Domain: gdpr-info.eu
Stories and comments across the archive that link to gdpr-info.eu.
Comments · 14
-
Re:Worthless
I believe you haven't read Article 7, section 4 of the GDPR.
https://gdpr-info.eu/art-7-gdp... -
Re: prefer cash
2. Write to bank instructing them to immediately halt all sharing of your data with these organisations as is your legal right under Article 18 of the EU GDPR. https://gdpr-info.eu/art-18-gd...
Kinda funny you post a direct link to the document and yet it's clear you either haven't read it or don't possess an adult level of reading comprehension.
I read it and it's quite clear that as long as the data is accurate, necessary for the collector to conduct business, and not illegally obtained, they can tell you to go suck a bag of dicks.
There are all sorts of reasons your bank might need to share data with a 3rd party. Credit reporting, collections, etc... Your desire to block that apparently isn't always supreme.
I'll grant you that the EU does seem to be way more concerned with the privacy of it's citizens, at least on an economic level, but it would appear that right is not paramount to all valid reasons.
I'd further wager that if EU companies begin to suffer under the restrictions you do have, they'll be relaxed the moment it becomes clear the EU might slip in global trade.. Nobody wants to see their wealth being drained (well, besides the US obviously as we just can't seem to send enough cash to China) and nobody wants to dive into a recession. The more onerous (even if just) your laws and red tape become, the harder it is for companies to compete with low cost alternatives.
Economics and social policies tend to act a bit like a pendulum swinging back and forth until some reasonable middle ground is reached. But even that stability is usually short lived as times change and economic/global crises come and go.
The GDPR is a relatively new policy and nobody is sure what the total ramifications are yet. I'd be a little less cocky about it...
-
Re:the real story
The GDPR allows for decisions made by machines to be reviewed by a human on request.
That's limited to decisions "which produces legal effects concerning him or her or similarly significantly affects him or her.".
Here, there are not yet any actual effects. At this juncture they're just receiving initial letters saying that the council suspects they're falsely claiming a tax credit, and have an opportunity to show evidence to the contrary -- evidence which a human then would have to review. I highly doubt that would fall under the above definition.
-
Re: An advanced nation
Based on this article and other results of Google Search for gdpr public sector, parts of GDPR apply to government agencies; other parts do not. The requirement for entities outside the EU that do business in the EU to hire a representative in the EU pursuant to article 27 is among those that do not apply to the public sector.
-
Re:Article 27 GDPR was the breaking point
Is your website in German? Or are you relying on customers to have proficiency in English?
That depends. Does a website in English, French, and Spanish with a US mailing address appear as someone targeting Britain, Ireland, France, and Spain? My reading of the test in recital 23 shows that regulators would instead realize it is targeting USA, Anglophone Canada, Francophone Canada, and Mexico. However:
d) Are you shipping within the EU or from outside?
From outside. But if the <select> element for country in the shipping destination and billing address forms contains <option> elements referencing member states, that might count as "the mentioning of customers or users who are in the Union" per recital 23.
e) Do you actually have a subsidiary or presence in the EU.
Article 27 compliance is easier for an entity with a subsidiary in the Union because it can designate said subsidiary as its representative.
Remember you actually need to do something within a jurisdiction for that jurisdiction to apply
Does having a processor process customers' payment count as "doing something"?
get some different legal advice because the current one you're getting is making you afraid of being sued by your own shadow.
In principle, I agree. But it'll take some time for there to be enough case law that lawyers leave "avoid making yourself a test case" mode and become interested in offering a more moderate second opinion.
-
Re:Article 27 GDPR was the breaking point
Just because you are willing to put something in a box and mail it to the EU doesn't mean you're doing "business in the EU".
Article 3(2)(a) states that "offering of goods and services [...] to such data subjects in the Union" is enough to make the GDPR apply.
Rather than paying representatives companies which do business in the EU could just get their Irish accountants to handle the requests.
Correct. A company with a subsidiary in the EU can designate the EU subsidiary as its representative pursuant to Article 27.
But when you wrote your comment, were you mostly referring to multibillion-dollar companies or to small businesses with annual turnover less than $10 million?
-
Re:Article 27 GDPR was the breaking point
You only need to have a representative if you do large scale processing of tracking data mentioned in paragraph 9.1: Like race, religion, health and other categories deemed especially sensitive, and only if you haven't got prior permission.
Article 27(2)(a) (linked again for convenience) sets forth four requirements for a private sector business outside the EU that does business in the EU to be exempt from the requirement to hire a representative:
1. processing "is occasional";
2. processing does not include large-scale processing of Article 9(1) data, largely related to membership in a protected class under anti-discrimination law, which you mentioned;
3. processing does not include large-scale processing of data about criminal convictions; and
4. processing "is unlikely to result in a risk to the rights and freedoms of natural persons".The use of the word "and" in the text of the article means that processing must meet all four requirements. Even if processing meets criteria 2, 3, and 4, if it does not additionally meet criterion 1 of being "occasional," the business must either hire a representative in the EU or turn away customers in the EU. This is why a lot of small businesses outside the EU are waiting for EU judges to define "occasional" before entering or reentering the EU market.
If my analysis is incorrect, then what does the phrase "processing which is occasional" in the regulation mean, and why?
-
Article 27 GDPR was the breaking point
At what point will it no longer be worth it to business in the EU?
For many companies, that came on 25 May 2018, the effective date of Article 27 of the General Data Protection Regulation (GDPR) (text). It requires businesses outside the EU that do business in the EU to hire a representative in the EU to handle privacy requests, even if the foreign business otherwise complies with the GDPR. Representative service can cost thousands of USD per year (source).
Only "occasional" processing of personal data is exempt from the Article 27 requirement, and it remains to be seen how EU judges will interpret "occasional" in light of its lack of definition in the text of the GDPR. For example, if a business does less than 1% of its worldwide turnover in the EU, is processing "occasional" when it happens roughly twice per order, once during payment and once when the business prints a shipping label?
-
Re:Only $23.50?
Unfortunately that won't work for you since EU citizens in your country are also covered.
Nope (unless "your country" is the EU). Just read Article 3 of the GDPR.
-
Re:Download? What about delete?
I'm sure it's coming. The Data Download tool is likely a requirement to satisfy the new GDPR regulation that goes into effect in a month or so, specifically article 20 ( Right to Data Portability: https://gdpr-info.eu/art-20-gd... ). There is another requirement in the same regulation that guarantees the right to erasure ( https://gdpr-info.eu/art-17-gd... )
-
Re:Download? What about delete?
I'm sure it's coming. The Data Download tool is likely a requirement to satisfy the new GDPR regulation that goes into effect in a month or so, specifically article 20 ( Right to Data Portability: https://gdpr-info.eu/art-20-gd... ). There is another requirement in the same regulation that guarantees the right to erasure ( https://gdpr-info.eu/art-17-gd... )
-
Re:EU Type protection for all users
I just posted this down-thread, but its worth posting here as well - the "Territorial scope" is based on the physical location of the "data subject", not your status as an EU citizen.
If you are an EU citizen living in the US, you fall outside the scope of the GDPR regardless of where your data resides.
-
Re: EU Type protection for all users
Nope, its got utterly nothing to do with "being an EU citizen".
Article 3, Section 2 of the GDPR, entitled 'Territorial Scope' explicitly states:
This Regulation applies to the processing of personal data of data subjects who are in the Union...
Nothing about citizenship, everything about the physical location of the data subject. If you are an EU citizen residing in the US, you fall outside the scope of the GDPR.
-
Re:It should be regulated
New privacy laws are coming, at least in the EU. According to the General Data Protection Regulation, EU residents will, among others, have options to access and purge information collected about them come May 28th, 2018. How this will work in practice remains to be seen.