Hacker News new | ask | show | jobs
by disconnected 2988 days ago
> Instead now I need to write a stupid page where I say "[MY NAME] will manage your data this and this way".

Are you referring to the Data Protection Officer (DPO) requirement?

I believe this is the relevant article: https://gdpr-info.eu/art-37-gdpr/

If I understand correctly, you only need to appoint a DPO in cases where you are either a public entity (you are not) or in cases where your site requires "regular and systematic monitoring of data subjects on a large scale", or in a couple of other special cases where you process extremely sensitive data.

Presumably you aren't doing that on "your" forum/webpage, so you don't need to appoint a DPO.

I think you are making a bit of a storm in a teacup here.
1 comments
nannePOPI 2988 days ago
You need to reveal who is managing the data in any case, which is separate from the DPO.
link
poizan42 2988 days ago
Is it Article 13.1.a we are talking about here? It says

> the identity and the contact details of the controller and, where applicable, of the controller’s representative;

See, the main question here is which identity it is that must be disclosed. The definition in article 4.7 has this to say:

> ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

What exactly falls under "other body" may be important here. What it does not say is that it must be a legal person.

Let us say that you have a forum on omgweirdfetishes.eu. You may say that the controller is The OMG Weird Fetishes Forum. Now it may be arguable that in itself counts as "other body", but generally there's the concept of "Unincorporated Association" which is just any group of people with a common purpose, it would be hard to argue that that doesn't fall under the "other body". In some countries, e.g. Denmark, an unincorporated association is even recognized as a legal entity in its own right.

So say that "The OMG Weird Fetishes Forum is driven by The OMG Weird Fetishes Forum Association. The members of the The OMG Weird Fetishes Forum Association consists of the users of The OMG Weird Fetishes Forum", and then identify the data controller as "The OMG Weird Fetishes Forum Association, contact details: webmaster@omgweirdfetishes.eu"

link
x0x0 2988 days ago
If you are this afraid to tell your customers and/or users your name, they are right not to trust you.

ps -- if you want not to be required to disclose anything under the GDPR, don't collect any personal data. No ips, usernames, access logs, etc.

link
TomMarius 2988 days ago
How do you do that, purely technically? That opens you up to even most basic attacks.
link