chtěl vědět, odkud jste tyto údaje získali a jak je možné, že používáte údaje, které jsem do svého profilu nezadal, nebo které nepocházejí z mého vyhledávání či nakupování na vašich stránkách. Musíte mi vysvětlit, jak vaše reklama funguje a kdo platí za tyto reklamy na šampon pro růst vlasů, které jsem začal nedávno vídat – rozhodně neplešatím, tohle prostě musíte mít špatně. Pošlete mi prosím kontakty na všechny společnosti, se kterými jste sdíleli mé údaje, zejména na inzerenty. Jo, a už nechci žádné cílené reklamy, pokud ani necílí na mé potřeby, ale jen mě rozčilují… A víte co, pokud mi nedokážete přestat zobrazovat tyto děsivé reklamy, žádám o smazání mého účtu ShopSquare a všech údajů, které o mně máte. S pozdravem, LK
Vyhodnoťte situaci s přihlédnutím k právům subjektu údajů tak, jak je upravuje https://eur-lex.europa.eu/legal-content/CS/TXT/?uri=CELEX:32016R0679 - nařízení GDPR v Kapitole III, rozhodněte o dalším postupu (otázky 1-3) a své rozhodnutí zdůvodněte za využití dané právní úpravy.
You are the data protection officer of the European online marketplace ShopSquare.eu, which sells electronics, clothing, and household goods through various third-party sellers. You receive the following message from a registered user:
Hello, I’ve been shopping on ShopSquare for a few years and it was fine, but recently I’ve noticed a ton of ads and product suggestions that are just creepy - it is like you are tracking me everywhere I go, online or offline. I would like to understand how this is possible and what data about me you use for these ads. Please provide me with a copy of all personal data you process about me, and I mean all, inferred data, metadata and all that could affect the ads, I really need to get to the bottom of this. I would also like to know, where you obtained this data and how is it legal, that you are using data I did not include in my profile or do not come from my search or shopping on your website. You have to explain to me, how your advertising works and who is paying for these ads about hair growing shampoo that I started seeing recently, I am not growing bald, you must have it wrong. Send me please contact on all companies with whom you shared my data, particularly advertisers. Actually, I do not want to see any targeted ads anymore, if they are not even targeting my needs, but just make me upset… And you know what, if you cannot stop showing me creepy ads, I request the deletion of my ShopSquare account and all data you have about me. Best regards, LK
Evaluate the situation, considering the rights of the data subject as regulated by GDPR https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679 in Chapter III. Answer the questions below and explain your answer based on relevant legal regulation.
The name of the documents you submitted with the e-shop request and its response shall be XXXXXXrequest.pdf / XXXXXXresponse.pdf (upload this to the appropriate HW04_request / HW04_response Homework Vault), the name of the document with the answers to the question (assignment part 2) shall be XXXXXXanalysis.pdf (upload this again to the appropriate HW04_analysis Homework Vault). XXXXXX is your University ID number (UČO).