The Right to Erasure is not absolute. A Controller is allowed (or even required) to keep some of your data in many cases. There are situations where the Right to Erasure doesn't apply at all. It's very easy to imagine a company complying with GDPR and still doing what they described to you (it's still possible they're non-compliant, but there's nothing in the reply that raises a flag to me).
A lot depends on the original Legal Basis for processing. You haven't given us enough context to guess what that is. If the data was originally obtained under the Legal Basis of Consent, then they have to nuke the data from orbit, with a small number of exceptions.
If the data was originally processed under a different legal basis, such as Performance of Contract or Legitimate Interest, then the Controller has a lot more leeway to claim they still have grounds for processing that data. They key phrase is "Overriding Legitimate Interest"--fancy legal talk for "it's really important, more important than your privacy." There's a lot of wiggle room, but fraud detection is explicitly called out in GDPR as an example of a valid Overriding Legitimate Interest. The "responding to questions or complains" is I guess something that they're considering an Overriding Legitimate Interest? That's the only part of their reply I would consider grey.
The Right to Erasure has explicit exceptions for when retaining the record is required by law, which is the "legal, [or] regulatory... reasons" they told you. The Right to Erasure also only requires taking *reasonable* steps to delete data--by and large, people take this to mean that they don't have to edit back-ups (but they do have to take steps that your data is not revived if they restore from said back-ups). This would be the "technical reasons" they mentioned in their reply.
The fact that they said they're keeping a "copy" implies to me that even for the data they're retaining, they're taking it out of their main systems and only keeping it in a restricted set of systems. This is good practice.
https://gdpr-info.eu/art-17-gdpr/
(This assumes that GDPR even applies. You are in the European Union, yes?)
tl;dr Based on the limited information you've provided, I don't have a good reason to suspect that there's a GDPR violation going on.
(As always, don't take legal advice from randos on the interwebs, especially ones who are neither lawyers nor European.)
35
That is a really good and thorny question. The GDPR does definitely not outlaw credit agencies, but it does contain some rules that regulate them (for example, rules on automated decision making in Art 22, which does have some exceptions…).
The GDPR requires that any data processing is done transparently, and requires that all processing has a legal basis. Consent is one such legal basis, but not the only one – a notable alternative being legitimate interest. However, in many situations where a financial institution would share data with or request data from a credit agency, they do ask for your consent first (at least my experience in Germany).
Transparency is a bigger issue. Article 14 regulates information that must be provided to the data subject if data wasn't collected (directly) from the data subject but from somewhere else. It is possible to argue that many data subjects have not effectively received this information, it is also possible to argue that the agencies have made their privacy policies available online for everyone who is interested.
I think this will be an interesting aspect to watch over the next couple of years of GDPR enforcement…
12
This is not a purely household activity, since the group is being used to communicate between the kindergarten and the parents, i.e. a business and its clients. While the group may not be public in the sense that anyone could join, it is not private either.
So yes, GDPR is quite relevant for that group. Likely, the kindergarten/group admins are a joint controller with Facebook.
However, GDPR is likely not the correct avenue to address these pictures. While pictures can be personal data (in particular, if the kid can be identified through these pictures), there are usually more specific laws about pictures, for example personality rights. That the kindergarten is photographing a kid is by itself troubling, even more so photographing a *naked* kid.
But it would be up to the parents of that child to do anything about it. Your rights have not been violated. You have no standing to make a complaint. Your only options are outside of the legal system, for example applying pressure on the kindergarten to tighten up their policies by raising your concerns with the parent's council in the kindergarten, and lobbying other parents to also raise their voice.
12
> I would like to be deleted from and according to the gdpr I have that right, right?
The Right to Erasure is not absolute. They can keep your data if they have an overriding legitimate interest, such as fraud detection, or a legal requirement to retain records. A Right to Erasure request will probably result in *some* data being removed from *some* systems, but not an across-the-board deletion. In some cases a service could legally decide that there is no legal basis for the request and that they don't have to service it at all.
Contact info for exercising your rights as a data subject should be in each service's privacy policy. Contact info may or may not be in the form of an email address. In theory, servicing a Right to Erasure request may require using an online form either to go through the regular authentication flow, or to pull necessary information out of cookies, or something like that. The particulars will depend on the service.
The relevant part of GDPR that you would want to invoke is [Article 17, the Right to Erasure](https://gdpr-info.eu/art-17-gdpr/). Individual services are allowed to request more information in order to locate relevant records or verify your identity; it's probably unwise to put that info into the initial email.
11
If her name legally changed then you are wrong, her password is out of date and she does need to get it corrected; here it is from the UK gov directly - [https://www.gov.uk/changing-passport-information](https://www.gov.uk/changing-passport-information)
You're in the wrong here.
This has nothing to do with GDPR. Airlines are required by law to record the name on the official document, if the official document is incorrect, that is your problem, not there's.
9
> allow freeloaders to use your site for free
Yes - this is how the internet works. You can put up a service, but the current standard is that if someone visits a site it's free.
Also, there's a basic GDPR misconception here. If you use your data to make a chart showing that your product is mostly used by old people, then that's fine. If you use your site about cats to advertise cat-toys then that's also fine.
It's when you pull out someone's address, and then their Facebook page, and start targeting them with reminders about their private browsing history, then that's illegal. And saying to someone they're a 'freeloader' because they don't want you to grab data on what lube they're buying and then sell it to people, along with identification, seems pure petulance.
7
> HTML is not a presentation format.
You're wrong, but this is the sort of thing you might say if you didn't think something through.
> It is a structured sematic language
Now this is blatantly false. Nobody could contrive to say this without acting in bad faith.
> scientific papers transmitted between labs
Have you ever seen the source code of scientific papers? They are almost exclusively written in LateX, or other languages/formats for laying out things on a page. Now, scientific **data** on the other hand is shared in the formats named above (and others).
> Also legal documents do not have a spirit
Another complete fabrication. Ask a lawyer. Any lawyer. Well, not lawyers who are also criminals, but, y'know, any ethical ones.
> you are either in violation or you are not.
Correct. And Valve is in violation. A lawyer alone cannot tell you that, but a lawyer and an expert witness can. Ever seen a HTML page (not an 'example', but a real one) with a valid RDF schema? Well, I have, but only when XHTML2 was still going to be a thing.
> you are talking out of your ass
God it smells nasty around here.
7
*IF* consent is the Legal Basis for processing, *THEN* it has a whole bunch of restrictions on what qualifies as consent, including being opt-in.
**But**
You don't always need consent. You need a Legal Basis. Consent is a Legal Basis. Performance of Contract is another Legal Basis, so is Legitimate Interest, and three other things that aren't as common. If the company uses Legitimate Interest as the basis for processing, then all the restrictions on consent aren't in the picture.
(When consent is not in play, opt-out is basically shorthand for exercising your Right to Erasure and/or Right to Restriction of Processing.)
6
> GDPR is being enforced starting 25th May, but it's in force already.
It was adopted in April 2016, its not "in force", and we are still in the transition period becoming enforced on 25th May 2018. Until that date the 1995 Data Protection Directive is still the primary basis for the legal requirements by each National Government, the UK for example is the Data Protection Act 1998.
6
> I can't tell much from that screen grab, but if it means you can't opt out of whatever data they want to take from you then no it is not compliant.
Seems like it is giving them that option though, by canceling their account. Any further requirement sounds an awful lot like forcing the company to do business with the person when it may not be profitable to do so. How would it not be within the business's rights to just...well...opt-out of that relationship themselves? If you're saying GDPR in fact disallows that, that is terribly draconian and seems destined for ultimate legal failure.
Related question: what if the site offered both the option to delete their account, or they can opt out of data collection and pay a tiered membership fee based upon which data collection they opt out of? Surely the EU cannot force a company to interact with customers with no sufficient quid pro quo to remain in business. This would kill media sites.
6
That is not entirely true. If you can keep it or not depends on what the purpose of keeping it is, and what legal ground that purpose is based upon. E.g. if you keep some of the info for accounting purposes because you are required to do that by law that is fine, but if you keep it just in case you might need it for something at a later stage, that is not ok.
6
The passport is not out of date, it has another 8 years on it I think. Also technically there's no legal requirement to update your passport when you change your name, you're still allowed to travel with it until it expires - you just have to make sure your airline tickets are booked under the same name!
6
There's a lot of confusion and disinformation out there on this topic as the replies to this thread can attest to. The ICO have a great resource [here](https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/) and the commission [here](http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm).
The requirement for consent to set a cookie (or retrieve information from a user's computer) is outlined in the ePrivacy Directive. Note that the ePrivacy Regulation is the update to the directive which is not yet in force. As this is a Directive, local laws may subtly differ. There are however a number of exemptions which is why the ICO do not need your consent for the cookies they set.
The standard for consent is set by GDPR: prior specific, informed, freely given etc.
Note that this is not a lawful basis argument. This is in addition to the consent requirement set out above, although many rely on consent since Facebook and Google have been mandating this as a requirement.
That's why CMPs are a thing now. The problem is most are non compliant as they do not conform to the high standard for consent set out in GDPR.
6
"The law, combined with parasitic no\-win\-no\-fee legal firms, puts website owners at risk of vindictive reporting"
WRONG
5
"Young websites and non-profits cannot afford legal teams. Therefore the risk posed by GDPR is unacceptably high."
This is so true and sad.
5
*From what I understand as a non-lawyer*
The processor is also legally obligated to follow the GDPR. If the controller instructs the processor to follow instructions that may be unlawful, the processor is not off the hook.
The processor should engage qualified legal counsel, not take legal counsel from the controller nor from random people off of the interwebs.
5
Totally out of my depth with this one, but in the name of pursuing an open discourse, Article 13 (1) seems to suggest that the same rights granted under GDPR are preserved in PNR directive 2016/681 (see [https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L0681&rid=4](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L0681&rid=4)) albeit under a different directive. The directive cited in that document seems to have been superseded by directive 2016/680 - "on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA" (see [https://eur-lex.europa.eu/eli/dir/2016/680/oj](https://eur-lex.europa.eu/eli/dir/2016/680/oj)).
​
Section 40 says - "Modalities should be provided for facilitating the exercise of the data subject's rights under the provisions adopted pursuant to this Directive, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and restriction of processing. "
​
I've not got time to go through that document with a fine tooth comb right now, so there may well be another point in there which invalidates what I've found in my quick 2 minute search. I'll take a closer look tomorrow!
​
​
5
'PII' is an American legal term. The GDPR uses 'personal data'. Take a look at [article 4](https://gdpr-info.eu/art-4-gdpr/) to see how 'personal data' is defined.
Not all European personal data is protected. Organizations that do not market to Europeans in any way do not have to follow the GDPR. Take a look at [article 3](https://gdpr-info.eu/art-3-gdpr/).
Perhaps reread my comment if you think I claimed that it only applies to European organizations.
The right to be forgotten is not absolute. An organization might still have a valid reason to keep the personal data. Take a look at [article 6](https://gdpr-info.eu/art-6-gdpr/) and [article 17](https://gdpr-info.eu/art-17-gdpr/).
4
"Hi again! Thanks for writing in about this. I'm afraid we can't grant the request you are making. I have to refer you to our privacy policy which may shed some light on what we do with user data. We are also unable to control how user data such as post submissions, usernames, and comments may appear on search engines. Deleting these things before deactivating one's account helps to lower their relevancy on searches, but we cannot provide more help in that regard.
Please let me know if there is anything else I can clarify for you. Thanks again!"
And my reply
"My understanding is that, as an EU citizen, I have the right to be forgotten under the GDPR regulations which Reddit must comply with irrespective of your privacy policy.
I am explicity stating that I no longer give reddit permission to store, handle or process any data related to me, my account or my e-mail address.
I am going through the process of using shreddit to systematically edit, and then delete all my posts however I am withdrawing consent from Reddit to be a custodian of my data.
Happy to e-mail this to the legal team if more appropriate and CC my DPA.
Thanks"
4
**Scenario:** Alice writes to Bob on FB Messenger: “Sarah Subject's phone number is 01234”. Alice and Bob are using FB Messenger for personal purposes only. Can Sarah Subject exercise her right to be forgotten under GDPR Art 17 to get that message deleted or redacted since it contains her personal data?
I'm using “Facebook Messenger” as an example, but this scenario applies identically to any other messaging service.
**Analysis**
Sarah cannot exercise this right against Alice or Bob since the GDPR does not apply to purely personal activity between Alice and Bob (Art 2(2)(c)).
Sarah may be able to exercise Art 17 against Facebook if she satisfies one of the conditions in Art 17(1).
- (a) the data is no longer necessary for the purpose for which it was collected. Does not apply since FB collected this data for the purpose of facilitating communication between Alice and Bob – and that purpose still holds.
- (b) withdrawal of consent. Does not apply since processing of this data was not based on Sarah's consent.
- (c) objection under Art 21.
- (d) unlawful processing. Does not apply.
- (e) legal obligation for erasure under EU or member state law. May or may not apply, but is out of scope for the GDPR.
- (f) the data has been “collected in relation to the offer of information society services” under Art 8. This article only applies to children.
Art 17(2) applies if the data has been made public, which is not the case here.
Art 17(3) lists further cases where FB does not have to comply with erasure requests, importantly 17(3)(a) freedom of expression.
So the only point that could apply is if Sarah objects to processing under Art 21.
- Art 21(1) provides a general right to object, though this right has to be weighed against other interests. This right only applies when the processing was based on Art 6(1)(e) or (f). Art 6 lists what can be used as a legal basis of processing. Item (e) is public interest, which doesn't apply here. Item (f) are “legitimate interests pursued by the controller or by a third party” though these interests have to be weighed against the subject's interests.
- Art 21(2) only applies to data that is processed for marketing purposes. Doesn't apply here.
**Conclusion:** Sarah Subject may request deletion of personal information in exercise of her rights under Art 17 …
- either if there is some other law requiring deletion (Art 17(1)(e))
- or by exercising her right to object to processing under Art 21 (Art 17(1)(c))
- because the legal basis for processing this data is legitimate interest (Art 6(1)(f))
- but only if her interests outweigh the interests of Facebook, Alice, and Bob.
This can vary on a case by case basis. Without further context, I would expect Alice and Bob's interest in the integrity and privacy of their messages to outweigh Sarah Subject's interest in getting all personal data deleted.
4
> Basically the biggest issue with GDPR, as far as I can see, is that it raises the "legal temperature" to levels that only a large, well-funded organization can withstand. It makes it prohibitively risky to have an online presence without constant access to quality legal counsel of the kind that small players can hardly afford.
It depends how the regulators behave, and based on how they have based in the past they are going to be attempting to get you to be compliant, rather than slapping you with fines.
So real-world, in the UK I would expect the process to be something like
1. Company receives a complaint from user
2. Company talks to host about a fix - if it judges there is a genuine problem and tells user what remedy is being put in place
3. if unsatisfied user complains to regulator
4. regulator takes a view and if there is a problem, contacts company (and possibly the hosting company) with formal guidance on what they are doing wrong
5. Company makes a decision whether to bale on host or fix
6. or company does nothing and risks a fine.
7. If fined customer fined, hosting company loses lots of customers jolly fast.
4
Ah wasn't that definitive. It was more like I painted a scenario ( a hat seller in Denver who happens to get a sale from an EU subject priced in $ and no EU content/marketing etc) would GDPR apply?
Basically was "NO" but " the onus is on the business to decide whether GDPR applies in any situation". There was a bit more after that but the essentials are -
What it means that if you are a business, selling away and delivering worldwide and happen to get sales from EU subjects, then provided you are not profiling, storing in EU, marketing directly etc then you're clear. It doesn't apply.
In a way this makes sense. Otherwise every small (mom and pop) non EU web site or business anywhere would refuse to do any business with anyone in the EU because of the added legal complexity. This way means they get on minding their own business.
4
IF it was not you, they also have to protect PII of that other unauthorized user, as an IP IS personal information. Exposing this other IP IS a breach, not of YOUR privacy but of that other person.
Now if they receive a court order to release that information, they will have to comply, as they will have a legal basis to communicate that information.
4
That's a much more tricky case. I'd assume that here the GDPR household exception would apply. However, I could see a judge deciding that case differently. If GDPR applies then solely because a website or app is involved. If the possibly-breach had been communicated in person or over telephone, the GDPR would definitely not apply: the GDPR only applies if there is automated processing or if data is stored in a “filing system”.
Again, the GDPR is likely not the best way to approach this issue. General personality rights or things such as defamation might be more useful legal instruments.
Of course, legal discussions about a kindergarten group are probably way out of proportion.
4
Yes basically if they need to keep it.
You would probably have to give examples of the kind of data they have.
Generally speaking though certain data like financial transactions such as purchasing something with your card and making an online account with the vendor they may be required by law to keep the data of their customers for a set amount of time (often around 7y). Mostly so the tax people and the law can make sure you or the company are not doing anything shady.
I mean imagine using a stolen card to order products to your address and once it arrives demanding them to nuke your data. They would be facilitating a crime to do so as well as breaking their own legal obligations to keep that data like your billing address and so on.
Responding to queries does not seem like something that would be automatically covered but most of their other reasoning is sound.
4
Yes, unless you have a legal basis on which the company's rights outweigh the data subject's (e.g. contract, legal obligation)
Edited to add: where someone wants to be erased you need to bear in mind other data subject's rights, so redaction might be used where the organisation needs to record the circumstances of, say, an email exchange but not all of the recipients' details.
4
... this is exactly how it works, the precedent you used rely on a text that was modified by the GDPR, thus the precedent lost it's legal base, and would it happened today, based off the new text, the solution would be different.
3
(2)
>‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(7)
>‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8)
>‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Source: [Art. 4 GDPR Definitions](https://gdpr-info.eu/art-4-gdpr/)
3
(I am also not a lawyer) You can track people if you have a Legal Basis for tracking them. Consent is one possible Legal Basis, but there are 5 others you could invoke instead. Legitimate Interest is probably the one you would reach for.
3
* Why does a school even hold medical information? Per Art 9 health data is a special category of personal data, and may not generally be processed except under some narrow exceptions.
* There are likely more specific legal requirements than the GDPR to consider for medical records, this will depend on the law in your country. I would strongly suspect that these laws require doctors etc to be identifiable.
* The GDPR does not necessarily apply in the context of employment as member states may pass more specific laws. So it depends on the laws of your country to what degree a doctor has privacy rights for doing their job.
* The personal data released for a DSAR “shall not adversely affect the rights and freedoms of others”. If no more specific rules apply to the records and the data controller concludes that keeping the names would adversely affect the doctor's rights, then the names must be redacted. I think it is very rare that someone's name could be redacted just for doing their job, unless that information being known would put them at risk. So while I would understand such redactions for police officers that may be at risk of retaliations by violent criminals, I don't think that would apply to doctors.
* In conclusion, you should likely keep the doctor's names.
3
**Personally identifiable information**
Personal information, described in United States legal fields as either personally identifiable information (PII), or sensitive personal information (SPI), as used in information security and privacy laws, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. The abbreviation PII is widely accepted in the U.S. context, but the phrase it abbreviates has four common variants based on personal / personally, and identifiable / identifying. Not all are equivalent, and for legal purposes the effective definitions vary depending on the jurisdiction and the purposes for which the term is being used. (In other countries with privacy protection laws derived from the OECD privacy principles, the term used is more often "personal information", which may be somewhat broader: in Australia's Privacy Act 1988 (Cth) "personal information" also includes information from which the person's identity is "reasonably ascertainable", potentially covering some information not covered by PII.)
European and other data protection regimes, which centre primarily around the General Data Protection Regulations, the term "personal data" is significantly broader, and determines the scope of the regulatory regime.
***
^[ [^PM](https://www.reddit.com/message/compose?to=kittens_from_space) ^| [^Exclude ^me](https://reddit.com/message/compose?to=WikiTextBot&message=Excludeme&subject=Excludeme) ^| [^Exclude ^from ^subreddit](https://np.reddit.com/r/gdpr/about/banned) ^| [^FAQ ^/ ^Information](https://np.reddit.com/r/WikiTextBot/wiki/index) ^| [^Source](https://github.com/kittenswolf/WikiTextBot) ^]
^Downvote ^to ^remove ^| ^v0.28
3
> ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
I understand that here you do have access to the data, it's just that you are not processing it yourself. You collect it using the SDK and then you decide that its purpose is to make ads targeted, sending it using the SDK also to be processed. If that's true then you are the data controller.
If you are not sending through you app any data to google then you don't need to comply because the personal data is collected and processed by google but I believe that's not the case.
3
> Here is the transcript from our account. I get that a company can rely in legitimate interests but it doesn't seem right that they still have an opt-out to me?
GDPR's requirements around opt-in vs opt-out only apply when Consent is the legal basis. If Legitimate Interest is the legal basis, then none of those requirements apply. It would be polite and moral for a company to use opt-in under those circumstances, but it is not a legal requirement. In effect, opt-out is a way of exercising your Right to Object or Right to Restriction or Processing, rather than a requirement for the legal basis of the processing.
3
1) it's not correct to say that the representative "should be in the country where you have the greatest exposure ". The representative just needs to be in an EU member state where there are data subjects. It might be good common sense for the representative to be the country with the main establishment but that's not a requirement.
2) On language, there is no legal requirement for the representative to be able to communicate in the given language but I'd suggest it's a good idea. For example, if nearly all of a company's EU business is in France, it's surely helpful to appoint a representative who can communicate in French. (But no, it's not a requirement)
3) It's true that "occasional" is not defined. Similarly "large-scale processing of special categories" is not defined either. (How much is needed before it becomes "large-scale"?) I guess we're waiting for some clarification from the EU or a regulator or some actual legal cases. BTW the word "occasional" appears throughout the GDPR text. It's never defined anywhere. Standard advice is to conduct a risk assessment, a DPIA, consult with legal team and document accordingly. And in my view, err on the side of caution.
4) In my view, it's only ONE representative that's required although you will find articles online arguing that multiple representatives are required based on some very odd reading of the text. I don't agree with such views at all. I think the regulation is pretty clear that it's just one representative but I don't think the regulation prevents you appointing more if you so desire.
Generally, when it comes to Representatives, it's a somewhat uncertain area because it's all so new. I wouldn't step too far into without legal advice.
2
And tell me, how will the EU make a US company go out of business? You really think that the US courts will help enforce this bad of a law? Believe it or not, there is still some sensibility in the US court system. Anything that's this much of a threat to online innovation would not be enforced. It would go against US Communications Decency Act 230, and if anything, is a threat to the freedom of speech (with the right to erasure). I think that over time, case law will show that the law does not follow the consumer. Same idea as a US resident going to a Canadian bar. Does the US legal drinking age apply to that Canadian bar? No. Do the US constitutional rights such as the 2nd ammendment apply to US citizens travelling in Germany? No.
This totalitarian law will have absolutely z e r o enforceable impact on American companies that have no buildings in Europe. The only reason Facebook, Microsoft, etc are following it is because they were forced into it when they added an Ireland headquarters to evade high US taxes. And now we see where that got them, stuck in the middle with these totalitarian laws.
There needs to be a balance between protecting innovation and the light-touch framework of the internet, and protecting *actually sensitive* (bank accounts, ssns, etc) information. Totalitarian laws like the GDPR breach both the boundary of that light-touch framework balance, as well as a good small definition of what sensitive information actually is.
There is a huge problem when you have laws like the GDPR and governments like the EU trying to be that much of a threat to foreign companies. If you don't like a service, don't use that service. There's a reason that I don't use Skype. But I'm not going to want to force all sorts of laws on Skype because I don't like them.
2
"A LEGAL PRINCIPLE **ANY COMPANY THAT IS BREAKING THE LAW CANNOT DEFEND THEMSELVES AGAINST THE LAW THEY ARE BREAKING."**
Excuse me?
2
"The Data Protection Act is already set up to accommodate Brexit and replaces all of the references to EU organisations and bodies in the GDPR with their UK equivalents."
I'm not sure what you mean by accomodates Brexit.
References to the GDPR appear 758 times. It does not so much stand on it's own but references EU law in a lot of places.
The ICO explained it like this:
[https://ico.org.uk/for-organisations/data-protection-act-2018/](https://ico.org.uk/for-organisations/data-protection-act-2018/)
"What is the difference between the DPA 2018 and the GDPR?
The GDPR has direct effect across all EU member states and has already been passed. This means organisations will still have to comply with this regulation and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country. One element of the DPA 2018 is the details of these. It is therefore important the GDPR and the DPA 2018 are read side by side.
[http://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga\_20180012\_en.pdf](http://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180012_en.pdf)
Just starting at the beginning will show it refers to multiple European laws:
"“The data protection legislation” means—(a)the GDPR, (b)the applied GDPR,(c)this Act,(d)regulations made under this Act, and(e)regulations made under section 2(2) of the European Communities Act1972 which relate to the GDPR or the Law Enforcement Directive.(10)“The GDPR” means Regulation (EU) 2016/679 of the European Parliament andof the Council of 27 April 2016 on the protection of natural persons with regardto the processing of personal data and on the free movement of such data(General Data Protection Regulation).(11)“The applied GDPR” means the GDPR as applied by Chapter 3 of Part 2.(12)“The Law Enforcement Directive” means Directive (EU) 2016/680 of theEuropean Parliament and of the Council of 27 April 2016 on the protection ofnatural persons with regard to the processing of personal data by competentauthorities for the purposes of the prevention, investigation, detection orprosecution of criminal offences or the execution of criminal penalties, and onthe free movement of such data, and repealing Council Framework Decision2008/977/JHA."
Very much refers to European law and does not stand on it's own, you could look at almost any page:
"21Processing to which this Chapter applies(1)This Chapter applies to the automated or structured processing of personaldata in the course of—(a)an activity which is outside the scope of European Union law, or(b)an activity which falls within the scope of Article 2(2)(b) of the GDPR(common foreign and security policy activities)"
2
"This status code indicates that the server is denying access to the resource as a consequence of a legal demand."
I dunno. It's not a legal demand. They are choosing to to avoid issues, the RFC seems to suggest it's when you are forced to for legal reasons. Seems like a grey area.
2
(From a position of ignorance - not read this updated guidance and I've largely ignored the GDPR stuff in as far as it goes for CCTV - having installed stuff prior to May and followed the old CCTV code of conduct, but for encryption - an encrypted file system may be a simple shortcut if you're using a non-proprietary system. (And do those proprietary systems comply with GDPR?)
Privacy expectation possibly is not relevant: If people can be identified from the images, then it is personal information and the electronic storage of it would seem to gel with the GDPR principles. (That said, I have no idea how crowd scenes on TV or news footage works)
Lots of things about GDPR are still up in the air. Much guidance is ultra careful until precedence is established. I think the main trick is to keep your head down and not be the case that forms said precedence. ICO did say the first year of GDPR was not going to be one of prosecution - more of guidance and adaption as everyone gets in line. I'd guess that most companies are still not fully compliant at every level.
For the legal - is it not said that if it is writ large - then it must be done, or thy arse will not be covered?
(That said, the ICO's site is generally fairly clear)
2
(I am not a lawyer and this is not legal advice.)
Basically, as already answered somewhere else here, you are neither a data controller (ie your customers) nor a processor (the webhosting company). Now, if your company provides hosting services, then you become a data processor. In that case, your contracts with them should be revised, and includes the mandatory clauses required by GDPR. As a processor, you will be held responsible if you don't comply and ensure that your contracts with your customers cover the required contractual info protecting personal data.
2
(I am not a lawyer)
I think the relevant part of GDPR is [Article 13](https://gdpr-info.eu/art-13-gdpr/), section 3. This covers the scenario of "I collected data for one purpose, and I want to use that data for a different purpose." Basically, you have to notify the data subject what you're doing.
If you've read around the internet for discussions about GDPR, you may have seen the phrase "consent is specific." Now, if you're using Legitimate Interest as your legal basis, you're not dealing in consent, but the same idea still applies to other things. The rights of the data subject are *specific to the use of the data*. When a user consents to you collecting their address, that consent is only valid *for a specific purpose* and other uses are not ok. The data subject has other rights, like the Right to Transparency: they must know what data you collected from them, what you're doing with it, and what rights they have. And the Right to Transparency is *also* specific: the data subject must be informed not only of what data was collected, but what purpose it is being used for.
You fulfilled the data subject's Right to Transparency when you provided them with a Privacy Policy when you collected their data (you did, right?), which explained what you use their data for. If you use that data for something not covered in that policy, then you violate the data subject's Right to Transparency. The solution is to be transparent: take reasonable steps to make the data subject aware of new processing that you are doing with their data.
This is assuming that the new processing is otherwise on the up-and-up, like having a valid legal basis and whatnot. Since you mention Legitimate Interest, someone's probably thought about already so I won't weight in. If either the original or new processing activity is based on consent, things probably get sticky.
2
(IANAL)
Processing activities must be related to Business Activities. Each Business Activity needs a Legal Basis. The same processing activity may relate to multiple business activities. Processing activities can be many-to-many with business activities, but business activities are generally one-to-one with a legal basis. So to answer your question, yes a processing activity may be covered under more than one legal basis, if it relates to more than one business activity.
So in your case, you would probably need to track which email addresses have given consent for marketing emails and which have not. For emails that have not given any consent, you can still process them for business activities that are justified under a different legal basis (barring invocation of Right to Erasure or Right to Object).
You will probably need to keep track of which emails are associated with which business activities, especially if those activities have e.g. different retention policies.
Note that for the forms described in point 2), you may be able to use "performance of contract" as the legal basis instead of legitimate interest.
2
(If they offered a service, and you paid them for that service, there definitely was a contract at some point – I just don't know whether it is cancellable and whether it was cancelled.)
If you made even one payment they are legally required to store accounting records. Their right to store other data ends with the contract, but as explained it is unclear when that would be.
2
[Here's the ICO's guidance](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/what-is-personal-data/what-is-personal-data/). The VAT number of a sole trader would be personal data because identifying the business is the same as identifying the person, but the VAT number of a limited company identifies a legal person.
The weird case would be a limited company with a single director and shareholder. The VAT number identifies the company as a legal person, but it's trivial to combine that with data from Companies House to identify the director. Practically, it's the same as a sole trader's VAT number. But the ICO says that data relating to a company director is only personal data when it "relates to them as an individual rather than as the representative of a legal person".
2
[https://www.facebook.com/legal/terms/page\_controller\_addendum](https://www.facebook.com/legal/terms/page_controller_addendum)
I'm interested to hear your thoughts.
2
**Questions 1:** My company ([Phusion](https://www.phusion.nl)) is an independent software vendor of about 10 people. We have a very engineering\-heavy culture. A major part of our compliance process involved analyzing our systems, and so software developers did a lot of the work. Figuring out what data our systems process, documenting these activities and thinking about whether we can improve upon anything.
**Question 2:** We didn't experience any pushback on seeking compliance. A core value in our company culture since its founding days is to follow laws properly, whether it be tax law or GDPR or whatever. We're a small company so there are no political games.
**Question 3:**
*What helped:* since my company has an engineering\-heavy culture, we've always applied what I call "no\-nonsense good practices from the point of view of a software developer". Software developers tend to be skeptical towards marketing\-y and sales\-y things and tend to care more about privacy than the regular population. We already hated things like dark patterns, adding people to a mailing list without their consent, adware and spyware, etc. It also helped that I, being a developer and CTO, am fairly paranoid about security. I am always worried about security incidents and I am always proactive in thinking how to improve security. These values align extremely well with GDPR. [At the end of the compliance process, it turned out that we didn't actually have to change much](https://blog.phusion.nl/2018/05/25/what-the-gdpr-means-for-passenger-enterprise-customers/).
It also helped that during my university days, I had taken a course on IT law. This helped me understand legal stuff better. As a startup founder, I am personally involved in a lot of contract reviewing work, so combined with the IT law course I've learned over the years how to read and approach legal documents and concepts.
*Additional challenges:* for us, I'd say none. Don't get me wrong, the GDPR did introduce new concepts and new things to learn, and learning them took a while. But I would not say they are *additional* challenges: they are challenges that were already present anyway no matter our background. But I think that for most companies who don't have a dedicated legal team, the lack of any legal knowledge would make it hard to understand the GDPR. I would recommend people to take short (IT) law courses in order to set a foundation for thinking.
**Question 4:** Unknown unknowns are by definition not knowable. :) But maybe that's not what you meant, so see my answer to question 5.
**Question 5:** We first check the definition of legitimate interest according to our local data protection authority. Then for each processing activity, we check whether the definition could be applied to that activity. If we are not sure, we consult our lawyer.
This still opens up the possibility that we've misinterpreted the definition, and that we applied legitimate interest where we shouldn't have. We plan on hiring an auditor, but they're very busy this time of the year because everybody waited until the last moment to become compliant.
In any case, we plan on being reasonable and good actors towards data subjects. Suppose we send a cold reachout email to someone we haven't had a prior relationship with (allowed according to the legitimate interest definition). If that person objects we'll simply not bother that person again.
**Question 6:** the GDPR does not apply to small\-scale private life contexts. For example having a list of attendees for your birthday party is fine. Source: [Handbook GDPR, compliance in practice](https://ictrecht.nl/boeken/handboek-avg-compliance-in-de-praktijk/).
I also don't think data protection authorities will pay a lot of attention to small/hobbyist niches as long as you're not doing anything weird. For example, in [a recent news article](https://www.telegraaf.nl/nieuws/2060904/niet-meteen-boetes-bij-nieuwe-privacyregels), the Dutch data protection authority said that they will never check "every bakery and butcher around the corner", not even if they become 3 times as big as they are now. In the beginning they will focus on other government agencies (because they should be role models) and on the healthcare sector (because of the especially sensitive nature of the data).
2
\- Yes, audio and video recordings of someone fall under personal data.
\- This depends on the use. Consent is not the only legal basis under which you can store personal data. For a movie, you sign a contract with the people in it. This includes giving the movie producers the right to use their face and such in it. That can not be easily revoked afterwards.
\- You need to comply at all times, only not for personal and household activities. Emails are personal data, yes.
\- No, if you are a small business, you do not need to hire a separate data protection officer. As the person running the business, you do need to be aware and implement the things required by GDPR in your products if they apply to you. No, blocking EU users is not the best choice. If you are not targeting EU users, you do not have to care about GDPR. So if you are a little store in the US only shipping your products in the US, you can just ignore it all.
Yes, the media is doing a terrible job at informing people and you see a lot of hyperbole, fear mongering and misinformation.
2
\(I’m not your lawyer. This isn’t legal advise.\) I’d assume the commit contribution data would be covered by the code project’s license as part of the code contribution. Open source licenses include language about the distribution of the code and project. So there is a legitimate legal purpose in storing the data.
2
\> Your post is a mess.
\> Your piece is a mess.
There may be errors but we spent two weeks researching everything that was written here and are open and available to correct specific issues.
​
\> Cookies are covered under the ePrivavy Directive (2002) and only bear the GDPR requirements for clear and unambiguous expression of consent for their use.
In no way does the post imply otherwise, please quote the exact section that you found is implying something else.
​
\> DON'T email data subjects from a mailing list to ask for consent because if you don't have any of the *six* legal bases to email a data subject then you are in breach by sending the email.
The blog doesn't say you NEED to send an email, it says you MAY have to. Still I think we should be more clear about this point.
​
\> Take it down because your article is spreading incorrect and incomplete information.
We are looking to correct anything that is wrong. I know that everything there is mostly correct because I read a lot of the laws myself straight from their source. If there are any issues we will work on correcting them with urgency.
​
\> don't give advice if you obviously have no clue of the subject matter
In no way did we do that, this is a topic we thoroughly researched by reading the laws themselves. With everything you said, I think you pointed out an areas or two that we could be more clear about but in no way is it wrong.
​
2
>
>
>Article 37 is about the conditions for processors/controllers to name a DPO.
>
>‚Äã
>
>Article 27 gives more detailed information about appointing a legal representative in the EU if processor/controller is outside of EU.
>
>‚Äã
>
>[https://gdpr-info.eu/art-27-gdpr/](https://gdpr-info.eu/art-27-gdpr/)
>
>Where [Article 3](https://gdpr-info.eu/art-3-gdpr/)(2) applies, the controller or the processor shall designate in writing a representative in the Union.
>
>‚Äã
>
>So stop talking shit. Nowhere in GDPR says that the legal representative should be the DPO.
>
>‚Äã
>
>PS: I am a certified DPO.
>
>‚Äã
>
>‚Äã
>
>Edit: Just to explain the difference between DPO and legal representative.
>
>‚Äã
>
>The DPO can't be held responsible for GDPR compliance in a company, the company itself is responsible. GDPR explicitly states this. However, according to the Article 27:
>
>The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.
>
>Hence, why the DPO can't be a legal representative.
​
The law states that a DPO must exist in the European Union according to Article 37 when the certain conditions are met. Hiring a DPO in the European Union means that you have an established legal presence within the European Union, effectively creating a European Union "branch." This puts you in the enforcable scope. I never said anything about the EU going after the DPO themselves, rather having a DPO effectively gives your company an actual presence within the EU. In fact, I explicitly stated that "the European branch could be found in violation ***depending on how the transfer of data works.***" Obviously, the DPO themselves does not transfer the data, and would not be held directly liable. But having a DPO puts your company directly within the EU's jurisdiction, as you're now employing within the European Union. Are you that blind? Are you actually a certified DPO? Or do you just play one on ~~TV~~ Reddit? Or did you just choose not to fully read what I was saying?
2
> A processor acts on a controller’s written instructions
Not *quite* always true.
Where there is a controller/processor contract then it must state that the processor only acts on the controller's written instructions. Of course, where there exists a controller/processor relationship there *should*, by law, be a controller/processor contract. So you'd be quite right to say that in a legally-compliant controller/processor relationship the processor acts on the controller's written instructions.
But, of course, the law requiring something be put in place when a particular relationship exists is no guarantee at all of that thing actually being put in place when that relationship exists. A controller/processor relationship could arise as a result of verbal instructions or agreement. The fact that there aren't written instructions or a contract doesn't mean that there isn't a controller/processor relationship, it just means that both the controller and the processor are breaking the law by not putting the required contract in place.
2
> EU citizens data now has a variety of protections. If your organization has personal data of EU citizens, this applies to you.
Not EU citizens specifically but any EU resident. (According to legal advice from large organisation I work for)
2
> Her employer is not a data processor or controller.
Why not? The agreement covers situations where she would give out personal information of customers of that business. Doesn't that make the business a data controller or processor? Otherwise she wouldn't be able to learn that information.
>(8) ‘processor’ means a **natural** or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
2
Data subjects have various rights under the GDPR:
* if they *object* to further processing, their data must be marked to prevent the objected processing from happening. However, the data is still around.
* if they *request erasure*, the data must be deleted without a possibility of retrieval.
Where personal data is merely marked as deleted, that is still personal data in the sense of the GDPR and is not really deleted. So the data subject rights like access would still apply.
If a social network were to merely mark content as deleted and not include it in their responses to a SAR, that would be a pretty blatant GDPR violation – but quite difficult to prove as well.
The argument “nothing on the internet is ever forgotten” comes in two flavours:
* the service is untrustworthy and will mislead users for profit. Difficult to prove and obviously illegal.
* sharing content with other people makes it difficult to control the content, e.g. it could be downloaded, archived, screenshotted, …. This is unrelated to GDPR concerns.
If you were to make a subject access request to Google I doubt you would get your deleted emails, because I personally believe they are not *that* untrustworthy and will actually delete an email if you instruct them to through their user interface. The exception being if your Gmail account is under one their enterprise offerings, in which case any emails might be retained in your organization's Vault for compliance purposes.
2
I'm not sure if a geo-block will necessarily get a pass if brought to court.
A VPN is a perfectly legit approach for privacy interests, it's not necessarily in use for illegal purposes or to circumvent anything. In fact when the user visits your site for the first time, it may be when they're on a VPN. If the geo block was the only means of communicating a disinterest then it's really not any different for a Data Subject in this case..
A user may not even be aware of a VPN in place, but someone else in the residence had setup the VPN at the router level to protect less technical users privacy.
There would need to be other efforts to be exempt I think, but the geo-block may at least reduce exposure to users within the EU.
You could have a banner pop-up that let's the user know that you're actively not interested in EU users, or during sign-up for an account to be explicitly against EU users(in some cases you may get their consent to forego protections of the GDPR, but it's not a full waiver).
I've had a lengthy discussion about this recently, and I cannot unfortunately defend exemption from art 3.2.b like I could 3.2.a.
I looked through the GDPR fairly extensively trying to see how a business could be exempt from it, but for that particular condition, it doesn't appear that you can if you perform any monitoring / profiling that links to activity within the EU. I think recital 24 played into it. Possibly 26 and 30, hard to recall specifics off top of my head.
If there is anything in the GDPR you can point where that wouldn't apply that'd be neat, I don't think it mentioned if the controller's knowledge of where 3.2.b applies to a Data Subject was required.
If found in violation, you'd need to comply, else the EU can attempt enforcement via government co-operation afaik.
2
One clarification here...they are anoning the data UNLESS there is legal reason for retention (taxes, criminal investigations, business need to keep bad actors off platforms).
2
Plus a legitimate interest assessment if that is the legal basis used
https://ico.org.uk/media/2258435/gdpr-guidance-legitimate-interests-sample-lia-template.docx
2
Quoting British ICO on ePrivacy:
*In compliance terms this difficulty arises because although the person setting*
*the cookie may think that there is an inference of consent, without information*
*being given to the user, it is unlikely that they will understand that they are*
*giving any sort of agreement.* ***This remains the case if information is provided to***
***the user but only as part of a privacy notice that is hard to find, difficult to***
***understand or*** `rarely read`***. This is why the “do nothing” approach is not enough.***
*The understanding is all on the website operator’s side and the user “giving”*
*consent is unaware that their actions are being interpreted in this way. The user*
*is not informed so in the context of the Regulations, this is not valid consent.*
​
You can use legitimate interest. But...
*You should avoid using legitimate interests if you are using personal data in ways people do not understand and would not reasonably expect, or* ***if you think some people would object if you explained it to them****.*
It is your job to justify the legal basis in the privacy policy. In my opinion it's easier to use consent.
2
Recital 24. In the context of a website where third parties display ads. The Data Controller(Website Owner) is not in the possession of any personal data for tracking or profiling a natural person. The Data Controller, makes no decision or predictions specific to the Data Subject, and in no way explicitly targets Data Subjects.
In the context of a website where third parties display ads. Anything where Recital 24 applies with the prior paragraph in mind, is specific to that ad vendor and what they do with any personal data sent from the Data Subjects browser/client to that third party vendor. Even if the Data Controller were in possession of the personal data that the third party receives, that is not something the Data Controller can use to identify a Data Subject's identity in accordance with Recital 26.
For further consideration, like an IP, an identifier while related to a Data Subject for purposes such as tracking and profiling, is not capable of identifying a natural person unless in the possession of additional information. If it's a mere cookie ID that is stored within a browser, multiple users can be involved in a single session, this cookie does not persist across browsers and other devices in such a way that a vendor can identify a Data Subject with absolute certainity without it or other information, which may then require building a new profile until that profile is a clear match to an existing profile and can distinguish that they are not representing separate natural persons.
The Data Controller in this case is not directly collecting personal information and passing that onto a third-party vendor to process, nor is the Data Controller able to identify under Recital 26 the natural person's identity. The third-party vendor is requested to serve ads, if it is tracking a Data Subject and creating behavioural profiles of personal data, they are at fault. Otherwise you might as well bring the Server provider and ISPs involved who also indirectly enable such an activity and have more data to identify a natural person than a Data Controller may in this particular case. Nor is the Data Controller to be considered profiling or tracking a Data Subject's online activity and behaviour in regards to serving ads through a third-party vendor.
Taking Recital 23 in regard, this is about websites that are clearly not targeting the EU, they are not within the territorial scope. Hopefully I have made it clear that Article 3.2(a and b) do not apply to this business example.
Further drilling into the topic, if such a website requires an account registered to utilize / interact with the service, Article 22.2(a and c) can take explicit consent from the Data Subject to reduce any protections they may have been be afforded otherwise.
Article 11.1 also makes it clear that in regards to activities such as serving ads, the Data Controller whom does not actually keep any personal data record to serve those ads, and has no involvement in exercising a Data Subject's rights, such as the right to erasure. There is no related data or requirement for the Data Controller to store any to assist the Data Subject with whatever activities a third-party is doing with data that the Data Controller is not explicitly providing to that third-party. As per Article 11.2, this can thus make the Data Controller exempt from Articles 15 to 20.
As a website business, it's also interesting to consider that the actual interaction of the Data Subject visiting a website is to receive a data payload(s) from the Data Controllers server for the given IP address that the domain name points to. From that point onwards, network requests between the Data Subject where data is exchanged/communicated, is really where GDPR is legally applicable if I'm not mistaken. Such that, if the payloads that arrive, do not explicitly contain data/content that violates the GDPR, it then falls to the network requests made on the Data Subjects side for any further ability to violate, however the responsibility of the actions being taken by third parties at that point are no longer interactions with the Data Subject and the Data Controller at hand. Just like the browser itself is merely facilitating the navigation and interaction over a network.
Do you even consider a third-party displaying ads on the website as the responsibility of the Data Controller, when the Data Controller is not serving those ads in it's initial payload, but requesting them upon arrival to the Data Subject? According to Recital 74, the responsibility and liability of the Data Controller providing that website, is not giving the third party processor/controller any data on it's behalf, merely a request to serve some ads for that domain and the data related to the Data Controller in order to request that. Any data collection by the third-party is not neccesarily authorized by the Data Controller.
I am aware that some businesses have their own marketing campaigns, where they "mark" a visitor, and as that visitor navigates the web elsewhere, they may be served ads about that business they had visited previously. That's a different topic to what I've been discussing above, one that I'm not familiar enough with to weigh on, but may also be able to utilize the information I've written about here for the GDPR to not apply to the Data Controller / website business.
For other use cases where you'd cite Article 3.2.b and the above somehow does not apply to those operating out of territorial scope, there is still Article 6.
**EDIT:** I looked into the behavioural ads thing a bit, Google requires a contract up front and defaults to non-personalized / non-targeted ads. They require consent from the Data Subject (through you providing the ability to give explicit consent and inform them to Googles own policies etc), along with you as the Data Controller having to abide by their EU User Consent policy. Without the contractual obligations requiring such though, another third-party vendor misbehaving might not make the Data Controller liable like my notes touch on above?
2
Recital 65 says:
"A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. 2In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. 3That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. 4The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. 5However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims."
Not wishing to just throw words out there, but the recital is a part of the regulation.
There's no exemption for using Gmail or Exchange 365 or any other Cloud-based email service specifically.
The redaction would potentially kick in when data subject A wants an email deleting but B wants it retained for some reason. A's information would need to be redacted. If you can find a technology that handles this, let me know...
2
Yeah... If you ship to EU I'd agree that sounds like GDPR should apply.
I wasn't able to ascertain from the legislation if catering to a global audience but avoiding any explicit targeting/treatment of the EU would negate GDPR effect via it's clauses. In which case shipping to EU might be OK, but I doubt that when acknowledging/supporting the euro currency as an option can bring GDPR into effect(there was a recital I referenced at the end of my original post which might haveade that exempt, can't recall, been reading up on GDPR past few days..).
I know that explicit EU targeting of users like testimonials from those in the EU is a big no-no if you want to be exempt of GDPR(doesn't mean you don't make efforts to implement some of the ways to better protect user privacy, just minimize legal risk / obligations).
2
You need to state legal basis for processing. For analytics, since it's really non-essential you need consent.
2
This is "kind of" what I am saying, but I have to point out several details hidden on your example, which is in fact quite good. I liked your input, so if you still disagree please tell me (GDPR is hard :P ).
For starters, of course GDPR will never be binding to an outside EU institution.This is almost by definition of the independence of countries. Also, EU nationals are free. There is no law forbidding a EU national to enroll a Japanese based course, what will happen is that the risk is his and his alone.
Now, we are talking about services being offered TO the EU directly (what I meant by "INTEND to process personal data from EU nationals" but I agree that is ambiguous). In this case I'm assuming there is at least a targeted marketing process towards EU national and probably within the EU itself.
Like any service that is offered to the EU market, it can be classified as legal or illegal according to local law. For instance, if a random country offered to sell illegal products to EU nationals, it will be illegal even if in the country of origin it is legal. But, of course, the local law has limited effect. The person will be free to go there and buy the products if he wants to.
However, to legally sell something within the EU (receive payments, establish an office, etc) the foreign organization will have to constitute a local representative within EU law. THAT local representative WILL be subject to GDPR and therefore the services it provides WILL have to abide GDPR and recital 14 which says "The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence ".
The original college can create a local representative such that the limit of its services is only to EU nationals and these services are GDPR compliant. But if we stretch it, this means creating a parallel Japanese college GDPR compliant, while keeping the original one not compliant. I think this does not make sense in general and it is also contrary to the original goal of the college which was to have more clients with the same infrastructure.
So, considering all those points and angles, I think the conclusion is YES, if you want that EU nationals enroll to your outside-EU college and you want to have a presence and market directly to the EU you have to treat ALL personal data (EU an non-EU) involved in these services with the adequate safeguards demanded by GDPR.
1
... then the Data Controller goes "I'd like to have a drink".
bartender: "Sure, can i have your Name and date of birth to see if you are of legal age?"
DC: "No, i do not consent, but i cannot see how my name can help you fill up a glass of beer, so gimme my beer"
bartender: "But the law requires i need to get your personal data first"
DC: "This is ridiculous, the law cannot force me to consent without good reason, i demand my rights to be served without consent as a data subject. "
The actors spend the rest of the play looping through this same argument. 10 minutes into the act, Albert Camus has a cameo, suggesting that they both should kill themselves.
1
“Insolvency is the legal term describing the situation of a debtor who is unable to pay his, her, or its debts. There are two primary types of insolvency: cash flow and balance sheet.
In cash flow insolvency, the debtor suffers from a lack of financial liquidity making it impossible to pay debts as they fall due. This is the type of insolvency most individuals experience prior to filing for bankruptcy.
Balance sheet insolvency, on the other hand, involves having negative net assets, where one's liabilities exceed their assets. This is the form of insolvency normally described by corporate entities prior to filing for bankruptcy.”
I’m sure they’re still splashing the cash on some kind of hosting service.
1
“Learn about IT”, just because I posted in a gdpr forum doesn’t somehow mean I don’t also understand the ins and outs of IT.
To the OP, if you’re dumb enough to take advice on a legal regulation from an IT geek with his roll your own understanding or the regulation and inability to understand how different parts of the regulation interact you’ll reap the rewards.
You should of course take any opinions on a forum as just that, opinions based on the limited information you provided. It’s not legal advice and you should explain your own parameters to a qualified lawyer that also understands modern IT infrastructure.
What our mate wharthog here thinks is that because IT security is mentioned as a *candidate* for LI means that it somehow gets a free pass from the rest of the legislation. The rest of the regulation still applies, Art 30 records, international transfers, pseudonimisation, controller-processor relationships etc.
As a simple example, if you store logs in the US you need to list your hosting provider in your Art 30 records as a processor, make sure you have C-P model clauses signed or that the provider has signed up to Privacy Shield, the hosting provider needs to update their Art 30 records, you need to notify them about the categories of data they will host and they should only operate on written instructions.
As far as data subject rights go the data subject can exercise their rights against either the controller and processor. You need a process for this. Your process will likely be in your contract, the contract needs to comply with all the GDPR contract requirements. A data subject can ask for copies of parts of the model clauses agreement.
As far as breaches go you need the processor to notify you within 72 hours, anything less than 36 will make things extremely difficult time wise. As a controller you are liable for your processor’s security and actions. As a controller you are still required to comply with the principle of data minimisation, you need to justify why you are collecting the elements you collect in logs.
As an individual app developer in Europe your international transfer options are limited. If your app sends data straight to a server/cloud service abroad model clauses will not always be appropriate in all instances. Privacy shield could be an option if the server is in the US, but is being challenged both in the courts and in opinions by the European parliament.
1
"A part of the regulation says that if you are using the personal data with a propose it's ok, but you can't save it without the permission of the person, so when you send it you have to ask their permission."
Can you point me in the right direction to read about this? Sounds like at the very least it will give me a legal ruling on it.
1
"The establishment, exercise or defence of legal claims" is explicitly mentioned as a
case when legitimate interests can override the data subject's rights.
Serving personalised ads might actually be justified under legitimate interests as far as GDPR is concerned. However, setting cookies requires consent under PECR. It would also be subject to the rights to object or to erasure, since "making more money from ads" isn't an interest that can override a subject's rights in the way that a legal claim can.
1
"There is a law that allows them to organize the exam in a way that cheat is avoided, but I am not sure how vauge a law can be before it can be used with 6(c). "
The GDPR is just a vague as it has to encompass a huge number of potential situations and until case law and precedent is set it will continue to be quite vague. Essentially they can use 6(c) or 6(e), (if in Denmark schools are legally required to give exams as part of being a public body), but they should do it in the least intrusive way that still practical. Without direct monitoring, aka someone sitting watching you, software on a machine is one way of achiving this.
That said your schools reponse to your queries are a little concering. In a situation like this a Data Privacy Impact Assessment probably should have been taken but I'm guessing the vague nature of they answers you've had so far it probably wasn't done. I think public bodies are required to have a Data Protection Officer see if your school has one and ask to sit down with them about your concerns.
If not possibly raise your concerns with your local Data Protection Authority they should have advice for you.
1
(I’m not your lawyer. This isn’t legal advice.) Don’t store any data you don’t need to. Don’t store IPs. Don’t store their in-game chats (for more than a week or two). Delete inactive accounts. Delete all things that can be deleted. Their progress and state in the game isn’t personal data. Remove Google Analytics or anything that isn’t loaded from your own domain. Phrase things in-game like “choose your in-game character’s gender and sexual orientation” and make it clear you’re not asking them to provide data about themselves. Unless they’ve gone out of their way to write their personal information in Minecraft blocks, then … you know. You did what is expected of you. Do what you can to reduce data retention and revisit if your service grows in popularity. (I’m still not your lawyer. This wasn’t legal advice.)
As a benefit: your game should run smoother and require fewer resources to maintain once you skim off the excess “data fat.”
1
[https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679)
>‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Doesn't matter if the IP was ever yours. You are now traceable by that IP as it is connected to your e-mail. The IP can be used to identify you, it is your personal data.
Other examples of personal data that is yours: mother's name, mother's surname, name of the school that have you on their students list by mistake.
If you want this IP then you can have it. Just ask for all the IPs connected to you. They give it out as the IP is connected to you via your e-mail.
1
@mywarhog you are right but i need to keep it only for respect the teamspeak 3 NPL license contract terms, il you see on npl.teamspeakusa.com for obaining And keeping up the license you must have a domain, a forum And domain email, so it will better keep it up, by the way i host on a vps the entire website exept for the forum Who is hosted on free web hosting company. So the data legally it’s managed by the company Who provide free hosting for my forum, it’s correct?
1
@wjsbw This is complete crap. The DPO obligation has zero to do with the number of employees. The only matter that having fewer than 250 employees touches on is a slight reduction in some Article 30 documentation.
Having said that -- I would also question whether a DPO is required. Key questions: are you processing special category data, or doing profiling with legal effect?
1
**General Data Protection Regulation**
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements pertaining to the processing of personally identifiable information of data subjects inside the European Union, and applies to all enterprises, regardless of location, that are doing business with the European Economic Area. Business processes that handle personal data must be built with data protection by design and by default, meaning that personal data must be stored using pseudonymisation or full anonymisation, and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in consent from the data's owner.
***
**Data Protection Directive**
The Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data (PII (US)) and on the free movement of such data) was a European Union directive adopted in 1995 which regulates the processing of personal data within the European Union. It is an important component of EU privacy and human rights law.
The General Data Protection Regulation, adopted in April 2016, has superseded the Data Protection Directive and became enforceable starting on 25 May 2018.
***
**Personally identifiable information**
Personal information, described in United States legal fields as either personally identifiable information (PII), or sensitive personal information (SPI), as used in information security and privacy laws, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. The abbreviation PII is widely accepted in the U.S. context, but the phrase it abbreviates has four common variants based on personal / personally, and identifiable / identifying. Not all are equivalent, and for legal purposes the effective definitions vary depending on the jurisdiction and the purposes for which the term is being used. (In other countries with privacy protection laws derived from the OECD privacy principles, the term used is more often "personal information", which may be somewhat broader: in Australia's Privacy Act 1988 (Cth) "personal information" also includes information from which the person's identity is "reasonably ascertainable", potentially covering some information not covered by PII.)
European and other data protection regimes, which centre primarily around the General Data Protection Regulations, the term "personal data" is significantly broader, and determines the scope of the regulatory regime.
***
^[ [^PM](https://www.reddit.com/message/compose?to=kittens_from_space) ^| [^Exclude ^me](https://reddit.com/message/compose?to=WikiTextBot&message=Excludeme&subject=Excludeme) ^| [^Exclude ^from ^subreddit](https://np.reddit.com/r/gdpr/about/banned) ^| [^FAQ ^/ ^Information](https://np.reddit.com/r/WikiTextBot/wiki/index) ^| [^Source](https://github.com/kittenswolf/WikiTextBot) ^]
^Downvote ^to ^remove ^| ^v0.28
1
**General Data Protection Regulation**
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements pertaining to the processing of personally identifiable information of data subjects inside the European Union, and applies to all enterprises, regardless of location, that are doing business with the European Economic Area. Business processes that handle personal data must be built with data protection by design and by default, meaning that personal data must be stored using pseudonymisation or full anonymisation, and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in consent from the data's owner.
***
**Personally identifiable information**
Personal information, described in United States legal fields as either personally identifiable information (PII), or sensitive personal information (SPI), as used in information security and privacy laws, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. The abbreviation PII is widely accepted in the U.S. context, but the phrase it abbreviates has four common variants based on personal / personally, and identifiable / identifying. Not all are equivalent, and for legal purposes the effective definitions vary depending on the jurisdiction and the purposes for which the term is being used. (In other countries with privacy protection laws derived from the OECD privacy principles, the term used is more often "personal information", which may be somewhat broader: in Australia's Privacy Act 1988 (Cth) "personal information" also includes information from which the person's identity is "reasonably ascertainable", potentially covering some information not covered by PII.)
European and other data protection regimes, which centre primarily around the General Data Protection Regulations, the term "personal data" is significantly broader, and determines the scope of the regulatory regime.
***
^[ [^PM](https://www.reddit.com/message/compose?to=kittens_from_space) ^| [^Exclude ^me](https://reddit.com/message/compose?to=WikiTextBot&message=Excludeme&subject=Excludeme) ^| [^Exclude ^from ^subreddit](https://np.reddit.com/r/gdpr/about/banned) ^| [^FAQ ^/ ^Information](https://np.reddit.com/r/WikiTextBot/wiki/index) ^| [^Source](https://github.com/kittenswolf/WikiTextBot) ^]
^Downvote ^to ^remove ^| ^v0.28
1
**Gibberish**
Gibberish, alternatively jibberish, jibber-jabber, or gobbledygook, is language that is (or appears to be) nonsense. It may include speech sounds that are not actual words, or language games and specialized jargon that seems nonsensical to outsiders. Gibberish should not be confused with literary nonsense such as that used in the poem "Jabberwocky" by Lewis Carroll.The word gibberish is more commonly applied to informal speech, while gobbledygook (sometimes gobbledegook, gobbledigook or gobbledegoo) is more often applied to writing or language that is meaningless or is made unintelligible by excessive use of abstruse technical terms. "Officialese", "legalese", or "bureaucratese" are forms of gobbledygook.
***
^[ [^PM](https://www.reddit.com/message/compose?to=kittens_from_space) ^| [^Exclude ^me](https://reddit.com/message/compose?to=WikiTextBot&message=Excludeme&subject=Excludeme) ^| [^Exclude ^from ^subreddit](https://np.reddit.com/r/gdpr/about/banned) ^| [^FAQ ^/ ^Information](https://np.reddit.com/r/WikiTextBot/wiki/index) ^| [^Source](https://github.com/kittenswolf/WikiTextBot) ^]
^Downvote ^to ^remove ^| ^v0.28
1
**So, let us say we create an e-mail with the following title** :
> [B2B] We are looking for business opportunities and new partners!
Within that e-mail we introduce ourselves shortly, do not directly sell anything to them, add in a few clickable links for further info, perhaps even a short video of our production, and add on all the necessary GDPR buttons and check-in-out options.
**We send that e-mail to e-mails which only look like this** :
> info@, marketing@, companyname@, help@, etc.
Could that then be regarded as legally correct?
1
**What motivates all the companies becoming compliant?**
Threat of €20M or 4% of global revenue fines (whichever is higher).
**What obstacles are they hoping to avoid with their strategy?**
Fines, bad PR, user backlash, lawyers and legal fees, maintaining their existing roadmaps as all of the most competent employees scramble to implement what they hope will be a compliant solution.
**What are some interesting compliance approaches?**
Drinking heavily, shuttering the business, then [soothing oneself to sleep by listening to highlights of the GDPR text as read by Peter Jefferson](https://www.theverge.com/2018/6/3/17413390/gdpr-legislation-asleep-in-seconds-listening-meditation-app-peter-jefferson).
1
\(I’m not your lawyer and this isn’t legal advise.\) Avoid it.
1
\(This isn’t legal advise and I’m not your lawyer.\) Ehm. You can’t actually track the people who haven’t given their consent to be tracked by a third\-party in the first place. Google Analytics would be useless for this purpose as everyone tracked by it would have had to already have given their consent.
1
\*sigh\*
​
Please. Stop being stupid/giving false information.
​
**HE DOES NOT HAVE TO FOLLOW EUROPEAN LAW. HE IS NOT IN EUROPE. HE IS NOT RUNNING SERVERS IN EUROPE. IT IS THE EUROPEAN USERS CHOICE TO USE HIS SERVICES OR NOT TO USE HIS SERVICES. HE IS SUBJECT TO ISRAELI LAW, AND TO ISRAELI LAW ONLY. THIS IS NOT A DIFFICULT CONCEPT TO COMPREHEND.**
​
(Caps and bold solely for emphasis)
​
Period, end of discussion, full stop.
​
/u/omer8985 \- Don't worry. Start your gaming community, and don't pay any attention to this legal noise. You're fine to ignore European Union rule of law. There are many on here that wish to believe that the EU is almighty, and has as much power as the EU claims to have. This is false. As long as you do not have a European Union server, and do not have a house/physical establishment within the European Union itself, the EU cannot do a single thing to you. They cannot fine you, arrest you, extradite you, shutdown your server(s), etc. The EU can only do what the EU wants to EU citizens, and EU establishments. Anyone that thinks otherwise has clearly failed to comprehend the first grade (sometimes called Year 1) concept of a border. I implore people like /u/Wizzad to define, in explicit detail, how the European Union will actually enforce any of this bullshit law on a foreign company outside of writing a letter or "demanding that processing stop." Is there a treaty for joint enforcement of this law? No. Is there a way for a DPA to directly take money from his bank account? No. Is there a way for a DPA to shutdown his server residing in a different country? No. Literally, the only way that anything could be "enforced" is if they demanded ISPs to block traffic. And I really don't think that that would sit well with a vast majority of EU citizens. Even if you wish to do business in Europe, you are providing a service. A service is not a good. You do not have to follow European laws to provide a service to European citizens/residents when the service does not originate from Europe. If you are providing a tangible good that will have a presence in that country, then THAT is when you actually have to follow that countries laws for that good specifically. You are not providing a tangible good. You are providing a service.
​
European DPAs know this as well. There was a recent case regarding a Canadian data company without any presence in Europe being told to "stop processing data." The ICO has concealed this case except for a hidden/obscured link on their website, because once Canada shoots them enforcing their laws on Canadian companies down, they don't want to be embarassed by it.
​
It's like if an American visiting Israel was subject to America's drinking laws, and an Israeli bar could be fined by the US for violating US drinking laws. Laws do not follow the customer wherever they may go.
​
E: As an addendum, I've seen many flaky replies from many other users on this subreddit as of late. Before the law came into effect and every fanatic flocked to this subreddit, this subreddit used to be a good place to get compliance advice, and an honest "yes or no" if the law applied from people that actually knew what they were talking about, not those that just wish this law applied everywhere. If you're looking for solid advice on the applicability of this law, I'd go to other sources with more knowledgable/credible people, such as the Web Hosting Talk forums. If you'd really like to stay on Reddit, your better bet is /r/legal.
1
\> At any point do their customers enter into a legal agreement with you?
Nope they enter into a legal agreement with FooBar, and i cannot find any mention of us in their stuff.
\> Do you only sell through them or do you have your own customers to? If so you are the data controller for that data and also need to be gdpr compliant
We only have our own customers in the US, and don't really have plans to expand beyond that anytime soon. Our product is more or less only sold to transport companies \(i.e. trucking industry\), who then install our product in their drivers vehicles.
1
> You say "ask", but let's be clear: it's a demand. If the field is left blank the form is not accepted.
Correct. But your post wasn't about LinkedIn, so this is a straw man.
> The optional seminars are to learn skills that improve performance at the university.
Either they're optional or they're not. If they are, then you can choose whether or not you want to attend them (and should probably talk to the university to get them to open their eyes re Facebook); if they're not, and they are forcing you to agree to some other company's terrible terms of service, I'm sure you could bring a legal claim against them under some US statute.
> Where does the GDPR talk about whatever definition of "force" you are applying here?
This is not an issue for the GDPR as regards the university, period. _(Source: I'm told that I know [a thing or two about the GDPR](https://i.imgur.com/XW8MuEe.jpg).)_
1
> I thought a private person would not need to comply with GDPR.
Poor phrasing from my part. This is what I mean. Although it is not entirely true also: if you enter into the personal business of selling personal data without a registered legal structure, you're still in violation of the GDPR (among others).
Now, in the database in email shared among the HR service, it's still a matter of internal controller vs. internal processor. The IT service is only the processor. Their role is to deliver a service securely to HR, and comply with their order. It's the HR department that is the data controller, and therefore responsible for managing its processes involving personal data. If you want to know what the HR department thinks of you behind your back, ask them, and see what type of response you get.
1
> “Learn about IT”, just because I posted in a gdpr forum doesn’t somehow mean I don’t also understand the ins and outs of IT.
I agree, the fact that you don't think bug reports qualify as a legitimite interest, however, proves beyond any even remotely reasonable doubt that you have no clue what you're talking about in the realms of development, programming, or IT.
> To the OP, if you’re dumb enough to take advice on a legal regulation from an IT geek with his roll your own understanding or the regulation and inability to understand how different parts of the regulation interact you’ll reap the rewards.
Actually, OP would be pretty smart to take my advice... considering it's based off of extensive study of the law, researching actual legitimate interest cases, and actually being in the development and IT work fields.
> You should of course take any opinions on a forum as just that, opinions based on the limited information you provided. It’s not legal advice and you should explain your own parameters to a qualified lawyer that also understands modern IT infrastructure.
This, I agree with. No one here is a lawyer, and you don't want to take anything here as legal advice... but rather as a general direction towards compliancy. But, just be forewarned, OP... a lawyer with actual IT knowledge will tell you the *exact* same thing that I've told you.
> What our mate wharthog here thinks is that because IT security is mentioned as a candidate for LI means that it somehow gets a free pass from the rest of the legislation. The rest of the regulation still applies, Art 30 records, international transfers, pseudonimisation, controller-processor relationships etc.
No where did I say that. I'm saying that ***he does not need consent to collect this data or information from individuals***. Huge difference there, bud. Having said that, if OP is in the US or any country outside of the EU... then yeah. He is exempt from that, as like it or not, the EU can't touch him (or her), despite what they may say.
> As a simple example, if you store logs in the US you need to list your hosting provider in your Art 30 records as a processor, make sure you have C-P model clauses signed or that the provider has signed up to Privacy Shield, the hosting provider needs to update their Art 30 records, you need to notify them about the categories of data they will host and they should only operate on written instructions.
> As far as data subject rights go the data subject can exercise their rights against either the controller and processor. You need a process for this. Your process will likely be in your contract, the contract needs to comply with all the GDPR contract requirements. A data subject can ask for copies of parts of the model clauses agreement.
See above. Also, as a note, right to erasure does not apply to bug report data. Only to data collected through consent, which as I've already stated, is not required for bug reports, crash logging, and error logs.
> As far as breaches go you need the processor to notify you within 72 hours, anything less than 36 will make things extremely difficult time wise. As a controller you are liable for your processor’s security and actions. As a controller you are still required to comply with the principle of data minimisation, you need to justify why you are collecting the elements you collect in logs.
This is not the full story. Even the ICO states this:
```
From 25 May 2018, if you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of any risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. You do not need to report every breach to the ICO.
```
Source: https://ico.org.uk/for-organisations/report-a-breach/
>As an individual app developer in Europe your international transfer options are limited. If your app sends data straight to a server/cloud service abroad model clauses will not always be appropriate in all instances. Privacy shield could be an option if the server is in the US, but is being challenged both in the courts and in opinions by the European parliament.
OP, if you are based in the EU, then yes. This part is factually accurate.
(However, nullifying the Privacy Shield would be absolutely stupid on the EU's part, as there's pretty much no chance that the US would come out with anything more strict. The EU would essentially be moving whatever mechanisms they had to enforce against companies that have voluntarily subscribed to its enforcement.)
1
> 1.) Developers from the EU are forced to use GDRP for every user (because they are under EU law) but not-EU developers only need to use GDRP for EU users.
Yes
> 2.) Developers are responsible for data and usage by 3th pty. libraries. What data and how will be used by 3th pty. libraries has to be described in the privacy policy. It is not allowed just to link to the web-page of a 3th pty library.
Yes, and consent may be required
> 3.) It is not allowed to transfer any personal data before a consent is asked from the user.
Not necessarily. Legitimate interests may apply, or legal requirements.
> A.) How can a developer find out what kind of data is transferred and how they are used by the following 3th pty. libraries?
> AdMob
> InApp payment
> App licensing
> Firebase Analytics
> Firebase Crashlytics
Google have released info recently regarding AdMob and Analytics. AdMob specifically will have a new consent SDK which will need to be used (or similar) for personalised ads.
IAPs and App Licensing are generally an O/S feature, so am guessing this lies with the platform providers to worry about. Not sure though.
> B.) Which of those 3th pty. libraries needs a real consent and which one needs just be described in the privacy policy.
As above, check the documentation from Google
> C.) After a privacy policy is magically created for a small App, how can it be ensured (or enforced) that the 3th pty. libraries don't use the data otherwise as it was stated?
It can't, but you will be arguably safer using a company like Google rather than some smaller less accountable company.
> D.) Does the app developer need to check the 3th pty. libraries every time he updates his app to find out what has changed? Does he need to update the privacy policy every time if something changes? Does he need to get consent from the users for the privacy policy every time it changes?
I would be keeping a close eye on any 3rd party libs. Privacy Policy should be changed as and when required, but the policy itself is not what requires consent.
1
> 1) You don’t seem to know the difference between prison and concentration camps (clearly never visited the latter)
Pretty sure prisons fit the formal definition of a concentration camp (anywhere where prisoners or refugees are concentrated).
>2) You think hate speech doesn’t exist, whereas I do.
I didn't say it doesn't exist, just that it's synonymous with wrongthink, and nothing else.
>3) You think that anyone who says anything that’s considered to be hate speech is a "political opponent", even though your own evidence says otherwise.
They are. If they weren't, you wouldn't need to systematically oppress them by throwing them in cages because you can simply ignore them.
Literally Marine Le Pen was charged with hate speech violations after the EU Parliament voted to lift her immunity from prosecution, but sure, there's nothing political about banning political opinions you disagree with.
>4) You have resorted to childish baseless attacks such as "you literally think anyone with a different opinion than you deserves to be thrown in a cage"
You do. If that's wrong and childish, then apologize for saying you support hate speech laws.
> whereas actually I was referring to hate speech,
Lol.
>which is nothing to do with a difference of opinion.
So you're saying you actually share the opinions of "hate speech", yet still want it to be illegal? Are you some kind of masochist?
>5) You throw around other bullshit statements like "gulag", "hitler" et al.
And fortunately I live in a part of the world where it's still legal for me to do so.
>Why do you think I have any interest in conversing with you?
I don't care if you're interested in continuing this discussion, I just want you to know how fucked up I think it is that you think I deserve to be imprisoned for it.
1
> a one year warranty as standard, for this we hold customer data such as name, address and contact details (phone number and/or email address). Do we need to add something to our website (such as an opt in for warranty check box), or does this come under a legal reason to hold their data? We do currently have a privacy policy section that states this is what the data is held for.
If the provision of a 1-year warranty is a legal obligation (it is in my county, for example), that could also be a legal ground for the processing (and retention) of the data. Vital interest as a lawful ground would be misleading; it has been cleared up many times that vital interest only refers to life-or-death situations.
1
> Also the way they said to me "if we think your reasons are good enough" etc
Although it could perhaps be worded better, they're really just describing the process set out in GDPR. Your grounds for deleting the data would be
> (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing
Then Article 21(1) says:
> The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
So you object and describe how the processing affects you, and they have to decide whether they can demonstrate that their reasons for the processing outweigh your interests.
1
> And no, neither the archival exemption nor legitimate interests legal basis are immutable. Legitimate interests require there being no overriding interests of the data subject, which in this case there arguably are.
You're confusing overriding interests with overriding freedoms and liberties. If it was overriding interests, obviously erasure of security information is in the interest of a criminal. A criminal is not free nor does he have the liberty to commit a crime. This was covered in an article somewhere on the ICO's website.
> I looked for the Google case that you pointed out, but I don't believe it's of high relevance? It's based on a copyright claim. Not on EU's request to data removal. For that, you should look at Google Spain (Case C-131/12), which says that even if EU may be unable to execute its law against a US company, it may hold its EU branch in certain cases, and possibly the outcome of Google Inc. (Case C-507/17) which is directly against the US Google. So no, you're wrong, even if the EU has no jurisdiction, it's not any as powerless as you may think.
Reread the case. In this case, I'm not wrong and they are powerless (assuming no IMDB office in the EU). It's regarding a European that wrote a story, demanded it be removed from search results, and US sided with Google saying that the freedom of expression overrides it, basically (provided I gave you the right case name, I know there were a few in the US that overruled the EU right to erasure/to be forgotten, especially with created content).
1
> by the legal basis of legitimate interest
I'd be cautious of this. The WHOIS system example is one that I keep going back to when people bring up the "legitimite interest" point of view for things.
1
> Development costs time and money
THIS! I should be getting paid to do this. I live in Taiwan and spending hundreds of hours to change our entire game around with what help? Where do these resources come from to code these overzealous requests.
We're indie and tiny with two developers. I have all these bugs that need fixing and I have to, instead, prioritize my entire resources on this thing for a country I don't even reside in for $0.
> "when is x bug going to be fixed?"
> "After GDPR..."
That Poland proposal makes SO much sense. The people that vetoed it obviously knew nothing about technology.
Then every response to gdpr questions, "Ask a lawyer". Why should we have to seek legal counsel for general questions? Not even legal counsels know what to do - there's no precedence and the documents were worded vaguely. Their guess is as good as mine.
It's not that we are sketchy, as we ARE complying, it's just like you said. The resources are not there. Big Corp! It's nothing to spend millions if they gain it back In a day. Can hire new people specifically for this. Indies and small businesses? It's been a full time job getting this right.
You can't really prep for gdpr while in active development as every dev knows that things change. Our entire architecture changed 3 times while in development. Could have 50 years to prep and it wouldn't matter until your product is in a near final state.
Anyway, thanks for letting me rant folks. Misery loves company, so in a way, glad I'm not alone as a little guy trying to do things right.
1
> Do you know the PI example is during the course of a sale?
Yes I do, but I have said from the start that this would acceptable only if it's part of a purchase process, and that outside of a purchase process it would have been illegal even before GDPR.
> What about “news and offers”?
Again, I said from the start that it's only acceptable if the messages relate to similar products and services. We can't actually say for certain whether it's compliant without seeing the messages that they send. I'm not sure what other news you think a hotel chain might be interested in sending to its customers, though.
1
> Either they're optional or they're not
This is a false dichotomy. Every single class is optional including the ones students sign up for. Missing some classes has more intense consequences than others but any class can be missed.
> I'm sure you could bring a legal claim against them under some **US statute**. ... I know a thing or two about the GDPR. ... this is a question for a lawyer re the viability of a claim under **US law**.
Both the GDPR and my school have nothing to do with US statutes, so to say you know something about the GDPR is bizarre. The first thing you should know about the GDPR is that it's EU law. Bringing up US law makes no sense.
You also don't know what a straw man is, so I suggest not using the term.
1
> Free speech does not come into it and would in no way allow you to continue to use the image.
It does. Pictures are completely separate from the scope of the GDPR. Even though personally identifying, pictures, artwork, speech, etc don't fall under the scope of the GDPR. Publically available creative works can not fall under the scope of privacy law.
Now, there are two caveats to this.
1) The picture could be forced to be removed through watever the EU equivalent of an American DMCA request is for European content providers, or a DMCA request for American providers.
2) I think you're getting crossed with Right to Erasure vs. Right to be Forgotten. News sites are under no obligation to delete news articles under the GDPR. This would assume gaining consent from the subject of the news article prior to its posting. In the case of a false conviction, for example, no consent was given by the subject to post, and as such, no consent exists to be withdrawn. However... a search engine is under the obligation to remove links to false news articles so that they're not found/found as easily. The news site may be forced to put the article into an unpublished state due to defamation of character laws... however, it is still considered free speech, and thus, falls out of the scope of the GDPR.
Ik... it's confusing. I could be *partially* wrong on this one, however, I've seen more interpretations of this law in this way than I have of yours. Plus... I did take classes on copyright/speech laws in college... so I do have a bit of a "legal" background on this one. ;)
1
> GDPR is a law, that all countries have to respect.
It's a law that's not even respected by those claiming to follow it (Facebook, Twitter, Google). If Max Schrems wins his lawsuit, you can almost bet those companies will start pulling out. It probably would never get any respect from those in the states who would have to assist Europe in enforcement action against an American company/organization.
> It is no where stated that this article (71) is a exception. As soon as you receive a TCP-package originating from an EU-Country, you have to handle that package based on the general conditions outlined in GDPR.
"Required" only if you target the EU. A geoblock says, quite clearly, "we're not targetting." And as far as I'm concerned, a packet coming from Europe to America is the same as a tourist travelling from Europe to America. It's subject to USA laws, not theirs. And I think this will be a prominent defense used in court cases as well.
> But on the other hand, he EU has no legal authority or enforcement mechanism to stop foreign, online companies from not doing business in the EU.
Exactly. The whole territorial scope is a farce intended to intimidate/scare compliance.
1
> Google provides some services through advertising revenue and others not.
Advertising revenue is what pays for all of it. The other services would go away without advertising revenue.
>Duckduckgo also suffices for searching, and all search engines gain revenue from targeted, but non-tracking ads.
Duckduckgo relies heavily on the search results of *other* search engines. The ones that run on advertising revenue. Without those other search engines there probably isn't a ddg either.
> In one sense you're right that regulations played a big part in the problem, but the regulation in particular was "intellectual property", which makes this a rather difficult problem legally and ethically.
If it wasn't intellectual property then it would be something else. We see this time and time again throughout modern history. Regulation tends to benefit the existing corporations.
1
> How was this software installed?
By the student, via the software developer's website
> Is there something on their end that initiated it or did you have to initiate something?
You had to log in with the credentials you normally use for a varaity of school software (called UNI-Login). It was initiated automatically in the time of the exam (9-14 o' clock)
> What did that contract/terms of conditions to install the software, say?
There were none at all. Not on the website, not in the program, not physically.
> I believe you mentioned that if you did the exam at school the software isn't used on the school computers? Was that made clear in some way?
No, you must do the exam on the school premise no matter what. But it is required that you bring your own computer for the exam, and you must install the program on your own computer.
> Were you told of what expected behavior they wanted and bad behavior they were specifically looking for with the software?
We weren't told the parameters, but you can find that info on the software website.
> It seems to me as I write this that all these questions above, depending on their answers, are dealing with informed consent as the legal basis for processing. You can take the exam at school without this software, or you can take it on the convenience of your home computer with this software but with informed consent of what the software is doing.
This is not the case, as shown above.
> I am finding the Article 35 (Data Privacy Impact Assessment) confusing at the moment, it seems that's where you were getting stuck on, that part 10 issue. However I read it that generally every controller is supposed to be doing it and that it is a public record (I would assume few have done it, and I would assume that a local school authority hasn't. That's not a malicious thing, it's just not a priority and it's damn complicated.) (I should add, Danish public record laws, which I don't know, probably make a bunch of things public as well.)
Yes, I would also think that the software developers (controllers) should make a Data Privacy Impact Assessment. I can live with the school not doing it if the devs did it, but I think it's troubling if it hasn't been done at all. Right now I am just waiting to find out when they answer.
> They might be getting stuck on the broadness of the Article 15 ("all date the school has on me.") That slows this process down. You are concerned with a particular processing operation recently conducted, I am not seeing a reason why the Article 15 request can't be narrowed down to what you're really interested in.
I specified what I wanted, as this is not my only concern about the school's handeling of data - for instance, they also log all internet activity on their network, and afaik never delete it (even after graduation).
> Have you seen that document? At some point some board, authority or individual with legal authority required this software. I'm curious to know what that says.
I have not, but depending on their answer, I might try and get it.
1
>Even if someone only does the easy part of blocking the EU visitors,
Accept Estonian digital residents, whose physical location is irrelevant, when they access the internet, they are legally considered to be "in the EU"
-1
**Privacy policy**
**1. Introduction**
1.1 We are committed to safeguarding the privacy of our website visitors and service users.
1.2 This policy applies where we are acting as a data controller with respect to the personal data of our website visitors and service users; in other words, where we determine the purposes and means of the processing of that personal data.
1.3 We use cookies on our website. Insofar as those cookies are not strictly necessary for the provision of our website, we will ask you to consent to our use of cookies when you first visit our website.
1.4 Our website incorporates privacy controls which affect how we will process your personal data. By using the privacy controls, you can \[specify whether you would like to receive direct marketing communications and limit the publication of your information\]. You can access the privacy controls via *\[URL\]*.
1.5 In this policy, "we", "us" and "our" refer to *\[data controller name\]*.\[ For more information about us, see Section 13.\]
**2. Credit : https://securign.com**
**3. How we use your personal data**
3.1 In this Section 3 we have set out:
\(a\) the general categories of personal data that we may process;
\(b\) \[in the case of personal data that we did not obtain directly from you, the source and specific categories of that data\];
\(c\) the purposes for which we may process personal data; and
\(d\) the legal bases of the processing.
3.2 We may process \[data about your use of our website and services\] \("**usage data**"\). The usage data may include \[your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use\]. The source of the usage data is \[our analytics tracking system\]. This usage data may be processed \[for the purposes of analysing the use of the website and services\]. The legal basis for this processing is \[consent\] OR \[our legitimate interests, namely \[monitoring and improving our website and services\]\] O*R \[\[specify bas*is\]\].
3.3 We may process \[your account data\] \("**account data**"\).\[ The account data may \[include your name and email address\].\]\[ The source of the account data is \[you or your employer\].\] The account data may be processed \[for the purposes of operating our website, providing our services, ensuring the security of our website and services, maintaining back\-ups of our databases and communicating with you.\] The legal basis for this processing is \[consent\] OR \[our legitimate interests, namely \[the proper administration of our website and business\]\] OR \[the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract\] O*R \[\[specify bas*is\]\].
3.4 We may process \[your information included in your personal profile on our website\] \("**profile data**"\).\[ The profile data may include \[your name, address, telephone number, email address, profile pictures, gender, date of birth, relationship status, interests and hobbies, educational details and employment details\].\] The profile data may be processed for \[the purposes of enabling and monitoring your use of our website and services\]. The legal basis for this processing is \[consent\] OR \[our legitimate interests, namely \[the proper administration of our website and business\]\] OR \[the performance of a contract between you and us and/or taking steps, at you request, to enter into such a contract\] O*R \[\[specify bas*is\]\].
3.5 We may process \[your personal data that are provided in the course of the use of our services\] \("**service data**"\).\[ The service data may inclu*de \[specify da*ta\].\]\[ The source of the service data is \[you or your employer\].\] The service data may be processed \[for the purposes of operating our website, providing our services, ensuring the security of our website and services, maintaining back\-ups of our databases and communicating with you\]. The legal basis for this processing is \[consent\] OR \[our legitimate interests, namely \[the proper administration of our website and business\]\] OR \[the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract\]* OR \[\[specify b*asis\]\].
3.6 We may process \[information that you post for publication on our website or through our services\] \("**publication data**"\). The publication data may be processed \[for the purposes of enabling such publication and administering our website and services\]. The legal basis for this processing is \[consent\] OR \[our legitimate interests, namely \[the proper administration of our website and business\]\] OR \[the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract\] O*R \[\[specify bas*is\]\].
3.7 We may process \[information contained in any enquiry you submit to us regarding goods and/or services\] \("**enquiry data**"\). The enquiry data may be processed \[for the purposes of offering, marketing and selling relevant goods and/or services to you\]. The legal basis for this processing is \[consent\] O*R \[\[specify bas*is\]\].
3.8 We may process \[information relating to our customer relationships, including customer contact information\] \("**customer relationship data**"\).\[ The customer relationship data may include \[your name, your employer, your job title or role, your contact details, and information contained in communications between us and you or your employer\].\]\[ The source of the customer relationship data is \[you or your employer\].\] The customer relationship data may be processed \[for the purposes of managing our relationships with customers, communicating with customers, keeping records of those communications and promoting our products and services to customers\]. The legal basis for this processing is \[consent\] OR \[our legitimate interests, namely \[the proper management of our customer relationships\]\] O*R \[\[specify bas*is\]\].
3.9 We may process \[information relating to transactions, including purchases of goods and services, that you enter into with us and/or through our website\] \("**transaction data**"\).\[ The transaction data may include \[your contact details, your card details and the transaction details\].\] The transaction data may be processed \[for the purpose of supplying the purchased goods and services and keeping proper records of those transactions\]. The legal basis for this processing is \[the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract and our legitimate interests, namely \[the proper administration of our website and business\]\] O*R \[\[specify bas*is\]\].
3.10 We may process \[information that you provide to us for the purpose of subscribing to our email notifications and/or newsletters\] \("**notification data**"\). The notification data may be processed \[for the purposes of sending you the relevant notifications and/or newsletters\]. The legal basis for this processing is \[consent\] OR \[the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract\] O*R \[\[specify bas*is\]\].
3.11 We may process \[information contained in or relating to any communication that you send to us\] \("**correspondence data**"\). The correspondence data may include \[the communication content and metadata associated with the communication\].\[ Our website will generate the metadata associated with communications made using the website contact forms.\] The correspondence data may be processed \[for the purposes of communicating with you and record\-keeping\]. The legal basis for this processing is \[our legitimate interests, namely \[the proper administration of our website and business and communications with users\]\] O*R \[\[specify bas*is\]\].
3.12 We may process *\[identify general category of data\]*.\[ This data may include *\[list specific items of data\]*.\]\[ The source of this data is* \[identify source*\].\] This data may be processed f*or \[specify purpos*es\]. The legal basis for this processing is \[consent\] OR \[our legitimate interests, na*mely \[specify legitimate inter*ests\]\] OR \[the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contr*act\] OR \[\[speci*fy basis\]\].
3.13 We may process \[any of your personal data identified in this policy\] where necessary for \[the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out\-of\-court procedure\]. The legal basis for this processing is our legitimate interests, namely \[the protection and assertion of our legal rights, your legal rights and the legal rights of others\].
3.14 We may process \[any of your personal data identified in this policy\] where necessary for \[the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice\]. The legal basis for this processing is our legitimate interests, namely \[the proper protection of our business against risks\].
3.15 In addition to the specific purposes for which we may process your personal data set out in this Section 3, we may also process \[any of your personal data\] where such processing is necessary\[ for compliance with a legal obligation to which we are subject, or\] in order to protect your vital interests or the vital interests of another natural person.
3.16 Please do not supply any other person's personal data to us, unless we prompt you to do so.
**4. Providing your personal data to others**
4.1 We may disclose \[your personal data\] to any member of our group of companies \(this means our subsidiaries, our ultimate holding company and all its subsidiaries\) insofar as reasonably necessary for the purposes, and on the legal bases, set out in this policy.\[ Information about our group of companies can be found at *\[URL\]*.\]
4.2 We may disclose \[your personal data\] to \[our insurers and/or professional advisers\] insofar as reasonably necessary for the purposes of \[obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out\-of\-court procedure\].
4.3 We may disclose *\[specify personal data category or categories\]* to \[our suppliers or subcontractors\]\[ identified at *\[URL\]*\] insofar as reasonably necessary f*or \[specify purpos*es\].
4.4 Financial transactions relating to \[our website and services\] \[are\] OR \[may be\] handled by our payment services providers, *\[identify PSPs\]*. We will share transaction data with our payment services providers only to the extent necessary for the purposes of \[processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds\]. You can find information about the payment services providers' privacy policies and practic*es at *\[URLs\].
4.5 We may disclose \[your enquiry data\] to \[one or more of those selected third party suppliers of goods and services identified on our website\] for the purpose of \[enabling them to contact you so that they can offer, market and sell to you relevant goods and/or services\].\[ Each such third party will act as a data controller in relation to the enquiry data that we supply to it; and upon contacting you, each such third party will supply to you a copy of its own privacy policy, which will govern that third party's use of your personal data.\]
4.6 In addition to the specific disclosures of personal data set out in this Section 4, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.\[ We may also disclose your personal data where such disclosure is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out\-of\-court procedure.\]
**5. International transfers of your personal data**
5.1 In this Section 5, we provide information about the circumstances in which your personal data may be transferred to \[countries outside the European Economic Area \(EEA\)\].
5.2 We\[ and our other group companies\] have \[offices and facilities\] in *\[specify countries\]*.\[ The European Commission has made an "adequacy decision" with respect to \[the data protection laws of each of these countries\].\]\[ Transfers to \[each of these countries\] will be protected by appropriate safeguards, namely \[the use of standard data protection clauses adopted or approved by the European Commission, a copy of which can be obtained f*rom \[sou*rce\]\] OR \[the use of binding corporate rules, a copy of which you can *obtain f*rom* \[source\]\] OR \[\[specify appropriate safeguards and means to* obtain a copy\]\].\]
5.3 The hosting facilities for our website are situated in *\[specify countries\]*.\[ The European Commission has made an "adequacy decision" with respect to \[the data protection laws of each of these countries\].\]\[ Transfers to \[each of these countries\] will be protected by appropriate safeguards, namely \[the use of standard data protection clauses adopted or approved by the European Commission, a copy of which you can obtain from *\[source\]*\] OR \[\[specify appropriate safeguards and means to obtain a copy\]\]*.\]*
5.4 *\[Specify category or categories of supplier or subcontractor\]* \[is\] OR \[are\] situated in *\[specify countries\]*.\[ The European Commission has made an "adequacy decision" with respect to \[the data protection laws of each of these countries\].\]\[ Transfers to \[each of these countries\] will be protected by appropriate safeguards, namely \[the use of standard data protection clauses adopted or approved by the European Commission, a copy of which can be obtained f*rom \[sou*rce\]\] OR \[\[specify appropriate safeguards and means to obtain a copy\]\]*.\]*
5.5 You acknowledge that \[personal data that you submit for publication through our website or services\] may be available, via the internet, around the world. We cannot prevent the use \(or misuse\) of such personal data by others.
**6. Retaining and deleting personal data**
6.1 This Section 6 sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.
6.2 Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6.3 We will retain your personal data as follows:
\(a\) *\[personal data category or categories\]* will be retained for a minimum period o*f \[perio*d\] followin*g \[dat*e\], and for a maximum period *of \[peri*od\] follow*ing \[d*ate\].
*\[additional list items\]*
6.4 In some cases it is not possible for us to specify in advance the periods for which your personal data will be retained. In such cases, we will determine the period of retention based on the following criteria:
\(a\) the period of retention of *\[personal data category\]* will be determined based o*n \[specify criteri*a\].
*\[additional list items\]*
6.5 Notwithstanding the other provisions of this Section 6, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
**7. Amendments**
7.1 We may update this policy from time to time by publishing a new version on our website.
7.2 You should check this page occasionally to ensure you are happy with any changes to this policy.
7.3 We \[may\] OR \[will\] notify you of \[changes\] OR \[significant changes\] to this policy \[by email or through the private messaging system on our website\].
**8. Your rights**
8.1 In this Section 8, we have summarised the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
8.2 Your principal rights under data protection law are:
\(a\) the right to access;
\(b\) the right to rectification;
\(c\) the right to erasure;
\(d\) the right to restrict processing;
\(e\) the right to object to processing;
\(f\) the right to data portability;
\(g\) the right to complain to a supervisory authority; and
\(h\) the right to withdraw consent.
8.3 You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.\[ You can access \[your personal data\] by visiting *\[URL\]* when logged into our website.\]
8.4 You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.
8.5 In some circumstances you have the right to the erasure of your personal data without undue delay. Those circumstances include: \[the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw consent to consent\-based processing; you object to the processing under certain rules of applicable data protection law; the processing is for direct marketing purposes; and the personal data have been unlawfully processed\]. However, there are exclusions of the right to erasure. The general exclusions include where processing is necessary: \[for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims\].
8.6 In some circumstances you have the right to restrict the processing of your personal data. Those circumstances are: you contest the accuracy of the personal data; processing is unlawful but you oppose erasure; we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.
8.7 You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
8.8 You have the right to object to our processing of your personal data for direct marketing purposes \(including profiling for direct marketing purposes\). If you make such an objection, we will cease to process your personal data for this purpose.
8.9 You have the right to object to our processing of your personal data for scientific or historical research purposes or statistical purposes on grounds relating to your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
8.10 To the extent that the legal basis for our processing of your personal data is:
\(a\) consent; or
\(b\) that the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract,
and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine\-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
8.11 If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
8.12 To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
8.13 You may exercise any of your rights in relation to your personal data \[by written notice to us\] OR \[by *\[methods\]*\]\[, in addition to the other methods specified in this Section 8\].
**9. About cookies**
9.1 A cookie is a file containing an identifier \(a string of letters and numbers\) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
9.2 Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
9.3 Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
**10. Cookies that we use**
10.1 We use cookies for the following purposes:
\(a\) \[authentication \- we use cookies \[to identify you when you visit our website and as you navigate our website\]\[ \(cookies used for this purpose are: *\[identify cookies\]*\)\]\];
\(b\) \[status \- we use cookies \[to help us to determine if you are logged into our website\]\[ \(cookies used for this purpose are: *\[identify cookies\]*\)\]\];
\(c\) \[personalisation \- we use cookies \[to store information about your preferences and to personalise the website for you\]\[ \(cookies used for this purpose are: *\[identify cookies\]*\)\]\];
\(d\) \[security \- we use cookies \[as an element of the security measures used to protect user accounts, including preventing fraudulent use of login credentials, and to protect our website and services generally\]\[ \(cookies used for this purpose are: *\[identify cookies\]*\)\]\];
\(e\) \[advertising \- we use cookies \[to help us to display advertisements that will be relevant to you\]\[ \(cookies used for this purpose are: *\[identify cookies\]*\)\]\];
\(f\) \[analysis \- we use cookies \[to help us to analyse the use and performance of our website and services\]\[ \(cookies used for this purpose are: *\[identify cookies\]*\)\]\]; and
\(g\) \[cookie consent \- we use cookies \[to store your preferences in relation to the use of cookies more generally\]\[ \(cookies used for this purpose are: *\[identify cookies\]*\)\]\].
*\[additional list items\]*
**11. Cookies used by our service providers**
11.1 Our service providers use cookies and those cookies may be stored on your computer when you visit our website.
11.2 We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. The information gathered relating to our website is used to create reports about the use of our website. Google's privacy policy is available at: [https://www.google.com/policies/privacy/](https://www.google.com/policies/privacy/).\[ The relevant cookies are: *\[identify cookies\]*.\]
11.3 \[We publish Google AdSense interest\-based advertisements on our website. These are tailored by Google to reflect your interests. To determine your interests, Google will track your behaviour on our website and on other websites across the web using cookies.\] OR \[We publish Google AdSense advertisements on our website. To determine your interests, Google will track your behaviour on our website and on other websites across the web using cookies. This behaviour tracking allows Google to tailor the advertisements that you see on other websites to reflect your interests \(but we do not publish interest\-based advertisements on our website\).\] You can view, delete or add interest categories associated with your browser by visiting: [https://adssettings.google.com](https://adssettings.google.com/). You can also opt out of the AdSense partner network cookie using those settings or using the Network Advertising Initiative's multi\-cookie opt\-out mechanism at: [http://optout.networkadvertising.org](http://optout.networkadvertising.org/). However, these opt\-out mechanisms themselves use cookies, and if you clear the cookies from your browser your opt\-out will not be maintained. To ensure that an opt\-out is maintained in respect of a particular browser, you may wish to consider using the Google browser plug\-ins available at: [https://support.google.com/ads/answer/7395996](https://support.google.com/ads/answer/7395996).\[ The relevant cookies are: *\[identify cookies\]*.\]
11.4 We use *\[identify service provider\]* to *\[specify service\]*. This service uses cookies for *\[specify purpose\(s\)\]*. You can view the privacy policy of this service provider at *\[URL\]*.\[ The relevant cookies are: *\[identify cookies\]*.\]
**12. Managing cookies**
12.1 Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up\-to\-date information about blocking and deleting cookies via these links:
\(a\) [https://support.google.com/chrome/answer/95647?hl=en](https://support.google.com/chrome/answer/95647?hl=en) \(Chrome\);
\(b\) [https://support.mozilla.org/en\-US/kb/enable\-and\-disable\-cookies\-website\-preferences](https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences) \(Firefox\);
\(c\) [http://www.opera.com/help/tutorials/security/cookies/](http://www.opera.com/help/tutorials/security/cookies/) \(Opera\);
\(d\) [https://support.microsoft.com/en\-gb/help/17442/windows\-internet\-explorer\-delete\-manage\-cookies](https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies) \(Internet Explorer\);
\(e\) [https://support.apple.com/kb/PH21411](https://support.apple.com/kb/PH21411) \(Safari\); and
\(f\) [https://privacy.microsoft.com/en\-us/windows\-10\-microsoft\-edge\-and\-privacy](https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy) \(Edge\).
*\[additional list items\]*
12.2 Blocking all cookies will have a negative impact upon the usability of many websites.
12.3 If you block cookies, you will not be able to use all the features on our website.
**13. Our details**
13.1 This website is owned and operated by *\[name\]*.
13.2 We are registered in \[England and Wales\] under registration number *\[number\]*, and our registered office is a*t \[addres*s\].
13.3 Our principal place of business is at *\[address\]*.
13.4 You can contact us:
\(a\) \[by post, to \[the postal address given above\]\];
\(b\) \[using our website contact form\];
\(c\) \[by telephone, on \[the contact number published on our website from time to time\]\]; or
\(d\) \[by email, using \[the email address published on our website from time to time\]\].
*\[additional list items\]*
**14. Data protection officer**
14.1 Our data protection officer's contact details are: *\[contact details\]*.
**Free privacy policy: drafting notes**
This is a standard website or web app privacy policy, which will help you to comply with data protection legislation, and has been updated for the General Data Protection Regulation \(also known as the GDPR\).
This policy covers the following matters \(amongst others\): the collection of personal information; the use of that personal information; the legal bases for the processing of that information; disclosures of that personal information to third parties; international transfers of personal information; and the use of cookies on the website.
This document might not be suitable for you if the ways in which you use personal information are complex or unusual.
In any event, there are many aspects to data protection compliance. Publishing a privacy policy or statement containing the relevant information is only one aspect \- albeit an important aspect \- of compliance.
**Section 1: Introduction**
**Section 1.1**
Optional element.
**Section 1.2**
"Personal data" is defined in Article 4\(1\) of the GDPR:
"\(1\) 'personal data' means any information relating to an identified or identifiable natural person \('data subject'\); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
**Section 1.3**
Optional element.
The inclusion of this statement in your privacy policy will not in itself satisfy the requirements of the Privacy and Electronic Communications \(EC Directive\) Regulations 2003 as regards consent to the use of cookies. Guidance concerning methods of obtaining such consent is included on the Information Commissioner's website \(http://www.ico.gov.uk\).
**Section 1.4**
Optional element.
**Section 1.5**
Optional element.
**Section 2: Credit**
**Section: Free documents licensing warning**
Optional element. Although you need to retain the credit, you should remove the inline copyright warning from this document before use.
**Section 3: How we use your personal data**
Article 13\(1\) of the GDPR provides that:
"\(1\) Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: ... \(c\) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; \(d\) where the processing is based on point \(f\) of Article 6\(1\), the legitimate interests pursued by the controller or by a third party".
Article 6\(1\)\(f\) of the GDPR provides that:
"\(1\) Processing shall be lawful only if and to the extent that at least one of the following applies: ... \(f\) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
**Section 3.1**
Article 14 of the GDPR, which applies where personal information is not obtained from the data subject, provides that information about "the categories of personal data concerned" must be supplied to data subjects.
Article 13 of the GDPR, which applies where personal information is obtained from the data subject, does not include an equivalent provision.
Nonetheless, we have included references to general categories of data in this document, because this facilitates the identification of particular purposes of processing and the legal bases of processing \- information which
body
score (Sum)
Loading...
IT Ops Topic: Database
Showing 101 rows, 1 columns
body
score (Sum)
Others
337
A subject access request under Art 15 cannot be denied, and is not subject to any conditions. You must receive a copy of any personal data they have about you, and a bunch of general information as outlined in that article (for example, you must be informed of your right to lodge a complaint with a supervision authority). However:
* They must take reasonable steps to verify your identity so that they do not disclose data to the wrong person.
* They may charge reasonable fees for administrative costs if you issue repetitive requests or may refuse such requests.
* Your right to receive a copy of your data shall not adversely affect the rights and freedoms of others. That means they can redact the data they give you to remove other people's personal data.
That a credit card company denies a SAR with Art 10 “Processing of personal data relating to criminal convictions and offences” because their company or officers are under criminal investigation is a complete and amateurish misunderstanding of that article and it does not apply in this case. Art 10 basically just says that you cannot build a database of criminal convictions unless you are an official authority. This is a restriction on what kind of data may be processed in the first place. But once data is processed, you Article 15 access rights exist.
In contrast, if you exercise your right to erasure that might legitimately be denied for now if that data is part of a criminal investigation (see Art 17 paragraphs 3(b) and 3(e)).
They might have been confused if you asked for “the data concerting this incident”. You have no right to such broad data. You only have a right to a copy of your personal data that they hold, regardless of whether a breach occurred or not.
You are likely not eligible for compensation under Art 82 – that article only specifies compensation for *damages* that you suffered, and you would have to take the company to court and prove your damages there. A refusal to fulfil you Art 15 access rights doesn't directly cause you any damages. In contrast, the compromise of the data may have caused damages.
Here is what you can do:
* Check your previous access requests to ensure that you clearly only asked for your own data under Art 15, and not for unrelated data.
* Possibly, submit another request that explains succinctly, clearly, and professionally
* that they apparently misunderstood your previous letters
* that you are exercising your Art 15 rights to receive a copy of any personal data concerning you
* that they have one month to fulfil this request (see Art 12(2))
* that Art 10 does not offer grounds for refusal of an access request (which you hope their legal department will confirm for them)
* that in case of their failure to comply you will lodge a complaint with a supervision authority and will explore your options to sue them for compliance and for remedies.
* If you are very serious about this, get a lawyer to write this letter for you.
* If they continue to refuse to comply, lodge a complaint with your local supervision authority. Explain that they are unreasonably using Article 10 to refuse access to your personal data. Attach copies of your requests and their responses.
* Independently of any complaints, you are free to exercise your rights under Arts 79 and 82 to seek judicial remedies, i.e. sue them. However, this may be costly if you do not have suitable insurance.
20
Each country has its own compliance body. The UK uses the ico. You can report illegal activity there. If a company isn't in the EU, their legal body is determined by where they have the most active offices in the EU, or their partners. If none of that applies then they're De facto outside EU juris diction.
Currently the ICO are swamped, but report anyway - they always get back to me in the end.
Also, thanks for the service. They can't do this all on their own, and people explaining to them the back end violations is probably quite useful. I'd also add that you're right, this doesn't need to be complicated, and companies can often easily just respect the 'no tracking requests' that browsers have built in.
One more complication: AFAIK its actually legal to pull in all your cookies and then scrub identifying marks like your IP, so they end up with a database that says "people who like our product also like Facebook, cats, shopping for jewelry and are typically over 40". If nobody's identifiable with that database then there's no violation, so it's not always possible to tell compliance without access to their databases.
12
70% of your database is useless data if they don't respond so what are you losing by deleting it? It sounds a lot but that 70% are obviously not interested so it's no lost business for you.
5
He's a customer so his email will be in their database for legitimate reasons.
He's just opted out of marketing emails.
5
> You have to be joking, right? This is a basic way banks and businesses function. Are you suggesting a thrice bankrupt delinquent should get the same mortgage rate as a responsible young professional? You think a society could actually function that way? Are you suggesting a landlord doesn't have the right to loan out a flat to someone more likely to pay rent?
I don't think they should get the same rate. But they should be informed why their rate is higher and based on what data. That data could very well be flawed or even false, and the consumer should have the right to get insight into that to protect themselves.
> No. If you're a responsible person, and you have some basic personal responsibility in regards to what information you choose to give out to what website, this is not a problem in the slightest. Also, if that's the only thing the GDPR did, I wouldn't have a problem with it. If they made it illegal to sell data without your permission: fine. But that isn't what it is... it redefines personal data \(some of which wasn't even classified as personal like IP addresses before this\) in a way that makes it impossible for the internet or the world to function freely.
I do agree with the IP\-address being a bit of a flawed thing to include. Yes, it can be used to identify someone in some cases, but it is integral to the workings of the internet and security also. I am guessing that storing IP\-addresses will be one of the first things that are going to be moved to legitimate interest when it pops up in court.
As for being a responsible person, this law should help with that. I can't be a responsible person if a company is allowed to hide what it does with my data. Plus, it is also being a responsible person to make sure your information is safe, which you can now force by having your data deleted from databases that might very well be breached.
4
" As a website owner, I don't want freeloading Euros visiting my sites and not paying for it in some manner."
As a E.U. Resident i went just fine without knowing your site at all so far.
If it is in YOUR interest to include 500million prospector clients in your company database you will comply, if not is ok to limit yourself to other markets. As a consumer i have other options.
Good Luck to your enterprise
3
>How does that impact CCTV, such as in a business owners stores or government cameras in the public streets? Can you request that footage along with it's removal after? Or these are covered under a legitimate business case / legal basis, and are exempt from any explicit consent?
You don't need consent. Also request of footage needs to be very specific, and is possibly impossible, depends on the circumstances. You cannot (succeed) at a deletion request. In all likelyhood if you do a request the data is saved way longer than normal.
>What about as a tourist taking photos in public areas with people in the background. Isn't that capturing/recording PII data, thus requiring consent? Or does some part of the law make this activity exempt?
There is an exception for strictly personal use.
>Does a retail store need my consent as a visitor before a sales person approaches me to pitch their products/specials?
No, unless it is through emails, then it can be different.
>Does a mall need your consent before entering, that the third party stores inside acquire certain personal data with their own privacy policies and consent(but you're consenting that you're aware of this first as you'll be exposed to them via a first party), and that should any of the stores act in a malicious way or deviate from what the first party was aware of, the first party is still responsible/accountable in someway?(not quite accurate since there'll be actual contracts in place, something you can't always do with third party integrations/content online, nor always safeguard the user via some binding agreement prior). Mall visitors are going to ignore/walk past such caution/advice as quickly as they'd tick "I agree" to EULAs without reading.
No, the mall doesn't need your consent.
That people don't read EULA's or Privacy policies is not the problem of the organisation.
>A real stretch, would be as an individual data controller/processor. Does a person's own senses(sight, touch, hearing, etc) require consent to your PII that they acquire and store/process within the brain? Do I have the right to erasure on their memories of me? (might seem silly atm, but I guess it's appropriate if in the future people were augmented in such ways that hardware was involved, and it's not all that different at that point?). So where exactly is the line here
No, GDPR has a limited scope, it needs to be an (partly) automated proces, or if analog, the data needs to be stored in a organized database. See art. 2(1) GDPR
>If you're attending an event where they insist you wear a badge or bracelet, have your skin stamped or similar form of identifier/categorization, if you choose not to give consent, can you continue to enter/attend the event without a "cookie" identifier(tracking/PII) to verify your right to access?
This is not personal data under the GDPR, see last answer about the material scope. Also this proces would not be based upon consent if it would be changed so it is an automated proces.
>The last example is probably not applicable. I was thinking of this in relation to accessing a site(can't be denied for not giving consent) and being tracked(opt-in consent, but not core to functionality), but technically it's a valid legal basis(to differentiate access rights, similar to login/account) and performance(fast validation that you have the rights to go ahead).
Website (automated proces) is different from other non automated processes. Also still don't agree with the idea that denying access to a site would invalidate the consent.
3
+1. Storing any personal info on a blockchain is fundamentally at odds with GDPR. The only way that I saw (#NotALawyer) to make them compatible is to depend on a non-blockchain data source to convert from anoymized, key-lookup data in blockchain to non-blockchain storage. This allows you to handle rectification and erasure requests using non-blockchain storage.
But then, begs the question as to what benefits you're getting from blockchain at that point vs a normal database.
3
1. Its not for this account
2. That account may contain personal details such as emails and links to my other profiles that uniquely identify me. Also how should i know how they store their data in the Reddit database, it may very well have other details assign to it such as IP records that can uniquely identify back to me
3. I have no access to that account to delete it, and even if I did have access and deleted it in that account it may still be flagged as inactive somewhere in a database that could then be later hacked, leaked or stolen.
4. A GDPR request shouldnt mean I have to jump through hoops to do it, also its not just for people on the internet you can also call, write or request in person a GDPR request
3
Backups.
Backups are an area that really was not considered enough when creating the regulation. The biggest issue we are seeing is the methodology of erasing customer data from backups. If you are getting valid request from your end customer to erase their data, you have the responsibility to ensure it is erased from every location. Are you expected to somehow reload your historical archives to remove the data and then back it up again? Or if you are in a situation where you need to use your backups, have a process in place to erase all of the records you have requests for before going back into the live database? If you have a large amount of these it would easily be a hassle to manage and a few would fall through the gaps.
3
Good points both. With regards the Air France CEO, what if the data were, as is generally the case with CMS databases, more related to the role than the specific individual? i.e. prior communications with the person of that role rather with that individual? Of course if it said 'remember to ask about Sally and the kids' that'd be no good, but if it was 'remember to ask about the new 2018 offerings.', then that should be fine, no?
3
However, if the database does get stolen, you need to show, that you thought about the consequences and how secure the databases needed to be. It's in one of the last paragraphs in the GDPR - around article 80 I think.
So, if the information is essential to the users, than you would need double down on security.
3
I agree with you.
They clearly had a legitimate interest in storing the data of consenting users. And users who actively use the site would likely be willing to opt in post 25th of May.
I'm speculating here but ...
Looking at the screen shot and business model, it's probably a system that gets authentication to look at your contacts and friendlists and then suggests to mass mail / invite all your contacts to use the site so they can find the few people using crypto in that list.
The personal data held is valuable and even if the message is that the site is making a loss, having (and being able to sell) a database of 10s or 100s of thousands of confirmed crypto users is something that is valuable and should not be sold at the same time.
So whilst GDPR is annoying us all at these stages, IMHO this is a case of good riddance.
now ... let the downoting frenzy begin.
3
I don’t get it - surely they have a legitimate business interest to collect PII and make it available/searchable in the Whois database ... as long as users are informed of this then that should be fine? What bit of the regulation am I missing here.
3
I have been thinking and concerned around this for some time.
I would think that any user e.g. Dave uses linked in and uploads his contact list.
Dave is the data controller (he has the contacts emails and numbers etc). He is then asking LinkedIn to process the details to find if they are on the database or notify when they do join (they are being data processor and then retaining and linking later data controllers as well).
I think these kind of things have been dodgy for some time and GDPR may well finally be a stick to stop it from happening.
The real question then is:-
Is Dave now liable for millions of euros for breaking GDPR by sharing his mums email address with LinkedIn?
Or is LinkedIn liable for asking to collect this data?
Possibly both as Dave had no right to share the personally identifiable information.
3
I hope I have got this right, what you are basically asking: if a user of a website messages another user with personal details, in this case, a telephone number, should that message be deleted if a deletion of data is requested?
This is a gray area but the short answer is, no.
There are so many factors to consider, including the message storage type, for example, is the message encrypted (WhatsApp) or is it stored in a readable format (facebook)?
A personal message sent via a social network is controlled by the user and, therefore, is not data directly held by the network in question in the user database.
It would not be an unreasonable request to message the network in question and request this to be actioned but, depending on where you are located in the world, you may not receive the response you want.
If you are in the EU, please check out GDPR, with special attention to Article 17.
I am sorry this is a vague answer but the many considerations of each social and messaging system makes it difficult to try and provide a more accurate response.
3
I think I mirror /u/sniffles_snort, expanding on this though.
I think that it means if you get your compliance state right, and keep your users properly informed, it will mean you will have a database of users that actively want you to engage with them in some way. A massive win for marketers and businesses as well as the individuals it protects.
Now I think states outside of the EU including the US should work to mirror this legislation. International lines of commerce are slowly getting blurred and if you are dealing with EU citizens at all you will need to ensure compliance. However, I think it will be the citizens who will need to push for this change in their countries.
To the point of national security, there is already provisos in GDPR that address this and the "need" for data collection by authorities and acknowledges that consent is not always possible in these circumstances but again people need to ensure they are electing representatives that will protect them in these matters. No use complaining if you are removing yourselves from the solution.
I will also add that this is by no means a finished product and I expect that there will be challenges and amendments to it as enforcement and legal precedent is set against this legislation.
TLDR; Yes it's good because it means a more informed customer and business. Yes, there should be mirroring in the US and other territories. Yes, there will be problems or issues that will need ironing out. Overall better than what we have now.
3
"Structured data is data that has been organized into a formatted repository, typically a database, so that its elements can be made addressable for more effective processing and analysis. A data structure is a kind of repository that organizes information for that purpose."
Exactly, this goes nowhere, you obviously know better than everyone.
To go back to the subject :
To further strengthen the control over his or her own data, where the processing of personal data is carried out by automated means, the data subject should also be allowed to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller. Data controllers should be encouraged to develop interoperable formats that enable data portability.
HTML is not really interoperable and does not really enable data portability.
Good luck using those arguments where it does matter, and good luck with your control authorities if you try to use your wonderful arguments to defend that HTML is sufficiently structured to "enable data portability". XML works, yeah, but not HTML.
2
> No, GDPR has a limited scope, it needs to be an (partly) automated proces, or if analog, the data needs to be stored in a organized database. See art. 2(1) GDPR
No. Even manual processing falls under GDPR. The full article reads :
This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
As per original question : as long as it's for personal use and not intended to be used by a business at any time, the data that cybers could collect would not fall under the scope of the law, as long as it's not going to be used by a business.
2
> This covers any file or database that has a person’s name or an ID in it.
Not just files and databases but any organised storage mechanism.
Not just name or an ID, but any information that relates to an identifiable individual directly or indirectly.
2
>(As an aside, I would personally recommend collecting the IP Addresses of the visitors for security purposes.)
I don't disagree, but I believe that keeping data separate is a good idea. Making one database with only the necessary data for the project, and then putting things like information security data in another database.
2
A colleague runs a web site for booking court slots for tennis clubs. As part of log in procedure, user enters club ID number (from national database) and his site currently displays user name for confirmation purposes. A user recently complained about this. Should he change his process?
Thanks for doing this - good AMA!!
2
About the fines:
You don't just get fined out of the blue, so don't worry too much about that. The fact that you're asking for advice shows that you're thinking about it and you're taking it seriously. The GDPR is about responsible personal data handling.
You can take a look at [article 83](https://gdpr-info.eu/art-83-gdpr/) to see how organizations can "win" the maximum fine. Basically: be intentionally negligent, make sure to endanger lots of important personal data, and don't cooperate when you are contacted by the regulators.
About your service:
Are you offering a (free) service that anyone can use? How do you attract users?
If it's not a service that you're offering to anyone but rather a casual thing that you and your friends use then it's outside the scope of the GDPR, perhaps your bot is casual enough to be exempt as well. Check whether [article 2.2.c](https://gdpr-info.eu/art-2-gdpr/) applies to you.
Can anyone store any message?
If anyone can store any message then you should consider encrypting the messages while they're in your database because someone might be stupid enough to store important personal information. In turn your database might get hacked and suddenly you're responsible for leaking important information.
Do users need permission of the message creator to view a message?
If users need permission of the message creator to view the message then it shows you're taking their privacy seriously.
Can anyone request to view all their stored messages? Can a message creator delete their messages?
If a message creator can view and delete their messages at any point then you're giving them control over the information they store. You could also make a 'delete all' command to make it even easier for users to manage their stored data. Consider automatically deleting messages if a user has not used your service for a certain amount of time.
2
agreed 100%. Did the same thing with all my small business clients.
i might have an additional quick question related to mailchimp though.
if you have a client with very small email database (<2000), mostly from U.S, whereas the business is located in Europe ; would having an active opt-in form and email notification about being GDPR compliant with updated privacy policy enough or do you really have to create new segments and ask subscribers for a consent (which would result in huge email loses.)
2
At least one person gets it. Here’s an example. Two vast databases of personal information and a device database of billions all for sale to anyone who can pay. Wait till the end when someone asks how to get off the database if you’ve bought a second hand device:
https://youtu.be/cZ762pJXA8c
In this example the GDPR gives you a right of access to see what they hold, the right to correct inaccurate data and the right to erasure in some instances.
It also requires a legal basis to process this information before they even start. The existing cookie regulation requires consent and GDPR requires informed or even explicit consent in some cases.
The OP is obviously fine with all this.
2
Deleting an account doesn't necessarily mean Facebook has deleted your data from their databases and the databases of the people they sold your data to. It just means you no longer have a facebook account.
2
Every single story of abused people I've seen contained no data which could lead to identification. It's unreasonable to post said stories with first and last name of the abuser. GDPR or no, that is not allowed (potentially after the abuser was declared as such after a final verdict of the court case, but I don't know enough on the matter). Those stories also tend to have a changed name of the victim, and even if not, it's only first name (unless it's someone famous).
Even if it's imperative to present full disclosure, GDPR has you covered. As long as no art. 9 data is involved, art. 6(1)(f) with legitimate interests could be used to justify publishing such story. And then, with art. 9, there is also a special exceptions for organizations. So no, you don't need any consent from the abuser if other grounds for processing are present. As long as his interests are overridden by the action at hand, the organizations will be fine.
Also, I already told you - you are NOT a controller nor a processor in terms of Reddit (nor any other service you use as a regular user). You are merely a data subject. The only exceptions for a regular user would be if you're an admin of a subreddit or you own a Facebook page.
You are, however, a controller, when it comes to the data you gather in the process of your business. So those records of payments, notes and stuff, you are a controller of that. Now I see what you struggle with - Gmail being a controller of all mails, and you being the controller of the data you have in mails on Gmail. But Gmail is the controller of all data they have, and you are only a controller of the contextualized data you have access to yourself. You are a controller of data that is contained on your mail account, but as long as you control data in private manner, this is out of scope of GDPR (personal and household use of art. 2(2)(c)). That changes when it's not your personal use, but work, as then it falls squarely under GDPR. So yes, in terms of all work-related data, you owe the data subjects the rights they have (access, deletion, restriction, etc.)
Also, as I understand, you keep contacts as 'J Smith' and so. So if one of your databases is compromised, the invader won't know the full names and anything more. However, I assume that there is some other database or matching the contact names with actual names (e.g. the person's mail will indicate 'John Smith'), and maybe another one with phone numbers. If all databases are compromised, full data can be achieved. This is thus pseudonymization. It's a great mitigating factor, and this will certainly lower the fine you may hypothetically get, but that does not relieve you from the GDPR.
Lastly, about notification, look at art. 33(1). You're obliged to notify the local data protection authority, *unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons*. You only have to notify the data subjects if there was a high risk to their rights of freedoms (art. 34). It may well be that the data you control is unlikely to result in any actual risk, so you don't really have to do anything.
2
First, please provide more detail on your application. Include details like if you're using any third party services such as AWS or APIs as well as if there is a database or DB-like component. Is it comprised of a single server or does it involve multiple hosts? What services are your servers running? It sounds like you're more concerned about apache/nginx logs than actual system logs captured by rsyslog and friends. Let's not even get started with the fact services/applications don't necessarily have to log to /var/log.
The more typical approach to logging is to log to central server such that local host logs can't be deleted or tampered with (as would be the potential with a host intrusion).
Second, your course of action in disabling system logging is very bad. Doing so presents a net and infosec oversight not to mention a very poor operations paradigm. Without visibility into what's occurring on your system(s), you are unaware when things go wrong until they've gone wrong. "Going wrong" can encompass any number of things. Service dies, host experiences hardware failure, an intrusion occurs, network issues, etc.. When something "goes wrong" it may be much harder than necessary to root cause and address due to lack of logging.
Disabling host logging is not going to make you magically GDPR compliant. This is why I ask for more details. Unless your application is incredibly simple/limited, limiting data processing/storage is usually not going to be so straightforward.
2
Great, I took the data in this link and used the comments with some corrections and just sent it out to our sysadmin and big data team, they are going to try to get some stuff done with in terms of file server and database scanning.
2
Hahaha chill out my friend, there's no need to be so angry!
First, we're talking about a European Regulation, not US law. Which means that "going to court" isn't as easy with the GDPR. The data subject would most likely have to file a complaint to his supervisory authority, which would in turn investigate to assert whether you are knowingly processing data from data subjects on EU territory.
In that case, the proof kept in your database is a great start.
There's also a recital (recital 23) in the GDPR which you might find interesting:
*In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.* ***Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention*** *, factors such as the use of a language or a currency generally used in one or more Member States
with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.*
2
Hi,
You need to think about the security of the information you process, GDPR is not all about the list, it is very much about the company and how it protects the data entrusted to it. It is not called the General Data **Protection** Regulation by accident.
I assume however you are wondering what lawful basis you should use with the data you process.
1\) Direct Workers \(Employees\), as an employer you need to process personal data to comply with your legal obligation to disclose employee salary details to HMRC. You should document this lawful basis in a Data Protection Policy.
2\) Indirect Workers \(Suppliers, Contractors, Advisors, Consultants\), you should consider using Legitimate Interest as the lawful basis for processing personal information on indirect workers.
In both of the above examples, it is important to bear in mind both the rights and principles of the GDPR. For example, if a worker would like you to remove them from your database then you must, if you profile your workers in order to create a reliability score then you must inform them of this, if employees leave then you must remove information that is no longer necessary to perform your legal obligation as per your Data Protection Policy although you can keep certain information to help in the event of a future claim against you.
Hope this helps
I run [gdprcheck.com](https://gdprcheck.com), would you mind if I posted your question on my site to help others, the employee bit is a very common question.
Duncan
2
I am in a similar situation. Article 11 Section 1 covers it. It basically says that if you are not keeping databases of private data, then you do not need to create one just to comply with the GDPR.
I am not going to create a database just to manage proof of consent. I am going to store the consent on the device. If the user consents or does not consent, or has not chosen yet I will store this flag on the device in the usual way that I store other data. It will get deleted when the app is deleted. I will certainly not be creating extra databases or data to record this consent, the law clearly states that this is not what it is about.
2
I certainly agree with you that it doesn't have to be an email and it isn't a contract. It's just information.
"A data subject is required to be informed". Updating your privacy policy on your website in many situations is not enough to be able to say "We have informed the data subjects" as a good portion of them may never visit your website, or do business with you ever again and will never see the privacy policy. In which case it cannot be said that they have been informed.
At the end of the day, IF \(fairly big if, but the fines are also sizeable so the risk is worth implementing a countermeasure\) you are audited, can you prove that the data subjects have been informed? An email trail would help with any potential audit and that is one of the principle reasons \(well that combined with the fact that their databases contain millions of data subjects so the risk is BIG\) why companies are sending out email notifications with links to their privacy policies.
Many companies are also asking for consent to send marketing communications and/or consent for processing \(where they can't / have decided not to use legitimate interest\) because they have taken the view that their original consent was not up to the spec' required by GDPR.
I agree collectively it's a shitty customer experience, but if you do it now there is low risk of reputational harm \(and anyone holding a grudge against you in particular\) as there's just too many to remember.
2
I did the research myself, and as far as I know, there are 12 countries supervisory authorities that has a searchable registry on their website. Some sites has the a form to register, others I assume is just displaying company information from other databases. So far, from what I have seen, only UK and Ireland charges a fee to register. This is hard to research as most of these websites are poorly made.
2
I have reported it to Trustpilot & Thuiswinkel (dutch trustpilot kinda).
I am not able to actually make a report to my GDPR authority because it isn't about MY data, so I can only tip them and not make a complaint... I am considering buying a product for 3 euro's than sending it back, just so my data is in the database & I can see if first my name (fake ofc) will pop up & so that I can fill in a complaint.
Secondly I am typing up a message for their customer support at this moment but finding it hard to find the words.
2
it's not because you can highlight part of the text that it makes it a database or a "structured" file.
And it's not because a text is separated by paragraph tags that by magic it becomes a structured document.
Structured semantics does not mean CSV or table or any kind of structure.
Even more when you quote a COMPLETE sentence :
by denoting structural semantics for text such as headings, paragraphs, lists, links, quotes and other items.
Very nice way to demonstrate exactly the point I was trying to make, thank you -> HTML is used to format text.
2
Well, try to use undocumented tags with HTML and see what happens. XML is designed to store DATA, not text, so you can document the structure of your data, with a schema, and use any tags you need to structure your data. So I maintain everything I've said since we started this useless banter as obvioulsy you are mixing up HTML and XML. HTML is designed to markup text using semantics / formatting tags. XML is what you are thinking of when you talked earlier of structured data.
The point is moot : I would love to see you argue in court that HTML is structured, as XML or a database could be, and see the result.
The portability of Steam data is insufficient as per GDPR requirements, HTML is not sufficient to allow anyone to import the ported data for further processing. XML would work, but it's not what they are doing.
Enjoy your week-end, I'm done hitting that dead horse.
2
XML can be used to store databases and is used to transmit data. HTML not.
2
You do realize there is more type of data to be stuctured that doesn't fit in a table in a database. Have you never questioned the purpose of paragraphs and headings when reading an article? We use those structures in writing to break up and organize information to be processed and analyzed by us humans. HTML is flexible enough to be able to structure different types of data in a single file. Articles, essays, tabled databases, lists, definitions, and more.
I don't know where you get HTML is not interoperable. HTML is by far the most common format there is, the entire internet uses it to share information. There is countless means \ tools, to pull in HTML, to process it, pulling the information you want out of it.
So tell me how does XML a markup language serve the purpose but HTML does not?
2
**Examples of International Transfers**
Although many international transactions obviously involve transfers of personal data overseas, there are some situations where it is less obvious that an international transfer of personal data is taking place. In some instances, organizations may perceive that they make no international transfers of personal data, when in fact the reality is otherwise.
The following examples of international transfers are offered to hopefully widen the reader's perception of the types of circumstances in which the GDPR's provisions on data exports will become relevant:
1. A multinational organization, based in the United States, with offices in the UK and other European countries, maintains a computer network that connects all its sites. Considerable quantities of information (including personal data) are regularly transferred between various points on the network.
2. A UK company engages in cross-border list rental whereby lists of customers or marketing data are transferred to organizations abroad.
3. A German company's entire database is transferred to Spain as a result of the purchase of the company by a Spanish organization.
4. The forwarding of an email containing customer details by a person in the UK to a person in Hong Kong.
5. The transfer to India of files containing digital voice dictation for the purpose of such data being converted to Word documents (e.g., letters) before being returned to the UK by email (cross-border digital dictation outsourcing).
6. The HR department of a global organization with offices in the UK is to be moved from Ireland to Singapore.
7. A UK company publishes the names, home address, and mobile telephone numbers of its staff in an internal directory, which is made available to branches of the company located in third countries.
**Scope of Data Transfers**
The concept of transfer is not defined by the Regulation. However, transfer is not the same as mere transit. Therefore, the fact that personal data may be routed through a third country on the way from an EEA country does not bring such transfer within the scope of the restriction of the Regulation unless some substantive processing operation is conducted on the personal data in the third country.
In practice, there are two common situations that have been a source of concern in the past, but that are not subject to the restrictions on data exports:
1. Technical routing of packet-switch technology (such as internet email and web pages), which may involve random transfers of personal data between computer servers located anywhere in the world; and
2. Electronic access to personal data by travelers who happen to be physically located for a short period of time in a place that does not afford an adequate level of protection --for example, a person who logs on to a computer system based in the EU to access data from a foreign airport.
In addition, following the European Court of Justice decision in the Swedish case of *Bodil Lindqvist*, where an individual merely loads personal information onto a website that is hosted in that state or another Member State so that the information can be accessed by anyone who connects to the internet, this does not necessarily constitute a transfer of data to a third country.
However, where there is an international exchange of information about individuals with the intention of automatically processing that personal information after it has been exchanged, that should be regarded as a transfer for the purposes of the Regulation, even if the original exchange does not qualify as processing of personal data. An example of this would be where information is provided by someone in the EU over the telephone to someone in a third country who then enters the information on a computer.
**Remote Administration of Servers**
When the big technology companies offer 'local' data storage on servers in the EU, generally the maintenance and support of the servers is performed by teams based in the EU, precisely in order to avoid doubts regarding possible remote 'processing' of data from outside the EU.
The key question is what does server "administration" mean exactly and how one can ensure that any of the functions performed when "administering" the server do not constitute "processing" of the data stored on the server (bearing in mind the very broad definition of processing below). If you do anything that constitutes an "operation on the data", including but not limited to storing it, encrypting it, moving it, restructuring it, making it available, erasing it or destructing it, then administration of the server equals processing of the data stored on it.
1
i do have everything on the privacy policy but i cant be sure there is no one that i know that can check it
my website is on en and heb i cant be sure if i will have eu i know i will have mosly israeli players but eu i dont really know
i live in israel and will host the website on israel like the game server are host on eu i cant really be ompliant because its just game server that playing in it nothing much yes its log ip but this is mosly game server work its log it on the database for bans and sercurity and i dont know what the game server host collect
i want to try to be compliant but there is no one that can help me i did privacy policy and tos i still doing but there is no one that can really check it if i did it good
i dont really want to get fine or problems with the gdpr i see alot of israeli communtiy that have eu players but they just dont care about it
1
... unless you use it in a non-compliant manner (e.g. pull that data and make a marketing database of some sorts).
1
"a large database of donors and followers"
Which means that you will be mailing them with requests on donations so it's purpose is marketing. Is consent also required when you have a business to business mailinglist with no marketing purpose? For instance a mailinglist on are services up or down?
1
> I thought a private person would not need to comply with GDPR.
Poor phrasing from my part. This is what I mean. Although it is not entirely true also: if you enter into the personal business of selling personal data without a registered legal structure, you're still in violation of the GDPR (among others).
Now, in the database in email shared among the HR service, it's still a matter of internal controller vs. internal processor. The IT service is only the processor. Their role is to deliver a service securely to HR, and comply with their order. It's the HR department that is the data controller, and therefore responsible for managing its processes involving personal data. If you want to know what the HR department thinks of you behind your back, ask them, and see what type of response you get.
1
> Am I being needlessly difficult?
No, it is your privacy, your data, it is only up to you how 'difficult' you want to have it to be able to 'use' their services.
> Is it reasonable to expect a mobile telecoms operator to have a photo of you and your passport number?
I don't think so, I have no clue why they would need a face that goes with the data, or why the passport number is even useful to them.
What they are required to do for their law, is on top of what they are required to do for you because you are a UK citizen, so if your law requires them to encrypt your data and give you the right to delete it (For example when you aren't their customer anymore) than they should do so at your request. even if Italian law would be that they need to keep the data for x amount of years.
I wonder what their follow up it gonna be, either they are going to tell you, you can't be their customer, or they will accept the passport anyway.
For me, personally, I wouldn't want them to have the GPS of my bike + my face & passport number, if someone would breach their database that user could easily impersonate you, steal your bike, and get away with it.
1
> Anyone who can get hold of my data could conclude" By themselves? Will this require access to another set of data?
There won't be a name of the patient and no date of birth (but age at time of treatment), but the practice and dates at which measurements characterizing a treatment were recorded would be stored.
Assume a worst case full data breach (of the data we hold, not the data matching these records to the patient). I would see both below examples as maybe a little contrived, but possible.
If patient x, y and z have all the same operation and x and y have presented themselves for a few checkups at specific intervals. If Patient z is still due this checkup, then a PI waiting outside of the practice could identify the date and a subset of people one of which would likely be z. It would need a fair bit of additional subject matter experience but it's still possible.
It would also be possible if this data is breached to identify if a health condition has been improving or worsening. Here in the UK it can be mandatory for a GP to release certain basic information about a patient who is absent from work to his employers. Disagreeing to this can as far as I now give the employer the right to terminate the employment earlier. An employer could potentially make an informed guess to match the information they have on the employee/patient to a breached database and thus conclude a prognosis given third-party medical advice.
1
> Blocking EU users would be very, very stupid for a company that has a very large portion of its user (and customer) base in Europe
Why? If you've ever looked at ad revenue per region then you wouldn't clearly noticed that Europe pays multiple times less in ad revenue than the US. If Europe then adds conditions that make it even worse then European users end up being a negative.
>You are allowed to keep the backups without altering them in case of deletion requests, but you cannot save them needlessly.
I do understand. But then I have to construct a second database and system that deletes the data that has been requested to be deleted when using the backup. That's going to be a nightmare if something goes wrong.
>You just need to store it in such a way it's no longer considered personal data, which is really not difficult.
Basically everything is personal data under GDPR.
>If you save all personal data forever and you dont have valid reasons to do so, privacy is breached.
It's not because the user gave this information away freely. GDPR tries to pretend that this is how it should be, but real life doesn't work like that regardless how much Brussels bureaucrats want it.
>The data will not be in the hands of FSB.
Except that the GDPR does not concern itself with state organs nor do these rules apply to EU institutions. Oh, and don't forget the millions of websites that don't and will never comply with GDPR.
>Without GDPR or similar regulation, your data is not safe.
The data is not safe even with GDPR. In your example GDPR would make you feel good but provide no benefit because of what I mentioned above.
>We dont know what countries that in 20 years will use personal data gathered from annexed countries or hacked backups.
And as was mentioned above: the GDPR will not help in this case.
Now consider that Europeans very often use websites that are outside of Europe because we seem to be unable to create services that people want. There are no guarantees that those services outside Europe will give a single damn about this law. Congratulations, you made European websites even less competitive.
>but if thats what they want to do, thats fine with me.
And this is why GDPR turned me from being pro-EU to anti-EU. Because other people are fine in Europe with being screwed over as long as they get feel-good legislation that's going to hurt our IT sector.
1
> Dont think EU has no control of over you. The law is setup in such a way to protect EU citizens from any company using their personal information.
I don't think they don't, I know they don't.
> However, consider this. It only needs one customer to ask his information to be removed from your database. And how are you going to answer him? By not replying? That won't look good.
I've already had two. I responded with a denial, and sent them a link to the declaration of independence along with an offer to pay for a book on how jurisdiction and soverignty works.
1
> It would be down to the original company to notify anyone on their database that they are going to cease doing business and close down the website.
Which works for already registered users. But this is assuming a user that never heard nor used software from that company prior to the event, and just discovered this piece of software. The company has no way of notifying them.
> The scammers would also be at fault as they are knowingly breaching GDPR
I should have phrased my question better by asking if it would *just* be the scammers at fault.
E: Fixed the phrasing.
1
> there is a forum who it's unused
The forum is no longer used?
Then you need to anonymize all personal data (such as usernames), prevent logins, clear out all IP Addresses from your database, clear out all e-mail addresses from your database, and ensure that no data that can be used to identify an individual exists. You then need to destroy any backups of your forums containing that data.
If the forums are no longer used, you do not have a reason to keep that data any longer.
1
> You don't need consent. Also request of footage needs to be very specific, and is possibly impossible, depends on the circumstances. You cannot (succeed) at a deletion request. In all likelyhood if you do a request the data is saved way longer than normal.
Fantastic, so is that falling under any part of GDPR? How does that apply to a service on the web?(Such as those that sell CCTV monitoring products with web viewers/tools) There are some SaaS out there I believe that provide storage and remote viewing to users. Are these businesses treated in the same way?
> Also request of footage needs to be very specific
What kind of specific and why? They've got PII data of you in the footage, is your identification along with date/time and location not enough?
Does this equally then apply with a users IP? Sometimes cited as personal data, sometimes not(one of the threads about gdpr on reddit link/cite a ruling in germany where it is considered PII, even when obfuscation or masking by stripping out some data was done).
I'm pretty sure ones own photographic identity qualifies far more as PII than the IP address would have. So how can this be applied to the usage of IP addresses to be exempt like in this CCTV footage containing explicit PII?
Providing additional PII that verifies/links that the requested occurrences of an IP address(since each record may not actually represent that particular identity, and technically a user can very well have multiple IP addresses via home/mobile connections, public wifi, internet cafes, etc), actually are related to the user requesting deletion of such records, is not sufficient evidence to approve such an action?
And that's legal under GDPR? It'd be rather difficult to prove such, especially if the full IP isn't retained, and no other PII information was stored by you that could identify the user. Far more difficult than that CCTV footage could be verified.
---
> There is an exception for strictly personal use.
So if I capture analytics data, strictly for personal use of my site, I don't require consent from the user of what I store?
Is it any different from the tourist taking multiple pics or video for personal use, but inadvertently acquires personal information(photographic identity, location, time/place, activity, etc) of those in the vicinity, which they may share with their friends on a social network privately or publicly.
If it captured something interesting/funny, in particular of one of those background individuals, perhaps it goes viral. What happens now? Still considered personal use?
> No, unless it is through emails, then it can be different.
Eh? So I don't need any consent to serve relevant ads based on a visitor to target them to products that could interest them?
That sales rep(including third parties that put up a stand to promote a product) doesn't require consent to profile you based on any information you've walked in with(clothing, style, any accessories that indicate/express interests), or if they've seen you previously and now have prior information, perhaps the sales rep worked at a different store in the past, etc).
> No, the mall doesn't need your consent.
So consent for iframes that aren't same-origin, where those 3rd party vendors may do something with your personal information, isn't required? That responsibility falls onto those vendors handling their content presented in an iframe as if someone had visited their own site?
By having those iframes, regardless of what they do, I do not have to be aware and keep track of what they're doing in regards to GDPR and seek consent from users?
> No, GDPR has a limited scope, it needs to be an (partly) automated proces, or if analog, the data needs to be stored in a organized database. See art. 2(1) GDPR
" *This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. * "
Aren't our biological inputs automated processes? And our brains store information, we remember/lookup that information, is it not technically a form of database?
> This is not personal data under the GDPR, see last answer about the material scope.
The identifier for tracking if you've been to the event or have access to the event isn't considered personal data? It may contain a UUID which I thought can contribute to being classified as PII similar to how IP addresses can? It'd also link you to a location/event at a certain date/time, along with interest.
The automated processing would be in gaining access quickly as the identifier confirms you've already been seen/processed before. Prior to gaining the identifier, some exchange was met, and you may end up in a database before collecting your identifier as you are about to access/visit the service/event/location, or it was first in first serve for a certain amount of visitors on arrival.
1
>No. Even manual processing falls under GDPR. The full article reads :
and to the processing other than by automated means of personal data which form part of a **filing system or are intended to form part of a filing system.**
This is an organized (non electric) database
1
A bit odd you don't state **you are the site owner and create a title that looks like a 3rd party post.** You could clearly have posted here for advice, there has been some excellent feedback to others who have done so.
I've had to take legal advice on GDPR as well and believe you'd have a perfectly legitimate interest case as long as you allow users to remove themselves from your database and separate identifying and pseudonymous data so that any such users can be removed from backups or at least become pseudonymous in the process.
All I see GDPR doing to you is to remove the value the data may have for bulk emails or selling the data onwards which GDPR pretty effectively stops in the tracks.
I do agree that the EUR 20M fine is a terrible move which means large companies get away with relatively low risk whilst individuals and small business risk fines that can be multiples of their revenue.
1
Actually have been thinking that an separate database with all the change requests is accessible via API and restoring a backup would also update it based on the change list (please forget me, please freeze my data etc)
1
Are you saying that there's a difference between an explicit field in database specifying someone's ethnic origin and possibility of deriving the same ethnic origin using other data without actually storing the ethnic origin anywhere?
1
As a belated response:
* **Processing in the context of employment** is more difficult, because the GDPR largely delegates that to member state law. This could make things easier (e.g. by providing additional legal basis for processing) or more complicated (e.g. protecting employees from being forced to consent).
* As a service provider you may want to be a **Data Processor** instead of a Data Controller, because that lets you give most of the compliance obligations back to your clients. This requires that clients sign a **data processing agreement** (DPA), which lists your and their obligations and under what legal basis you will process data in non-EU countries. In practice, this contract should be based on the **Standard Contractual Clauses** published by the EU, except that the most recent version was not yet updated for the GDPR. Tip: contracts are not generally subject to copyright so you can borrow parts of the data processing agreement from other services, but you will still need a lawyer to ensure the thing is legally valid in your jurisdiction (international contract law is a bit much for lay persons like us).
* If you are a Processor you don't need to manage legal basis of processing and erasure requests yourself, you just need to **assist the Controller** (your client). In practice this should be some admin interface where data can be exported or deleted and so on.
* The third party that you send emails through should be a (sub-)processor on your behalf. You need to sign a DPA with them as well. Note that if you are a Processor, you can only change subprocessors with the Controller's consent. In practice this means that you'd alert them a month in advance and they can either accept the change or quit your service.
* Despite not being a full Controller you still have compliance obligations like keeping **Records of Processing**, essentially a table where you list all the kinds of processing you perform. Small companies are usually exempted from this, but it's a good tool anyway and you aren't exempted as the data processing is not occasional.
* As a processor, you do not need a **legal basis** for processing because you are merely performing processing on the controller's behalf at their explicit instruction. Were you to need a legal basis, **consent** shouldn't be your first choice. Instead, **legitimate interest** is often better, though that first needs a check where the data subject's interests and rights must be balanced against the controller's legitimate interest.
* The **right to be forgotten** can be tricky. To what degree it has to be honoured depends on the legal basis for processing (e.g. you can't keep any data if the basis was consent, but you may not have to honour the request at all if there is an overwhelming legitimate interest to keep the data anyway). Deleting metadata by assigning the items to “deleted user” can be a good choice. A pseudonym like “user123” can also be OK if the controller's legitimate interest requires that different items are still attributable to the same user. However, be aware that pseudonymous data is still personal data! There might also be personal data within the user-generated content, not just the metadata.
* Whether you are controller or processor, you have various basic obligations such as taking **appropriate organizational and technological measures** to ensure the security of processing. Measures should be proportional to the risks you face. You have a lot of leeway here to use your professional judgement, as long as you can explain your choices.
* Encryption in transit like TLS/HTTPS is a minimum baseline that can be expected for any website.
* Encryption at rest is more debatable, but storing your database on an encrypted filesystem is a clear best practice. To which degree this is possible also depends on your cloud provider.
* Organizational measures include things like controlling which persons have access to the database, and your internal processes you use.
* If you log in through your laptop, how do you protect the keys on the laptop? Passwords, full disk encryption, password managers… Threats might include generic spyware through viruses, APTs that are targeting your clients, or simple theft of your hardware.
* Security of processing does not only mean preventing unauthorized access/Confidentiality, but can also imply ensuring the Availability of the personal data (compare the C-I-A triad). This is not only a contractual SLA question, this is also a GDPR compliance question. For example, you may need to take frequent backups to ensure some amount of availability. Again, use your professional judgement.
1
As an American and small business owner, I have no problems with most of the privacy regulations. It's the 'right to be forgotten' bit that I take issue with. It's onerous and probably not feasible for small companies.
My site has millions of individual HTML pages for mailing list archives dating back to 1995. Everyone who has their messages in the archives gave consent, but now, if somebody changes their mind I have a *ton* of work to do. I have to search through all of those files and find which ones have their information. Then I have to remove those files and update all of the HTML pages that link to them. These aren't in a fancy database where I can just change a link -- this is raw HTML from the early days of the web.
1
As people have pointed out the human mind is clearly out of scope. But if I'm understanding this correctly the argument is that of the former employee then writes this PII into an in scope system like a file system or database then the original employer in some how at fault. This isn't the case since the data was exfiltrated through an out of scope means. That being said proving this would be difficult if a employee with a very good memory, the right access to data prior to leaving a post and a grudge could expose PII public on say pastebin and there is no way to prove how that data was exfiltrated. In these cases the company would have to fall back on to it's GDPR compliance documentation and data security documentation to prove its not in the wrong.
One final note if the employees new employer was found holding PII they didn't have the right to hold then the new employer would definitely be in the wrong.
1
At the end of the day it will be Google (to stay at that example) that has data in their database, which require consent, but to which no one has the consent. I'm no lawyer, but I don't thing that judges will care how they got into their database specificly.
I can't imagine "but they promised not to deal with anything E.U. related" would be a valid defense in court.
1
BAU - Business as Usual - the people who will have to cope with any changes you might make as a consultant after the GDPR "push" is over and it becomes a set of embedded processes.
I've done this three times for 2000, 4000 and 500 staff. In the larger companies we had a lot of databases and different types of data processing - most of it "sensitive" data. We had in the end about 10 Excel files, each one with about 10 tabs for each business area. However, we shared data with around 1000+ processors - each one required a Data Sharing Agreement!
1
be aware: they rip all your contacts to add to their database! So you share your contacts lists with them.
&#x200B;
[Website](https://findnumberapp.com/en/about)
[google play store page](https://play.google.com/store/apps/details?id=com.poztech.numberfinderapp&pageId=none)
I don't know if they are on Apple devices
1
But do I have to geo-restrict the data to the EU?
We have a prod database that lives on AWS in Canada. We'd like to continue to store personal data in the database that lives in the Canada region.
Anything involving keeping specific data in databases in specific physical regions is overly complicated and we'd like to avoid this if possible.
1
But the IMDB is not a database of famous/public/celebrity people - it is a database of people involved in the movie/tv business of which the original post apparently was in the past.
1
Change management could simply be a documentation update.
If you just want to be able to react to your database change, you can't simply avoid the need of an Impact Analysis... Which must be done prior to the change, with the DPO preferably. So change management will be a must, and an update to all processes to assess whether a full DPIA is required before starting coding.
Now all depends on how you manage your internal processes, you might probably already have a change management process in place to ensure that new code don't break anything that already works. In that case, update the process to remember to use a DPIA when needed.
1
Dont think EU has no control of over you. The law is setup in such a way to protect EU citizens from any company using their personal information.
If you have a small business or only a small portion of your customers comes from EU, you are probably right.
However, consider this. It only needs one customer to ask his information to be removed from your database. And how are you going to answer him? By not replying? That won't look good.
If you invest a day into this subject, you have the basic answers and you can professionally answer any incoming question from a customer.
1
Email is more straightforward than calls, since ePrivacy limits your options. If these are previous customers then you'd have to give them a clear opportunity to opt out at the time you collected their details. If you did that and they didn't opt out then you're likely to be OK, as long as there's an unsubscribe option in any message you send. If they're not previous paying customers then you can't email them without consent.
The ICO suggests that legitimate interests can be an appropriate basis for marketing calls as long as there has been no opt out and the number isn't registered with TPS.
However, you then need to consider the balancing test. The ICO loosely paraphrases this as considering whether people would expect you to use the data in that way, and any potential negative effects your marketing could have on the recipients. In general, a one-off "we're just working through our database checking if you're still interested" call might be OK, but if you work at a casino then calling or emailing lapsed customers might be a brilliant way to cause recovering gambling addicts to relapse. If you offer payday loans then contacting people who haven't taken a loan in a few months might perfectly target those people who are just getting their finances back in order and cause them to fall back into a cycle of spending money they can't afford.
1
Error: SQLSTATE\[HY000\] \[1044\] Access denied for user 'u685279342\_argo'@'localhost' to database 'u851190737\_argo'
Since I'm unable to read the article, I'll just say that the data subject has a lot more rights under GDPR, which suggests a lot has changed.
1
Exactly.
This works the same way for the situation where someone asks to have their Personal Data erased from someone's database. You need to record that you erased that subject's data, so you need to keep some identifiable record of it. There's even an article that talks exactly about that exception (can't remember which).
Btw, the "Cookies' law" was set before the GDPR.
1
First, don't worry: the GDPR is not about catching small fish, but about containing abuses. If you are at peace with what you do with your customer files and your payroll data (the 2 main sensitive databases in a regular company), you won't get much more than a few sweats if by extreme bad luck you get audited. The only thing that could be sensitive in a regular company is if marketing is doing some borderline things with the customer data, such as reselling it or crossing this data with other datasources behind the back of the customers. This used to be tolerated, but requires caution to do right now.
Next, you should still take the issue responsibly and proceed to actually trace and understand what is being done with personal data in your company: what data you collect, who controls it, how is it stored, what processes you run on it, and what safety/emergency procedures you have to contain security risks. This sort of internal audit is usually useful in all cases.
But first of all, your company should designate a Data Protection Officer (DPO), who will oversee the whole compliance process and be responsible for it. This person can train herself in just a few hours of browsing the web, there not much to know unless you work with sensitive data. And, depending on the size of your databases, assuming a mid-sized company with 100 employees and a few 1000's of customers, plan a few days of work doing the audit, then a few hours every other month to ensure you stay clear in the law.
1
For the record. i am not a laywer. Just a guy making his living in giving aid to companies who struggle with GDPR.
The GPDR excludes data for personal and household use. With household, think of your hobby's.
If you use business card for personal use. No problem. You don't need consent. Just like the contacts \(names and numbers of other people in your phone. They are for personal use.
However, if you store them in your company CRM database with the purpose to share information with your colleagues, this data is subject to GDPR compliance. And you need their consent. This leads to a strange catch22 situation, that **before** you accept the business card you need their consent to process their information. \(???\)
To solve this, i use common sense.
\- The business card is given out of free will, with the expectation that you use the information to contact him/her \(the intent is clear\) So you could argue there is implicit consent for you to process the information. =\> In court this will not hold, since formally you need explicit consent.
\- I have no direct financial gain in storing the personal data =\> not a solid argument, since in a business environment the contact exchanged to create some financial gain, possibly on both sides
\- If there is a contract between their company and yours, one could argue that this kind of data refers to the consequence of fulfilling the contract and thus part of the informationprocessing agreement which you needed anyway.
\- in Dutch law there is a clause 'redelijkheid & Billikheid', roughly translated as "reasonableness". The means for a heavy GDPR procedure is not in balance to the risk of a business card abuse. So a lightweight process should arguable be sufficient.
For example: I don't have formal consent, however the use and access to the CRM database is part of our regular IT security policy. And therefore I have reasonably done my best to comply to GDPR.
Feel free to comment.
1
from the perspective of the company that owns the old database.
1
GDPR breaches mean loss of confidentiality, integrity or availability of personal data of natural persons residing within the borders of the EEA. Breaches are reportable if they impact on the rights or freedoms of data subjects. So for example, a hack of a database leading to ID Theft of customers is a reportable breach. If a hospital copies medical records to a USB stick, and it's lost in the post, that's a reportable breach. If a rogue employee deletes personal data of fellow employees without authorization or permission, that's a reportable breach. If you need more help, ask about paid consulting.
1
Good question! I don't think a Geo IP from Europe would result in different results, as the results are based on the response of the website.
I am using a droplet from Digitalocean in the AMS3 (Amsterdam) data center. I am assuming you are referring to a result you've got from an Geo IP lookup database. Unfortunately Geo IP databases are often not updated in real time. You can see via [https://ping.eu/traceroute/](https://ping.eu/traceroute/) that the server is located in the Netherlands.
1
Gotcha. I come from old school mysql and its' been years to that effect to forgive me for butchering this.
So in this case you have another database (or table) that just holds deletion requests? And when you restore the main database (say your customer lists) from old backups, you run a script to delete anything in the body of data that's list in this table/database.
Ok, but the point of deleting data, or the right to erasure is so that the organization no longer has access to your old data. Right?
So effectively, your organization still has access to the old data.
I mean I can see if this is automatically done by a service provider like Salesforce, but what if your database in-house?
1
Great reply, thank you! Would you say the same applies to an otherwise anonymous IP recorded to the WordPress database by a security plugin \(like Wordfence or Sucuri\)?
Also, if the server\-log or security\-plugin record includes the User Agent string, along with the IP \(as many do\), does that change anything?
1
Guess you'd need to implement a 'quick and dirty' temporary cover up solution here, especially if your company's blocker is development availability time.
A potential suggestion could be to make a GDPR compliant duplicate of this database, and host it on a GDPR compliant server, even if this duplicate would be non functional for the system it's supposed to support; for now it can rely on the actual DB(the non compliant one)
Consider it a decoy DB.
In case that anyone comes knocking at your office door; you point out this DB. Most likely the first audit team will not be technical minded.
Be warned tho; if they send in a technical audit team they will end up finding the old DB, so you should still try and keep pushing for the actual nuke.
1
Have a privacy policy, clear and transparent information on why you keep the information for how long and who you share it with if anyone.
Have a dedicated simple update information function, subject access request with proof of identity procedure, unsubscribe function.
Don't email someone if it's not account related, like for marketing unless they specifically subscribe for it.
Encrypt all PII in your database and increase server security if you can. Check where you server is located if you don't directly host it... is it even in the EU?
Secure your db back ups also. Write up simple docs in case you face an audit in the future to show your logic, procedures, security, SAR handling plan, data removal plans, priviacy policies etc.
Take steps toward compliance at the very least.
1
He said 25% was foreign and very low from EU. So basically just a tinny little part of that 25% was from EUROPE.
“something that sounds dead simple to fix”. Since it’s so dead simple to fix you can go ahead and fix it for him them and viola problem solved. Like seriously it’s something he does in his spare time and I don’t recall him saying he serves ads on his website so why should he waste money trying to comply. He website is probably more secured than some European government databases.
“But hey, rather block 25% of your web traffic”. Thesame way you have the right to be forgotten because it’s your data, he has the right to block whatever region he wants because it’s his website. It goes both ways don’t expect to get something without giving away something. There are other big economies in the world that he can tap into.
1
Here are some recommendations;
1) Create a list of ALL data that you have
(e.g name, address)
2) A- Create a flow of where what data is coming from
(e.g website, email)
B- List who is proving the data, is this the user himself, or another firm/source that provides the data?
3) Create a flow where the data is stored, and with who it is shared
(e.g database, laptop) (Finance team, lawyer firm)
4) Check which legal base of processing your companies are under
(e.g consent, contract obligations)
Based on the above you can quickly see where are your risks that need to be fixed.
Keep in mind the information gathering can either be quick or take months depending on the size and age of your companies, but these are absolutely necessary steps to get you started.
1
Hidden fields are essentially exactly the same as text boxes, fully editable on the clients machine.
Except that you need to be very slightly IT literate to mess with them, because they are 'hidden'.
https://chrome.google.com/webstore/detail/hidden-form-finder/adglgkhcpfdcocgekhbkghpajnbgcekd?hl=en
Is just 1 example of how someone who is only barely aware of extensions could mess with it.
If you must use a hidden field, using the hidden field to store an ID that links to the content in a database would be better, as then if people mess with it, they can only mess with it to another valid value if they already know it.
Where as if the whole text is in a hidden field, I could easily change it to "I agree to give my unborn babies to AfterMorningCoffee in exchange for free fake news"
The chance is lower if it's just a javascript post request, as they would need to be seriously hunting in your scripts in order to mess with you.
But if you want the safest answer, Store the date the 'campaign' started, store the date the 'campaign' ended, store the type of campaign e.g. email, website etc, store the text used / language presented to the user in case of localization.
Then link the users consent to a campaign id.
Then in case of a dispute, you can say, Between x date and y date, we were running the following campaigns. 1,2,3,4 You agree'd to 3, which had the following text in this language on this date.
That looks a lot more professional then, "User consented their email address to us on the 25th December 2015, the text was: 'Im a smart ass hacker messing with your scripts lol'"
And you can validate that it's at least a valid campaign, and reject the consent if the ID doesn't match.
The fool proof method, would be having a session id of some kind, record what campaigns you **showed** to the user. and then validate that they consented to one that's been shown.
But most of this is probably hypothetical overkill for something that is just covering your ass in case of a dispute, and unless you are running some really dodgy sign ups, probably more effort then it's worth considering the extra data you would need to store, which is what this whole mess is about anyway.
I am just staring into the GDPR field as well. The first things that I am concerned about are structured vs unstructured data and the relevant PII concerns. There are tools from the big vendors that deal with unstructured data and content conversion plus indexing. The biggest problem I have run into is that legal teams do not have a comprehensive set of rules that define PII over other data.
I would like to see the larger firms define regular expressions and policies that define what constitutes the relevant PII vs would need to be removed. Then from an IT perspective rules/policies can be created that help govern what classifies as what would need to be removed. Conversation need to be had at the Legal Team/CEO level what constitutes what should and should not be removed.
Once the above has been determined, policies for unstructured data classification can be defined and dealt with. The structured data (I.e. Database applications) can be well defined by their developers and measures put into place where that data can be removed upon request.
1
I believe you can store such requests' associated data in a separate security database. That would be for security purposes only (legitimate usage) and therefore compliant.
It all comes down to usage though, and whether your particular case might need such a protection.
ICO UK suggests that you should retain a skeleton of the original deleted data (otherwise you can't even tell if it was ever deleted, or be there in the first place). So that's one way to go.
However if you believe in your particular case that "forgotten" requests might end in a security issue, and/or that you need to protect your firm from such issues, you can move the data from your clients' database (for example) to the security database and keep that "in the locker". Nobody will market or share that data anymore, in the original context the data IS deleted. But it will be available as per a security context only. Just keep the minimal amount of data you need and for a feasible time period, and store it very carefully and encrypted. You can also hash the entry (for example by person's name, IP or whatever your master identifier is) and therefore you can only access it if you use the original identifier in the first place (I've seen people already hashing emails like that).
If a security event occurs, you will be able to access that data as to solve the security issue, but NOT as the original usage for which you had consent. It should be within your legitimate usage rights if used solely for security.
GDPR should not be seen as an anti-security law. There is a trade-off between privacy and security, and we just have to set the fine line in the right place.
1
I concur with @NoUserLeftException \- an addition to this is that if you do send e\-mails to your users \(e.g. Direct Marketing\), you do need to obtain consent if you have not previously obtained consent from your users.
This **also** applies for current customers, because you have not enabled customers to opt\-out at the moment of sales \(i.e. untick a checkbox for consent\). If you don't obtain consent from your customers for direct marketing, then you should delete their records from your direct marketing database, only.
1
I contacted Sophos about a firewall, one of their resellers contacted me regarding that lead, which is fine and expected.
A few days later I start getting invitations to their gdpr webinars.
These continued despite my attempts to unsubscribe, it took a series of tweets showing screenshots of the while sequence to get removed from their databases.
The irony was not lost on me
1
I didnt think GDPR covered anyone but EU citizens. That means that a US citizen in an EU database only has the protections of US law. Right? I dont suddenly become an EU data subject by having my bytes pass through their servers.
1
i do have everything on the privacy policy but i cant be sure there is no one that i know that can check it
my website is on en and heb i cant be sure if i will have eu i know i will have mosly israeli players but eu i dont really know
i live in israel and will host the website on israel like the game server are host on eu i cant really be ompliant because its just game server that playing in it nothing much yes its log ip but this is mosly game server work its log it on the database for bans and sercurity and i dont know what the game server host collect
i want to try to be compliant but there is no one that can help me i did privacy policy and tos i still doing but there is no one that can really check it if i did it good
i dont really want to get fine or problems with the gdpr i see alot of israeli communtiy that have eu players but they just dont care about it
1
I do keep a complete history of user agreement version along the text and date in my database, for the sake of traceability. if a user accepts a specific version say 1.0.0, until he renew his account if there is newer version at the time of the renewal then that newer version will be the one that he has to agree to.
1
I don't see how the identifiability of the pseudonym is relevant, except at the margins. The fact that there is a pseudonym at all, which is persistent, likely makes the account Personal Data, and therefore subject to GDPR. A numeric identifier that doesn't mean anything is personal data according to GDPR if the controller can use that number to look up more info in a database.
It is possible to legally refuse authenticated data deletion requests in several circumstances. The most common is Overriding Legitimate Interest, which is a very fuzzy and flexible term, but "fraud detection" is specifically included. Ongoing performance of contract is another. Unfortunately, there's almost no guidance (other than "fraud detection") what counts as valid overriding legitimate interest.
A controller is required to balance the privacy of the data subject against their own legitimate interest. So the fact that the username is more identifiable may nudge that towards redacting the username, but it may not, depending on the circumstances. No one can hazard a guess unless you provide more info about the service, and what reasons the controller may have given for refusing the deletion request. A controller can also selectively delete some data, but retain other data they consider more important or less sensitive, in order to fulfill their overriding legitimate interest.
1
I have a privacy policy and ToS (which will need to be updated due to GDPR) but it is on a website which players who happen to join my game server may not ever visit.
As of now no one else has access to the server or database and I don't expect that to change. I don't even have e-mail addresses, only IP addresses and in-game nicknames.
I could maybe hash IPs so that I should be able to check if they match but I won't store the actual IP address. But I'd still be storing the results from geolocating the IP, so not sure hashing just the IP in the database/logs would make much of a difference.
1
I have the same question.
I don't collect any data, not even analytics and use only admob. I don't have external servers or databases and use sharedpreferences to store local info.
I have a consent dialog that informs the user about the terms of usage which exits the app if does not agree with the them.
1
I need to do more reading on this as I hadn't even considered customers, thank you. We have some spreadsheets with their outstanding orders. And a database with prices and part numbers.
1
I really like the idea.
I’ve been working on making a web app that leads you through becoming compliant.
It allows import of all database fields for you to categorise.
Then add processes, retention etc. etc.
Then it creates the complete human readable policy for you.
Maybe you and I should team up. If we joined the two together we’d have a very good sales funnel.
Start with yours. They find they are not compliant. Then pay monthly for the tool that generates 100% compliant statements.
We could work on cookie policies etc too.
What do you think?
1
I suppose that being in a database makes it a bit harder to argue that asking you to search the data is excessive, but otherwise the same applies. I don't think adding the user agent changes anything either, since we've assumed that the IP alone may be enough to identify a user.
1
I think google analytics stores a partial IP to get around it. The good thing about hashing is its one way unlike encryption. That's why passwords are hashed in databases. Hashing an IP can't be undone; meaning the value you get from hashing looks nothing like an IP and you can't use that value to get the IP back.
1
I think it depends on which type of cookie it is. I doubt that this text is GDPR compliant since they mix up different types of cookies. ("cookies for better browsing experience", "cookies for targeted advertisements",...)
See this article: https://www.cookiebot.com/en/gdpr-cookies/
In addition, always when you need an opt-in, you have to comply with Art.7(1) (source: https://gdpr-info.eu/art-7-gdpr/)
>>Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
That means you need some kind of consent database.
1
I think it would be better. Like I said, if it is in the same database and that database is restored, you lose the updates since the last backup, effectively wiping your record of processing and then breaching if the data is restored with no further follow\-up.
1
Hi thanks for the comments. We are based in the United States and write primarily for US based audiences. Nonprofits in the US have some leeway here, unless they are specifically marketing to EU residents. From Forbes: https://www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-will-affect-your-u-s-based-business/#3cff04d66ff2
"The organization would have to target a data subject in an EU country. Generic marketing doesn’t count. For example, a Dutch user who Googles and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply.
Accepting currency of that country and having a domain suffix -- say a U.S. website that can be reached with a .nl from the Netherlands -- would certainly seal the case."
Note: Nonprofits that collect donations online will have a lot of sensitive financial information in their database, and even if they are not required to follow GDPR guidelines for their US based donors, they should be very careful to take extra steps to protect this information.
0
I suspect you are out of luck. A quick glance at the GDPR seems to allow for databases like the IMDB to exist, see I think Chapter 3/Section3/Article17/3(d) though I am not a lawyer.
0
**Privacy policy**
**1. Introduction**
1.1 We are committed to safeguarding the privacy of our website visitors and service users.
1.2 This policy applies where we are acting as a data controller with respect to the personal data of our website visitors and service users; in other words, where we determine the purposes and means of the processing of that personal data.
1.3 We use cookies on our website. Insofar as those cookies are not strictly necessary for the provision of our website, we will ask you to consent to our use of cookies when you first visit our website.
1.4 Our website incorporates privacy controls which affect how we will process your personal data. By using the privacy controls, you can \[specify whether you would like to receive direct marketing communications and limit the publication of your information\]. You can access the privacy controls via *\[URL\]*.
1.5 In this policy, "we", "us" and "our" refer to *\[data controller name\]*.\[ For more information about us, see Section 13.\]
**2. Credit : https://securign.com**
**3. How we use your personal data**
3.1 In this Section 3 we have set out:
\(a\) the general categories of personal data that we may process;
\(b\) \[in the case of personal data that we did not obtain directly from you, the source and specific categories of that data\];
\(c\) the purposes for which we may process personal data; and
\(d\) the legal bases of the processing.
3.2 We may process \[data about your use of our website and services\] \("**usage data**"\). The usage data may include \[your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use\]. The source of the usage data is \[our analytics tracking system\]. This usage data may be processed \[for the purposes of analysing the use of the website and services\]. The legal basis for this processing is \[consent\] OR \[our legitimate interests, namely \[monitoring and improving our website and services\]\] O*R \[\[specify bas*is\]\].
3.3 We may process \[your account data\] \("**account data**"\).\[ The account data may \[include your name and email address\].\]\[ The source of the account data is \[you or your employer\].\] The account data may be processed \[for the purposes of operating our website, providing our services, ensuring the security of our website and services, maintaining back\-ups of our databases and communicating with you.\] The legal basis for this processing is \[consent\] OR \[our legitimate interests, namely \[the proper administration of our website and business\]\] OR \[the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract\] O*R \[\[specify bas*is\]\].
3.4 We may process \[your information included in your personal profile on our website\] \("**profile data**"\).\[ The profile data may include \[your name, address, telephone number, email address, profile pictures, gender, date of birth, relationship status, interests and hobbies, educational details and employment details\].\] The profile data may be processed for \[the purposes of enabling and monitoring your use of our website and services\]. The legal basis for this processing is \[consent\] OR \[our legitimate interests, namely \[the proper administration of our website and business\]\] OR \[the performance of a contract between you and us and/or taking steps, at you request, to enter into such a contract\] O*R \[\[specify bas*is\]\].
3.5 We may process \[your personal data that are provided in the course of the use of our services\] \("**service data**"\).\[ The service data may inclu*de \[specify da*ta\].\]\[ The source of the service data is \[you or your employer\].\] The service data may be processed \[for the purposes of operating our website, providing our services, ensuring the security of our website and services, maintaining back\-ups of our databases and communicating with you\]. The legal basis for this processing is \[consent\] OR \[our legitimate interests, namely \[the proper administration of our website and business\]\] OR \[the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract\]* OR \[\[specify b*asis\]\].
3.6 We may process \[information that you post for publication on our website or through our services\] \("**publication data**"\). The publication data may be processed \[for the purposes of enabling such publication and administering our website and services\]. The legal basis for this processing is \[consent\] OR \[our legitimate interests, namely \[the proper administration of our website and business\]\] OR \[the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract\] O*R \[\[specify bas*is\]\].
3.7 We may process \[information contained in any enquiry you submit to us regarding goods and/or services\] \("**enquiry data**"\). The enquiry data may be processed \[for the purposes of offering, marketing and selling relevant goods and/or services to you\]. The legal basis for this processing is \[consent\] O*R \[\[specify bas*is\]\].
3.8 We may process \[information relating to our customer relationships, including customer contact information\] \("**customer relationship data**"\).\[ The customer relationship data may include \[your name, your employer, your job title or role, your contact details, and information contained in communications between us and you or your employer\].\]\[ The source of the customer relationship data is \[you or your employer\].\] The customer relationship data may be processed \[for the purposes of managing our relationships with customers, communicating with customers, keeping records of those communications and promoting our products and services to customers\]. The legal basis for this processing is \[consent\] OR \[our legitimate interests, namely \[the proper management of our customer relationships\]\] O*R \[\[specify bas*is\]\].
3.9 We may process \[information relating to transactions, including purchases of goods and services, that you enter into with us and/or through our website\] \("**transaction data**"\).\[ The transaction data may include \[your contact details, your card details and the transaction details\].\] The transaction data may be processed \[for the purpose of supplying the purchased goods and services and keeping proper records of those transactions\]. The legal basis for this processing is \[the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract and our legitimate interests, namely \[the proper administration of our website and business\]\] O*R \[\[specify bas*is\]\].
3.10 We may process \[information that you provide to us for the purpose of subscribing to our email notifications and/or newsletters\] \("**notification data**"\). The notification data may be processed \[for the purposes of sending you the relevant notifications and/or newsletters\]. The legal basis for this processing is \[consent\] OR \[the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract\] O*R \[\[specify bas*is\]\].
3.11 We may process \[information contained in or relating to any communication that you send to us\] \("**correspondence data**"\). The correspondence data may include \[the communication content and metadata associated with the communication\].\[ Our website will generate the metadata associated with communications made using the website contact forms.\] The correspondence data may be processed \[for the purposes of communicating with you and record\-keeping\]. The legal basis for this processing is \[our legitimate interests, namely \[the proper administration of our website and business and communications with users\]\] O*R \[\[specify bas*is\]\].
3.12 We may process *\[identify general category of data\]*.\[ This data may include *\[list specific items of data\]*.\]\[ The source of this data is* \[identify source*\].\] This data may be processed f*or \[specify purpos*es\]. The legal basis for this processing is \[consent\] OR \[our legitimate interests, na*mely \[specify legitimate inter*ests\]\] OR \[the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contr*act\] OR \[\[speci*fy basis\]\].
3.13 We may process \[any of your personal data identified in this policy\] where necessary for \[the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out\-of\-court procedure\]. The legal basis for this processing is our legitimate interests, namely \[the protection and assertion of our legal rights, your legal rights and the legal rights of others\].
3.14 We may process \[any of your personal data identified in this policy\] where necessary for \[the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice\]. The legal basis for this processing is our legitimate interests, namely \[the proper protection of our business against risks\].
3.15 In addition to the specific purposes for which we may process your personal data set out in this Section 3, we may also process \[any of your personal data\] where such processing is necessary\[ for compliance with a legal obligation to which we are subject, or\] in order to protect your vital interests or the vital interests of another natural person.
3.16 Please do not supply any other person's personal data to us, unless we prompt you to do so.
**4. Providing your personal data to others**
4.1 We may disclose \[your personal data\] to any member of our group of companies \(this means our subsidiaries, our ultimate holding company and all its subsidiaries\) insofar as reasonably necessary for the purposes, and on the legal bases, set out in this policy.\[ Information about our group of companies can be found at *\[URL\]*.\]
4.2 We may disclose \[your personal data\] to \[our insurers and/or professional advisers\] insofar as reasonably necessary for the purposes of \[obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out\-of\-court procedure\].
4.3 We may disclose *\[specify personal data category or categories\]* to \[our suppliers or subcontractors\]\[ identified at *\[URL\]*\] insofar as reasonably necessary f*or \[specify purpos*es\].
4.4 Financial transactions relating to \[our website and services\] \[are\] OR \[may be\] handled by our payment services providers, *\[identify PSPs\]*. We will share transaction data with our payment services providers only to the extent necessary for the purposes of \[processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds\]. You can find information about the payment services providers' privacy policies and practic*es at *\[URLs\].
4.5 We may disclose \[your enquiry data\] to \[one or more of those selected third party suppliers of goods and services identified on our website\] for the purpose of \[enabling them to contact you so that they can offer, market and sell to you relevant goods and/or services\].\[ Each such third party will act as a data controller in relation to the enquiry data that we supply to it; and upon contacting you, each such third party will supply to you a copy of its own privacy policy, which will govern that third party's use of your personal data.\]
4.6 In addition to the specific disclosures of personal data set out in this Section 4, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.\[ We may also disclose your personal data where such disclosure is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out\-of\-court procedure.\]
**5. International transfers of your personal data**
5.1 In this Section 5, we provide information about the circumstances in which your personal data may be transferred to \[countries outside the European Economic Area \(EEA\)\].
5.2 We\[ and our other group companies\] have \[offices and facilities\] in *\[specify countries\]*.\[ The European Commission has made an "adequacy decision" with respect to \[the data protection laws of each of these countries\].\]\[ Transfers to \[each of these countries\] will be protected by appropriate safeguards, namely \[the use of standard data protection clauses adopted or approved by the European Commission, a copy of which can be obtained f*rom \[sou*rce\]\] OR \[the use of binding corporate rules, a copy of which you can *obtain f*rom* \[source\]\] OR \[\[specify appropriate safeguards and means to* obtain a copy\]\].\]
5.3 The hosting facilities for our website are situated in *\[specify countries\]*.\[ The European Commission has made an "adequacy decision" with respect to \[the data protection laws of each of these countries\].\]\[ Transfers to \[each of these countries\] will be protected by appropriate safeguards, namely \[the use of standard data protection clauses adopted or approved by the European Commission, a copy of which you can obtain from *\[source\]*\] OR \[\[specify appropriate safeguards and means to obtain a copy\]\]*.\]*
5.4 *\[Specify category or categories of supplier or subcontractor\]* \[is\] OR \[are\] situated in *\[specify countries\]*.\[ The European Commission has made an "adequacy decision" with respect to \[the data protection laws of each of these countries\].\]\[ Transfers to \[each of these countries\] will be protected by appropriate safeguards, namely \[the use of standard data protection clauses adopted or approved by the European Commission, a copy of which can be obtained f*rom \[sou*rce\]\] OR \[\[specify appropriate safeguards and means to obtain a copy\]\]*.\]*
5.5 You acknowledge that \[personal data that you submit for publication through our website or services\] may be available, via the internet, around the world. We cannot prevent the use \(or misuse\) of such personal data by others.
**6. Retaining and deleting personal data**
6.1 This Section 6 sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.
6.2 Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6.3 We will retain your personal data as follows:
\(a\) *\[personal data category or categories\]* will be retained for a minimum period o*f \[perio*d\] followin*g \[dat*e\], and for a maximum period *of \[peri*od\] follow*ing \[d*ate\].
*\[additional list items\]*
6.4 In some cases it is not possible for us to specify in advance the periods for which your personal data will be retained. In such cases, we will determine the period of retention based on the following criteria:
\(a\) the period of retention of *\[personal data category\]* will be determined based o*n \[specify criteri*a\].
*\[additional list items\]*
6.5 Notwithstanding the other provisions of this Section 6, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
**7. Amendments**
7.1 We may update this policy from time to time by publishing a new version on our website.
7.2 You should check this page occasionally to ensure you are happy with any changes to this policy.
7.3 We \[may\] OR \[will\] notify you of \[changes\] OR \[significant changes\] to this policy \[by email or through the private messaging system on our website\].
**8. Your rights**
8.1 In this Section 8, we have summarised the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
8.2 Your principal rights under data protection law are:
\(a\) the right to access;
\(b\) the right to rectification;
\(c\) the right to erasure;
\(d\) the right to restrict processing;
\(e\) the right to object to processing;
\(f\) the right to data portability;
\(g\) the right to complain to a supervisory authority; and
\(h\) the right to withdraw consent.
8.3 You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.\[ You can access \[your personal data\] by visiting *\[URL\]* when logged into our website.\]
8.4 You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.
8.5 In some circumstances you have the right to the erasure of your personal data without undue delay. Those circumstances include: \[the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw consent to consent\-based processing; you object to the processing under certain rules of applicable data protection law; the processing is for direct marketing purposes; and the personal data have been unlawfully processed\]. However, there are exclusions of the right to erasure. The general exclusions include where processing is necessary: \[for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims\].
8.6 In some circumstances you have the right to restrict the processing of your personal data. Those circumstances are: you contest the accuracy of the personal data; processing is unlawful but you oppose erasure; we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.
8.7 You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
8.8 You have the right to object to our processing of your personal data for direct marketing purposes \(including profiling for direct marketing purposes\). If you make such an objection, we will cease to process your personal data for this purpose.
8.9 You have the right to object to our processing of your personal data for scientific or historical research purposes or statistical purposes on grounds relating to your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
8.10 To the extent that the legal basis for our processing of your personal data is:
\(a\) consent; or
\(b\) that the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract,
and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine\-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
8.11 If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
8.12 To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
8.13 You may exercise any of your rights in relation to your personal data \[by written notice to us\] OR \[by *\[methods\]*\]\[, in addition to the other methods specified in this Section 8\].
**9. About cookies**
9.1 A cookie is a file containing an identifier \(a string of letters and numbers\) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
9.2 Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
9.3 Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
**10. Cookies that we use**
10.1 We use cookies for the following purposes:
\(a\) \[authentication \- we use cookies \[to identify you when you visit our website and as you navigate our website\]\[ \(cookies used for this purpose are: *\[identify cookies\]*\)\]\];
\(b\) \[status \- we use cookies \[to help us to determine if you are logged into our website\]\[ \(cookies used for this purpose are: *\[identify cookies\]*\)\]\];
\(c\) \[personalisation \- we use cookies \[to store information about your preferences and to personalise the website for you\]\[ \(cookies used for this purpose are: *\[identify cookies\]*\)\]\];
\(d\) \[security \- we use cookies \[as an element of the security measures used to protect user accounts, including preventing fraudulent use of login credentials, and to protect our website and services generally\]\[ \(cookies used for this purpose are: *\[identify cookies\]*\)\]\];
\(e\) \[advertising \- we use cookies \[to help us to display advertisements that will be relevant to you\]\[ \(cookies used for this purpose are: *\[identify cookies\]*\)\]\];
\(f\) \[analysis \- we use cookies \[to help us to analyse the use and performance of our website and services\]\[ \(cookies used for this purpose are: *\[identify cookies\]*\)\]\]; and
\(g\) \[cookie consent \- we use cookies \[to store your preferences in relation to the use of cookies more generally\]\[ \(cookies used for this purpose are: *\[identify cookies\]*\)\]\].
*\[additional list items\]*
**11. Cookies used by our service providers**
11.1 Our service providers use cookies and those cookies may be stored on your computer when you visit our website.
11.2 We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. The information gathered relating to our website is used to create reports about the use of our website. Google's privacy policy is available at: [https://www.google.com/policies/privacy/](https://www.google.com/policies/privacy/).\[ The relevant cookies are: *\[identify cookies\]*.\]
11.3 \[We publish Google AdSense interest\-based advertisements on our website. These are tailored by Google to reflect your interests. To determine your interests, Google will track your behaviour on our website and on other websites across the web using cookies.\] OR \[We publish Google AdSense advertisements on our website. To determine your interests, Google will track your behaviour on our website and on other websites across the web using cookies. This behaviour tracking allows Google to tailor the advertisements that you see on other websites to reflect your interests \(but we do not publish interest\-based advertisements on our website\).\] You can view, delete or add interest categories associated with your browser by visiting: [https://adssettings.google.com](https://adssettings.google.com/). You can also opt out of the AdSense partner network cookie using those settings or using the Network Advertising Initiative's multi\-cookie opt\-out mechanism at: [http://optout.networkadvertising.org](http://optout.networkadvertising.org/). However, these opt\-out mechanisms themselves use cookies, and if you clear the cookies from your browser your opt\-out will not be maintained. To ensure that an opt\-out is maintained in respect of a particular browser, you may wish to consider using the Google browser plug\-ins available at: [https://support.google.com/ads/answer/7395996](https://support.google.com/ads/answer/7395996).\[ The relevant cookies are: *\[identify cookies\]*.\]
11.4 We use *\[identify service provider\]* to *\[specify service\]*. This service uses cookies for *\[specify purpose\(s\)\]*. You can view the privacy policy of this service provider at *\[URL\]*.\[ The relevant cookies are: *\[identify cookies\]*.\]
**12. Managing cookies**
12.1 Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up\-to\-date information about blocking and deleting cookies via these links:
\(a\) [https://support.google.com/chrome/answer/95647?hl=en](https://support.google.com/chrome/answer/95647?hl=en) \(Chrome\);
\(b\) [https://support.mozilla.org/en\-US/kb/enable\-and\-disable\-cookies\-website\-preferences](https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences) \(Firefox\);
\(c\) [http://www.opera.com/help/tutorials/security/cookies/](http://www.opera.com/help/tutorials/security/cookies/) \(Opera\);
\(d\) [https://support.microsoft.com/en\-gb/help/17442/windows\-internet\-explorer\-delete\-manage\-cookies](https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies) \(Internet Explorer\);
\(e\) [https://support.apple.com/kb/PH21411](https://support.apple.com/kb/PH21411) \(Safari\); and
\(f\) [https://privacy.microsoft.com/en\-us/windows\-10\-microsoft\-edge\-and\-privacy](https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy) \(Edge\).
*\[additional list items\]*
12.2 Blocking all cookies will have a negative impact upon the usability of many websites.
12.3 If you block cookies, you will not be able to use all the features on our website.
**13. Our details**
13.1 This website is owned and operated by *\[name\]*.
13.2 We are registered in \[England and Wales\] under registration number *\[number\]*, and our registered office is a*t \[addres*s\].
13.3 Our principal place of business is at *\[address\]*.
13.4 You can contact us:
\(a\) \[by post, to \[the postal address given above\]\];
\(b\) \[using our website contact form\];
\(c\) \[by telephone, on \[the contact number published on our website from time to time\]\]; or
\(d\) \[by email, using \[the email address published on our website from time to time\]\].
*\[additional list items\]*
**14. Data protection officer**
14.1 Our data protection officer's contact details are: *\[contact details\]*.
**Free privacy policy: drafting notes**
This is a standard website or web app privacy policy, which will help you to comply with data protection legislation, and has been updated for the General Data Protection Regulation \(also known as the GDPR\).
This policy covers the following matters \(amongst others\): the collection of personal information; the use of that personal information; the legal bases for the processing of that information; disclosures of that personal information to third parties; international transfers of personal information; and the use of cookies on the website.
This document might not be suitable for you if the ways in which you use personal information are complex or unusual.
In any event, there are many aspects to data protection compliance. Publishing a privacy policy or statement containing the relevant information is only one aspect \- albeit an important aspect \- of compliance.
**Section 1: Introduction**
**Section 1.1**
Optional element.
**Section 1.2**
"Personal data" is defined in Article 4\(1\) of the GDPR:
"\(1\) 'personal data' means any information relating to an identified or identifiable natural person \('data subject'\); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
**Section 1.3**
Optional element.
The inclusion of this statement in your privacy policy will not in itself satisfy the requirements of the Privacy and Electronic Communications \(EC Directive\) Regulations 2003 as regards consent to the use of cookies. Guidance concerning methods of obtaining such consent is included on the Information Commissioner's website \(http://www.ico.gov.uk\).
**Section 1.4**
Optional element.
**Section 1.5**
Optional element.
**Section 2: Credit**
**Section: Free documents licensing warning**
Optional element. Although you need to retain the credit, you should remove the inline copyright warning from this document before use.
**Section 3: How we use your personal data**
Article 13\(1\) of the GDPR provides that:
"\(1\) Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: ... \(c\) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; \(d\) where the processing is based on point \(f\) of Article 6\(1\), the legitimate interests pursued by the controller or by a third party".
Article 6\(1\)\(f\) of the GDPR provides that:
"\(1\) Processing shall be lawful only if and to the extent that at least one of the following applies: ... \(f\) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
**Section 3.1**
Article 14 of the GDPR, which applies where personal information is not obtained from the data subject, provides that information about "the categories of personal data concerned" must be supplied to data subjects.
Article 13 of the GDPR, which applies where personal information is obtained from the data subject, does not include an equivalent provision.
Nonetheless, we have included references to general categories of data in this document, because this facilitates the identification of particular purposes of processing and the legal bases of processing \- information which
body
score (Sum)
Loading...
IT Ops Topic: Penalty
Showing 26 rows, 1 columns
body
score (Sum)
>> There should be nothing onerous for a small business.
A redesign of the system landscape is not onerous? ("Privacy by design")
The research a one-man-show has to do for the gdpr changes is also not onerous? What about the concepts and all the bureaucracy you have to do (like all the mandatory documentation). What about the costs? If you have a question to a lawyer, it's from 350€ upwards. If you have multiple questions, you could pay very quickly, 2000€ or more.
Since two months, I cannot proceed with my work because of gdpr and I'm still not finished. I already thought about cancelling all my work of the last 3 years because all this anger isn't it worth. Luckily, our government had weakened the gdpr in our country a little bit (warning instead of penalty and so on). I hope that EU will not fuck our country for this.
Data privacy yes, but one can overdo it. And as you can see, exactly the small ones are upset while Google has no problem to reorganized their whole privacy data infrastructure and products (whereby they are still not finished, see for example AdMob).
6
*On the 21st of January 2019, the CNIL issued a penalty of 50 million euros against GOOGLE LLC under the GDPR for lack of transparency, unsatisfactory information and lack of valid consent for the personalisation of advertising.*
5
Definitely against GDPR as you know where and when an individual is going to be present there. You'd have thought the booking software company would want to fix it as they are going to lose customers if they don't!
You could complain to the gym first in writing so it's documented (rather than the chats you've had so far) and say that it's in breach of GDPR and will be reported to your data protection department if they don't fix it. (If it's a chain of gyms, CC in the headquarters as that'll probably help more.) You should then contact your data protection agency for your country if they refuse to do anything as they are willingly breaking the law then. Penalty could be up to 4&#37; of turnover but would probably be a lot less as it's not overly sensitive data (and you can only see the data if you're a member yourself) and then it would have to escalate get to that stage first. The threat of a fine is what gets businesses moving, not the fine itself!
Some problems:
Question 1) There aren't a definitive 'number of steps' to become GDPR compliant. You can cut that cake into a number of pieces, and it's a different cake for each business.
2) The *maximum* penalty is either 2% of annual income or €10M (whichever is greater), OR 4% of annual income, or €20M, depending upon the type of violation.
3) 'Avoiding a breach' and 'protecting citizens' are two parts of the same thing. If citizens' data is stolen, then that's a violation of privacy.
4) I'm not taking this stupid quiz any more.
4
It’s all about passion, if it’s not there it can be a boring job.
When I joined the privacy team at my company I got a significant pay rise but a significant drop in position, now I am one of the team working under the DPO. I often stand in at meetings for her due to my experience and the best feedback I have had is about my passion about the subject and ability to make it less boring. Try have a bit of fun with it, I always like to open meetings with a bit of a dig at the law and, if I have one, a little story about a piece of case law, a penalty or something from my own experience. As long as the basics are right, a bit of comedic licence helps increase interest.
3
Thanks pperca.
* A 4% penalty on total revenue for a website in the US being sued by an EU entity? Whew. That is far-reaching and unfair, but whatever thanks for the clarity on that.
* When GDPR becomes global I'll address it. I'm worried about user disruption know what I mean? I don't want my clients to have to click any button. Know what I mean?
* Yes, I'm going to address set up a privacy policy.
* No we don't do online payment. We are an auto repair business.
* Right, a clear Terms of Service page with an "I agree" button.. ok.. The problem is it'll be a page linked from the footer. Nobody will read it and nobody will click the button.
* In respect to GDPR not applying to my business. I'm reading over and over again that it does apply because there's always that chance that 1) A site visitor could come from the EU. 2) A physical customer could be visiting the USA on a visa and come to our shop. Now I'm getting mixed signals.... UG!
* I agree that getting hit with a fine is small. Attorneys don't wait for business they look for it and you know they are salivating over GDPR. Its a money maker of epic proportions. Maybe not now but later. Trust me.
3
Yes, it affects free site owners too. They can impose a financial penalty which is not based on revenue... and under UK law, directors of companies (or owners of services) are personally liable. For example, UK charities are not exempted from GDPR.
3
> Hello, does GDPR apply to individual small site owners that have free sites?
Yes it does if you process or store PII (Personal Identifiable Information)
> I have a website where people can register and post advertisement listings for free, the entire site is free and there is no payment for anything.
No payment does not exclude you from GDPR (otherwise Google would be excluded too.)
> I am not a business or organization, does GDPR still apply to me?
GDPR does not apply to people processing personal data in the course of exclusively personal or household activity. (So yes it still applies to your website.)
>if yes how would they fine a site for 4% of annual income if there is 0 income?
The maximum penalty is 20 million euros or 4% of annual revenue (cashflow) **whichever is higher.**
Note that this is the maximum penalty, which I suppose is for repeatedly offenders.
> I googled it and weirdly there is absolutely no info about this
If you try to find information that you are exempt from GDPR, than that is something you will not find.
As you state in other post you process email addresses. As I assume these email addresses are used to login to the site (where login allows you to add/edit/remove posts.) One could argue that the email address is functionally required for the user to make use of the site functionality.
One of the exceptions is:
> processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
> Does Google Analytics counts as storing personal data? since i can't identify someone through GA.
As I have understood Google Analytics itself does not contain PII, but if you can combine GA data with other data (E.g. the forum userid) then it is.
> Am i liable if users publish personal info like phone number in listings that can be viewed by anyone?
I don't know. One could argue that if persons publish their own PII that this counts as explicit consent. However I don't know if this is according to the letter of GDPR.
The most I would worry about GDPR is the "right to be forgotten", can a user remove all their (PII) data from your site.
2
It's very unlikely a regulator will come after you for a first mistake, or even consider issuing a penalty against a small organization without numerous opportunities for that organization to reform its ways.
The main target is big organizations; however, that hasn't stopped the understandable panic and for that the EU is squarely responsible. It hasn't been anything like forthcoming enough about how it affects smaller organizations - they only want Facebook, Google, et al.
2
You can't sue them because it is up to the authorities to find them either compliant or non-compliant, and in the case of non-compliance to determine the penalty. You can only report them to the authorities to alert them of possible non-compliance.
[Article 77](https://gdpr-info.eu/art-77-gdpr/) grants you the right to report non-compliance.
Article 82 states that the authorities will only you award you compensation if you suffered damages.
2
> "While this still doesn’t match the GDPR’s standard of such a fine (4% annual global turnover) it shows that DPA’s are taking matters seriously."
It is a maximum penalty. It can obviously be less, based upon the circumstances of the specific case.
1
> A 4% penalty on total revenue for a website in the US being sued by an EU entity? Whew. That is far-reaching and unfair, but whatever thanks for the clarity on that.
That's max. They don't start there. That's only for egregious situations where all attempts to ensure compliance have been met with a thumb to the nose.....
1
Basically I'm trying to find evidence that the university after disproportiantely with regards to my penalty for academic misconduct. As such I want to see the outcome letters for all cases of academic misconduct within the last 3 years I was at university. The personal data in the outcome letter would be the names of students and their student ID and I have asked for this to be redacted so they can not be identified.
1
I think you should checkout this blog as well [https://www.compliancehome.com/french-cnil-data-protection-agency-sanctions-google-with-e50m-penalty-for-gdpr-breach/](https://www.compliancehome.com/french-cnil-data-protection-agency-sanctions-google-with-e50m-penalty-for-gdpr-breach/) as I've found this blog best of GDPR data breach penalty. I was delighted to know about their satisfaction.
1
If the business isn't actively catering towards EU users(perhaps easier to think of a site in Japan that's in the Japanese language with a co.jp TLD, no content that is EU related), they're not required to respect the GDPR just because an EU user accesses their site.
Highly unlikely any attempt to commenced legal action in regards to a GDPR violation is going to matter.
Should that business later decide they want to expand into the EU market and it's users, obviously they would then have to give a shit and comply.
If the EU wants to pack a sad and be a bully by marking foreign businesses that are clearly not interested in the EU to judge them negatively upon that business wanting to later enter the EU market and accommodate their laws at that point, it'd be a rather laughable decision.
I suppose you're fond of the whole PC culture and SJW that came out about from that? Imagine if that were more enforced as a law from a foreign country with high penalty fees, where you have to ensure you respect your users and don't offend them while catering to their needs to be inclusive. That'd be a shit show.
Perhaps China shouldn't have closed the world out with their internet in the mainland. Perhaps they could follow EUs approach and attempt to enforce their laws onto foreign countries too?
I don't really know where this thread is going tbh. Respecting users privacy is great, but scenarios where a foreign law can have such an impact on you when you have no operational interest for whom those laws are designed to "protect", it's not right, nor something I'd encourage more of.
1
Really? I can think of one international company, Agregatre IQ in Canada (the Cambridge Analytica Scandal).
[https://ico.org.uk/action-weve-taken/enforcement/aggregate-iq-data-services-ltd/](https://ico.org.uk/action-weve-taken/enforcement/aggregate-iq-data-services-ltd/)
&#x200B;
And if the company has a company in the dpa's country, they will go after them, or use other enforcement powers there - for example Uber - [https://ico.org.uk/media/action-weve-taken/mpns/2553890/uber-monetary-penalty-notice-26-november-2018.pdf](https://ico.org.uk/media/action-weve-taken/mpns/2553890/uber-monetary-penalty-notice-26-november-2018.pdf) oh and Equifax - [https://ico.org.uk/action-weve-taken/enforcement/equifax-ltd/](https://ico.org.uk/action-weve-taken/enforcement/equifax-ltd/)
&#x200B;
Facebook ... ;-)
&#x200B;
There are international treaties that are enforcable, so if the regualtors or individuals want to, can afford to, action will be taken.
&#x200B;
The FTC who are resonsible for Privacy Sheild are pretty weak, but they do enforce and have prosecuted US companies that have said they wrere on the PS list and were not. But, that's another barrel of fish. Also, if you want to do business in the EU, then due dilligence checks on processors or joint controllers would show a lack of "suffcient guarantees".
&#x200B;
WE also have Convention 108, outside of the EU framework, covering of Data Protection as well, this is what the UK will use if it exits the EU. [https://www.coe.int/en/web/data-protection/convention108-and-protocol](https://www.coe.int/en/web/data-protection/convention108-and-protocol)
alongside the UK GDPR and DPA 2018.
&#x200B;
And in the UK, the ICO approach in year one, is easy does it, in year 2 they are focusing on enforcement - whatever shape that takes, not just fines.
&#x200B;
Peace dudes :-D
1
Take a risk based approach of all of the options that you have - i.e. have a checkbox being the easiest, cheapest but least reliable vs having a parent scan their identification which is also relatively cheap and more reliable but introducing more risk. It would be good to get some additional context but i would strongly advice that you don't ask for payment card data as you are then going into PCI territory. Weigh up the pros and cons and fully evidence your decision so that if a complaint was raised, you can then work with the ICO (if in the UK) to establish a plan for bringing it in line as opposed to making a decision without justification which is more likely to give you a penalty.
1
This os usually how it works, either with guidance or a the penalty being for the company to implement the proper process. The ICO doesn't receive money from fines and take a very proportionate approach. They dealt with 17,300 cases and fined 16 times last year.
1
Wow, I may be missing something, but that case seems pretty crazy.
>"III.4. Der Aufnahmebereich der Bildaufnahmen der gegenst√§ndlichen Kameras erstreckt sich wie
festgestellt – neben dem unmittelbaren Eingangsbereich zum Wettlokal „[…]“ – auch auf weite
Bereiche des öffentlichen Raumes vor demselben, konkret auf öffentliche Verkehrsflächen in
einer Reichweite von ca. 20 Metern, wobei auf den Bildern Fahrzeuge und deren
Kennzeichentafeln sowie Personen (Passanten) wahrgenommen werden können. Da von der
Bildaufnahme ein großer Bereich des vor dem Lokal liegenden öffentlichen Raumes erfasst wird
und zufällig dort vorbeikommende Verkehrsteilnehmer – bei welchen es sich naturgemäß nicht
ausschließlich um Kunden des Wettlokals handeln muss – vernünftigerweise nicht damit
rechnen müssen, aufgenommen zu werden, verstößt der Betrieb der Bildaufnahme gegen die in
Art 5 normierten Grunds√§tze."
They received a 2,400€ penalty because they set two visible security cameras to cover the entrance area of their business, and one of those also covered a public parking area with five parking spaces, where you could see licence plates. How many hundreds of thousands, if not millions of security cameras do exactly the same thing? How is one supposed to only cover such a specific area, stick tape all over a camera?
I realise that there are other elements of the total 4,800€ penalty, such as inadequate signage and a failure to delete the data after 72 hours, but it still seems a pretty bizarre application of the law to me.
1
Yeah some of the areas are complete legalese. But a significant portion of the law is just setting up how the different regulatory bodies will work etc and isn't really applicable for most organisations or individuals.
All that you described is just describing a group of companies I believe, and determining where the liability follows. From what I can tell it is found in a lot of other EU law.
But remember the recitals just interpret the law, read all the articles first and use the recital linking to the article to guide you.
Article 84 alludes to the various powers, which are left to the regulators. I am mainly going off the ICO.
Article 84
Penalties
1. Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.
The ICO have draft regulatory guidance (https://ico.org.uk/media/about-the-ico/consultations/2258810/ico-draft-regulatory-action-policy.pdf) on their approach to their powers. Here are some useful bits, but they whole thing is worth reading:
"When we will issue Assessment Notices
We serve an assessment notice where we deem it necessary to gauge compliance with the provisions of the DPA or the NIS Directive because:
• we have conducted a risk assessment or other regulatory action, which indicates a probability that personal data is not being processed in compliance with the DPA, together with a likelihood of damage or distress to individuals; or
• it is necessary to verify compliance with an enforcement notice; or
• communications with or information (e.g. news reports, statutory
reporting or publications) about the controller or processor suggest that they are not processing personal data in compliance with the DPA; or
• the controller or processor has failed to respond to an information notice within an appropriate time.
"When we will issue Enforcement Notices
Enforcement notices may be issued in the circumstances set out in [clause 146 of the Data Protection Bill] (e.g. where a data controller or processor has breached one of the data protection principles, where a certification provider or monitoring body for a code of conduct is failing to meet their obligations, or where a digital service provider has suffered a notifiable incident under the NIS Directive).
The purpose of an enforcement notice is to mandate action (or halt action, such as processing or transfer) to bring about compliance with information rights and/or remedy a breach. Failure to comply with an enforcement notice invites further action, including the possibility of the ICO issuing a civil monetary penalty. "
"In the majority of cases we will reserve our powers for the most serious cases, representing the most severe breaches of information rights obligations. These will typically involve wilful, deliberate or negligent acts, or repeated breaches of information rights obligations, causing harm or damage to individuals. In considering the degree of harm or damage we may consider that, where there is a lower level of impact across a large number of individuals, the totality of that damage or harm may be substantial, and may require a sanction."
1
You can have a screenshot of the map and offer click-through to an interactive map, or use OpenStreetMap. Apple Maps recently started offering their maps with strong privacy guarantees. You can compare vendors and select the one you think offers the best privacy. YouTube has a privacy-enhanaced embed widget which isn’t fully GDPR compliant but is still better than using the default one in terms of the data that is collected.
You need to sign a data processing agreement with the vendor that limits what they can do with the data. As the website publisher, you’re responsible for their behaviour so you want to have it in writing. Otherwise you alone are responsible for whatever they do today or in the future. Many companies offer standard data processing agreement contracts that lays out what data you can send them and what they do with the data.
Once you have that in order, you can introduce a consent-click gateway that the visitor can click-to-agree to sharing data with the vendor and load the widget. You have to get separate consent for individual purposes (serving ads/marketing, geolocation, personalization, etc.), communicate which purposes you’ve gotten consent with to the vendor using their consent-collection APIs, and keep in mind that [prechecked checkboxes](https://www.reddit.com/r/gdpr/comments/b4hatx/prechecked_cookie_boxes_dont_count_as_valid) aren’t enough. “Click to load YouTube video and agree to the Google Privacy Policy” isn’t enough as YouTube collects data for all sorts of purposes (recording in user’s history, ad selection, service personalization, search personalization, etc, etc.) that all require separate consent.
There will be a noticeable delay after the user has given their consent since you can’t preload JavaScript libraries or anything from the vendor prior to getting consent (IPs are personal data in many contexts). You my be better off with linking to their website as your visitor then beleive that it’s the third-party site that is slow and not your website. (An example of perceived performance design by [reassigning the blame for the performance penalty](http://babich.biz/progress-indicators/#systemorcustomloopedanimation).)
The best practice (in terms of user experience and legal risk) really is to do as much as possible yourself. Then you can just avoid collecting any data and don’t need to maintain relationships with third-party companies.
1
You need to comply with all laws or risk some form of penalty.
The law has the mantra; only chase those with deep pockets. I doubt many ambulance chasers are interested in small players.
1
I hope Europe goes after them. $2 billion penalty (4%).
But a breach doesn’t prove negligence so it’s not a sure thing by any means.
0
When people buy a service from a company, for exemple access to news, both parties have a mutual contract extending over an agreed period of time (4 weeks for 99c as of their website today).
If the company selling services refuses to comply to the law of the country where the consumer is living, while having sold their product to the consumer, it is a crime.
They might eventually reimburse customers, but they can be held accountable for a reduction in services that the consumer did not agree to when signing up.
Creating systems that benefit society and fining outlaw corporations that refuse to comply to laws is the opposite of authoritarian (compare to: countries where the death penalty is still a thing).
Laws should be made for and by the people, not for and by corporations.
0
Zuckerberg is that you?
The largest fine so far took 7-8 months from start to finish: https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc
0
body
score (Sum)
Loading...
IT Ops Topic: Data Center
Showing 12 rows, 1 columns
body
score (Sum)
Of course not, that’s not the point. I would never suggest you need a data center in EU, but if you get customers from EU (and let’s over simplify and say that it’s not occasional, that you accept payments in euro for example) you have to comply with GDPR - which doesn’t mean having data centres in EU but just follow the rules
5
Doesn’t Facebook have a data center in Ireland? If so, it puts them firmly under GDPR.
2
B is a data processor, since B is storing the data. They are hosting the data in their data centers. Even if they have no access at a software level to the data, they could in theory remove the data (storage media) and delete ( shred or recycle the hard drives) and this in turn would affect your data availability but the integrity of the data as well.
1
Good question! I don't think a Geo IP from Europe would result in different results, as the results are based on the response of the website.
I am using a droplet from Digitalocean in the AMS3 (Amsterdam) data center. I am assuming you are referring to a result you've got from an Geo IP lookup database. Unfortunately Geo IP databases are often not updated in real time. You can see via [https://ping.eu/traceroute/](https://ping.eu/traceroute/) that the server is located in the Netherlands.
1
I disagree with this (though maybe not in the case of MFP since they are a pretty big company and can easily take on the cost).
We have a single datacenter in the US and we occasionally get users from the EU who want to buy some of our stuff. We're telling them - "sure you can buy but FYI the server is in the US so your data is stored here".
Is everyone supposed to open a secondary data center in the EU?
1
I think they would probably argue that it was necessary for the provision of service (art 6.1b). I'm not sure on Twitters operations, but Id guess they have data redundancies all over the world to maintain the service if one data center went down. To do that, they'd have to copy your data to all of these.
1
Interesting. Likely means that they're going to be opening/will have to build and open an EU data center.
My advice - follow up on this and try to get an exact time frame (or at least if this can be expected before the date of enforcement). Also, keep tabs on it. Once the GDPR hits mainstream news, you're going to undoubtedly have a large number of customers and consumers that wish to exercise their rights to be forgotten, data portability, data transparency, rights to audit, etc, against EU companies. And then there's gonna be that subset that expects the instant compliance and won't hesitate to contact the regulatory agency if they don't get it in as timely a fashion as possible.
Just make sure that all of your bases are covered. Businesses are in for a rough ride over there in the EU.
1
just got off the phone with my lawyers, they basically told me to either
a\) comply and ask users for permission to 'transfer data outside of country/region' with explicit info saying that 'us laws may be less protective of users data than eu' \- requires a checkbox
b\) change to a provider with eu data centers
c\) 'forget' to explicitly ask \- they did not recommend that option
this is ridiculous, there are no eu alternatives that are as good as twilio and postmark, also when usa comes up with their legislation ill propably have to go another way round :D
1
Nope.
A host is a processor. A search engine is a controller in the sense that they own the search results.
Say Google didn't have their own data centers... it's the equivalent of having their host go into Google's database and remove the results. Google is also potentially technically both their own processor and controller when it comes to their search engine and results.
1
Not a lawyer, not legal advice.
In our case we did it without privacy shield by using Explicit Consent (and making relevant changes in the privacy policy), which I think might be overkill but still. [LINK] (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/)
" A transfer, or set of transfers, may be made where the transfer is:
made with the individual’s informed consent;"
When signing up, there is a specific full-page form that asks our EU users if they are OK with storing the data in US servers which have lower privacy than the EU. There's even a little American flag there. For existing users, we've been telling them they have until May 25th to give consent for US transfer or their accounts will be wiped. Most of them gave it FYI. There is also a place where they can revoke consent in which case we apply erasure.
Re (2) in your question, I think this is meant to apply for AWS members in the EU that are using US data centers. Not for actual end users.
We also looked into getting Privacy Shield but at least in our own analysis, it looked like it would expose us to more liability than not joining it. Also, it's still not clear how the GDPR authorities plan on actually imposing fines on US companies that have no EU presence, but being in the Privacy Shield means they can ask the FTC to punish you (as far as I understand). For now we'll wait and see.
1
This is a valid concern. In the real world it's usually just a data center employee unplugging a cord and forgetting to plug it back in.
EIG knocked my server offline and moved all my sites from Texas to a server in the Provo Utah data center on the 4th of July with new IP addresses without telling me. I had to change my holiday plans to figger out what happened. I don't use them anymore.
The data center will normally just give you a discount next month. They assume you have a backup. If you pay them to do the backup, then they'll have it on a different server but it's usually at the same data center.
I'm not very worried about someone destroying my server, I could get everything back up and running from backups, it would just be stressful and take me all day (and probably all night). What I care about is the data saved between the backup and the outage event.
There's usually multiple hosting companies at the same data center, you get the best service if you host with the company that actually owns the data center. Currently I have a server at the data center in Lansing Michigan with no problems whatsoever, only 2 minutes of downtime this year, first downtime was for the Spectre/Meltdown fix in January, 2nd downtime was for an OS update. 2 minutes a year ain't bad.
1
I agree with this and as a US company, we did do the necessary GDPR changes and have a process to respond to DSRs.
However, our data center is still in the US. We ask that permission as the first consent and we don't give the users any real choice (other than exiting). And realistically, if the US government comes asking us for information about EU citizens with court orders, gag orders and whatnot, we'll probably cough it up.
I understand this is contrary to the spirit of GDPR (i.e. using the site shouldn't be conditional on consent). But we don't really have a choice.
MFP is a bigger company so I imagine they could easily open up a DC in Europe.
But stonewalling users who don't agree to data transfer to US territories seems like the only way to go if you only have servers in the US.