Ask HN: GDPR for solo founder
5 points by video-host, 2963 days ago
I run a small SaaS from outside the EU but with a few clients there. I collect names and some physical addresses. It's nearly impossible to know what I should do for GDPR:
* is a message about using cookies enough?
* do I need a privacy policy?
* ...
My understanding, based on my reading and your comment, is as follows:
* You are retaining personal information - this requires consent.
* If you do something with the information you have, it requires consent.
* If you don't do anything with the information, and you are not legally obliged to retain it, you should delete it.
* When an individual asks, you must be able to tell them everything you hold on them, and where you got consent.
* When an individual asks you to delete their data, you must be able to do it within a short time-span (unless legally obliged to retain it).
* Consent can be implicit - for example if someone signs up for a service.
* You absolutely need a statement saying what information you hold, and what you do with it.
* If you can't say when, where, and how someone gave consent, you should seek to obtain explicit consent with an "opt-in" email.
Some of the above will probably be wrong, but I don't think anything is very wrong.
[0] https://gdpr-info.eu/