when the new GDPR entered into force. If nothing else, you noticed it by receiving e-mails from all quarters, some confirming that the sender complies with the new rules or has changed its privacy policies in line with them, others asking for your consent to use your data.
Did those who did not write to you miss something? Did you miss something when you did not write to all the people whose data you store? Well, it depends.
Those who complied with the old directive (and the national laws transposing it) do not necessarily have to do anything. There are, however, three changes that affect them:
- instead of relying on a notification to their data protection authority, they themselves have to keep documentation demonstrating that they comply with the new regulation
- there are stricter and also more precise rules on when someone can ask "to be forgotten", i.e. to have his/her data erased
- non-compliance can result in hefty fines.
Some organisations may also have to nominate a data protection officer, which they did not have before.
So for whom do things change?
Those who had vague or non-comprehensive privacy statements have to adjust them to contain all the information required by the regulation.
The scope of the regulation being wider than that of the directive, overseas organisations that process personal data of EU residents now clearly have to comply. One sign of that is the notices we receive about new privacy policies: the policies may indeed have changed, but it is also possible that only the content of the privacy statements was made comprehensive.
Finally, the biggest change may be for those who based their personal data processing on implicit consent. The requirement for express and informed consent was reinforced in the new regulation: leaving a pre-ticked box ticked, or simply continuing to browse or to use a service, no longer constitutes consent. That is why we get e-mails in which organisations ask us to consent to the use (processing, in the jargon of the regulation) of our personal data in order to be able to continue using the service.
Now this is an interesting setup, as unless the data are necessary for the use of the service, consent cannot be made a condition of using it. Of course we cannot use Facebook without giving some basic data, as it would not make sense otherwise, and an e-mail address for contact may also be necessary. No one can be expected to deliver goods to us without knowing our address. There are, however, some open questions ahead: a payment provider needs our payment card data, but a merchant (the seller) may simply redirect us to the site of the payment provider and does not need our card data at all. A convenience service can be offered to remember the card data so that we do not have to enter them again at the next purchase, but this is typically a case where it cannot be a precondition for buying. There are a number of similar cases, so look forward to some disputes in the future, and not just the high-profile crusade of Mr Schrems against Facebook (and now Google and others). This crusade, however, will be the subject of an article soon.