by Isinlor 2952 days ago
GDPR doesn't require consent for data processing.

Seems like they claim that they base the data processing on:

1. contract about delivering services between you and them

2. profiling is based on a legitimate interest of their administration

3. sending data to third parties based on consent

The way they write it I would call "Polish legalese", so I'm quite confident it was written very carefully by a lawyer and they know it is sketchy.

BTW I really recommend reading "Guidelines on Consent under [GDPR]" by the Article 29 Working Party, an EU body established by the previous directive. It's written in simple language, with examples of what is valid consent and how regulators think about it.

http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_...


I am sorry but you are wrong.

Legitimate interest is so wrongly understood. You can only use it if your business is not able to function without some PI, and for nothing else. For example, if you are having an online store, it is perfectly ok to require name and address, as you can't deliver goods to the customer without it. The phone number is already fishy (if you already have another means to communicate). Using a 3rd party by default that is doing monitoring/tracking is a no go; you can't put it under legitimate interest. And you can't force a user to give you consent by denying access, as this violates the requirement that it has to be given freely. You will get a consent this way, but it will be invalidated in case someone complains to the ICO, and then you have troubles. And I have talked to our ICO in person. And Google already got a complaint. So did Facebook and Instagram and WhatsApp.

I think that the persons that were saying that analytics is ok didn't read THIS: "Article 29 Working Party, Opinion 6/2014 on the notion of legitimate interest of the data controller under Article 7", page 25 (http://ec.europa.eu/justice/article-29/documentation/opinion...): "However this does not mean that controllers would be able to rely on article 7(f) to unduly monitor..."

You can thank me later ;)

The fact is that GDPR defines 6 bases for data processing, therefore consent is not always required. But I think you just missed a part where I wrote: "they claim" ;).

And I agree with you. Something quite simple like consent is very misunderstood. Something so vague as legitimate interest is bound to be misunderstood.

I was actually looking for some analysis of "legitimate interest" because I have no idea how to apply it in practice, but I couldn't find anything. So yeah, thanks for the link :).