by lamlam 2978 days ago
One important thing to note about some of these points is that they don't have to be made easy for users. For example, in relation to "Ability to export data", there doesn't necessarily need to be a feature on the website for it to be compliant. They simply need to do it if you ask. So if that means having someone manually run a query to get a data dump every time someone asks, it's still considered compliant.

Of course that doesn't actually scale. That's why most all the big players are providing export features.


At my job we do it semi-automatically; i.e. there are automatic export tools, but emails are sent back and forth first.

This is because we've received only a handful of requests and because there isn't an automatic system for the extra layer of authentication comparable to answering an email with a token in it.

Come to think of it, this places an even bigger value on email: You can probably get all of someone's private data from external sites once you have their email. As if it wasn't a big enough part of stealing someone's identity already; now you can properly steal people's pasts!

That can't be the whole story though. In general, a regulation stipulating that a business provide a feature can't allow businesses to make it arbitrarily difficult for a user to use that feature, since that would defeat the public policy behind the regulation.

I suspect that the line here will be decided in some court.

> I suspect that the line here will be decided in some court.

Sure. At the end of the day though people shouldn't be using GDPR as an excuse to avoid making stuff or launching their projects. As long as you make a reasonable effort to do what people are asking for via email then you're probably not going to be the test case.

Yes, making things _arbitrarily_ difficult would probably go against the spirit of the law, even if it technically complied with it. But as Alex3917 pointed out, as long as a company responded to GDPR requests by email in a timeline in accordance with the law, they would be safe.

Indeed, I noticed this in Google's GDPR terms and conditions I was required to agree to yesterday. Long story short, Google will charge you to delete your data, which I thought was against the spirit of the GDPR law:

"Google may charge a fee (based on Google’s reasonable costs) for any data deletion under Section 6.1.2(a). Google will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such data deletion."

The GDPR explicitly says you may charge a reasonable fee to cover your administrative costs.

Oh! I totally missed that. Thank you for the correction.

Not meaning to be argumentative, but is there a reference for that beyond Article 12 Section 5? (I probably missed that too.) But that section seems to suggest you can only charge a fee (or even decline to act) if the requests are unfounded or repeatedly excessive:

https://gdpr-info.eu/art-12-gdpr/

"Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

refuse to act on the request."

(Google's clause was opting to charge for any deletion request that is not yet automated.)

Five euros I was told in the knowledge session at my work.

Can't that be a violation in the eyes of GDPR? If they don't give users a simple button, then can't that be argued to be not giving the user the ability to export data? The problem I have with GDPR is that there's so much open to interpretation.

Articles 15 and 17 (dealing with deletion and access) both contain a provision where if the request is unfounded or excessive, you may charge a reasonable fee. You cannot charge a fee for compliance with standard requests, and "reasonable" is something that would likely be argued in court.

Source: https://ico.org.uk/for-organisations/guide-to-the-general-da...

Edit: mis-referenced article 15 as export instead of access.

If you have an email address you can give users for privacy requests and a promised turnaround time (we will respond to all privacy messages in 7 days) you're OK.

They do provide an API and public data set, so the export could be self-serve.