Some random GDPR statement

[Dollstudio]

20180525.jpg (120.16 KiB) Viewed 895 times

Source: www.latimes.com, May 25th 2018

[philpw99]

That looks so familiar to my visiting of Chinese news websites.

[skinnygamer]

As far as GDPR goes there was ample time for companies to prepare for it. The U.S. companies acting like they got sucker punched is a bit much. Then to block all EU traffic ... I don't know, that just seems a bit weak.

[Nescio50]

As far as GDPR goes there was ample time for companies to prepare for it. The U.S. companies acting like they got sucker punched is a bit much. Then to block all EU traffic ... I don't know, that just seems a bit weak.

GDPR, the General Data Protection Regulation of the European Union is in place for more than two years. Starting today it will be enforced. GDPR effects all companies that are targeting inhabitants of the EU.
So everyone had about two years to prepare themselves. As always many companies waited for the deadline. Many companies aren't ready yet.
At my place (The Netherlands) it was said that small companies don't have to worry too much right now, focus will be on the biggies. It is expected that the first company having a serious data leak will be visited by authorities and will have to prove to be compliant with GDPR and maybe get a fine. Fines can be substantial, up to 4% of turnover or 20 Mio Euros. But only the authorities can apply fines (it's governmental regulation, not private law).

Post made as a member of TDF, not on behalf of TDF Management.

[LDF]

The way the current U.S. administration operates, I wouldn't be surprised if they retaliate.

Google and Facebook, two U.S. companies, are being targeted by this 'protectionist' regulation.

[Nescio50]

The way the current U.S. administration is going, I wouldn't be surprised if they retaliate.

I don't expect this. Although the basics/background policies on privacy laws are quite different in US and EU, operational consequences are not that different. Right now EU is more on protection of personal data and US is more supporting companies who exploit data for commercial purposes, but both care about data protection.

P.S. about Facebook and Cambridge Analytica, both US Congress and EU Parliament wanted to talk to them ....

P.P.S. This is not about protectionism -there are no EU competitors for Facebook or Google- this is to protect people.

[skinnygamer]

As far as GDPR goes there was ample time for companies to prepare for it. The U.S. companies acting like they got sucker punched is a bit much. Then to block all EU traffic ... I don't know, that just seems a bit weak.

GDPR, the General Data Protection Regulation of the European Union is in place for more than two years. Starting today it will be enforced. GDPR effects all companies that are targeting inhabitants of the EU.
So everyone had about two years to prepare themselves. As always many companies waited for the deadline. Many companies aren't ready yet.
At my place (The Netherlands) it was said that small companies don't have to worry too much right now, focus will be on the biggies. It is expected that the first company having a serious data leak will be visited by authorities and will have to prove to be compliant with GDPR and maybe get a fine. Fines can be substantial, up to 4% of turnover or 20 Mio Euros. But only the authorities can apply fines (it's governmental regulation, not private law).

Post made as a member of TDF, not on behalf of TDF Management.

If I read the law correctly it's 250 employees OR 5,000 data subjects over a 12 month period to determine if a company is exempt. Also over 250 employees requires a "data dude or dudette". What I find quite interesting is the 72 hour time frame to report a breach, wonder how that will play out? Reporting your under attack is one thing (to be compliant) but actually being able to stop and repair is something else. Does that restart the clock? Or maybe I'm just reading a bit too much into that....

[Nescio50]

If I'm right the 72 hours time frame applies to reporting a data leak.

Please know that I'm not an legal expect but I'm studying this law at it's implications.

[LDF]

Nesico50:

Google and Facebook are being fined billions of dollars by the EU.

For violating a 'privacy' policy?!

Sorry, but I'm on Google and Facebook's side of this.

If you don't want to share personal information, go live off-grid in the Himalayas.

OK, I've had my rant. I hope this works itself out.

LDF.

[skinnygamer]

my post went into the ether

[Nescio50]

Nesico50:

Google and Facebook are being fined billions of dollars by the EU.

For violating a 'privacy' policy?!

All I can say is that was not based on GDPR, so it's something different.

Please don't make this a US versus EU thread. All I try is to post information about the GDPR.

[haremlover]

From what I can see most companies have their knickers in a twist about it.

Apparently there was no need to write to everyone and ask them to opt-in again, merely to write to them informing them of how to opt out. There was an article in the Financial Times last Saturday about this. Mail-Chimp users will have had half their subscription lists wiped out by the unnecessary opt-in procedure whilst in England the Conservative Party simply opted for the information email telling people how they could opt out.

Best wishes

Harem

[Nescio50]

Based on GDPR, companies can no longer use personal data based on a vague opt-out, there has to be a clear opt-in.

[skinnygamer]

Ok, I'll post again. This is not about the EU vs. the U.S., and I'm not a lawyer.

There's also the right to be removed in the GDPR as well. Well that's all well and good, on the business end of things (in the U.S.) we have to keep sales slips for a certain time frame for tax purposes. That time frame doesn't end because someone requested to be totally erased.

I've yet to get a single straight answer about that.

[EBF]

Did you check the Wiki about it, because I think that one is quite clear.

Lawful basis for processing

Unless a data subject has provided explicit consent to data processing for one or more purposes, personal data may not be processed unless there is at least one legal basis to do so. They include:[15]

To perform a task in the public interest or in official authority.
To comply with a data controller's legal obligations.
To fulfill contractual obligations with a data subject.
To perform tasks at the request of a data subject who is in the process of entering into a contract with the controller.
To protect the vital interests of a data subject or another person.
For the legitimate interests of a data controller or a third party, unless overridden by the Charter of Fundamental Rights.

https://en.wikipedia.org/wiki/General_D ... Regulation

So you may process data to fulfill your legal obligations (in your case: check).

And from elsewhere:

Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.

https://www.eugdpr.org/key-changes.html

So the right to be forgotten includes data that is no longer required for the original purpose. Since in your case the data is still needed to fulfil your legal obligations, the data stored is not included in the right to be forgotten (for the timeperiod you need it for your taxes).