by jinglebells 2511 days ago
The GDPR isn't a bunch of rules, it's a process. It's no different to your health and safety process. You define your process, what data you have and where it is and any risks.

Personally, with massive PII dumps getting leaked every week I'm not surprised governments are starting to act.

> but right now, if I'm selling you something online then I still have to state in my privacy policy that I'm going to keep records of money you pay me and I'm going to store those records for long enough to comply with my obligations around tax records.

No, you don't. That's covered by the rule "Compliance with a legal obligation" because you have to do it, but only store as much as you need.


Quite: far too many people equate the "consent" basis for holding data as the _only_ basis for holding data. It is not, and compliance with other laws is also a valid reason which _cannot be overridden by withdrawal of consent_.

Sure, but if we're talking about data usage for marketing and targeted ads, then generally consent would be the only basis that can apply.

If you have a legitimate basis to collect and store personal data for some purpose X, then that doesn't allow you to use the data you collected and stored for anything else - if you want to use the same data for some other purpose (like targeting ads or given them to your "partners" to target ads), then you need consent; and if you give them to your "partners" to allegedly execute that legal need X but it turns out that they're using it to target ads or reselling data, then you're liable for that.

> Sure, but if we're talking about data usage for marketing and targeted ads, then generally consent would be the only basis that can apply.

That's debatable. The GDPR itself explicitly notes [Recital 47] that even direct marketing can constitute a legitimate interest.

However, there are specific provisions for that case, particularly the explicit provision [Article 21, para 3] that if the data subject objects to processing for direct marketing purposes then that is black and white and that processing must be stopped.

Yes you do [have to state that in your privacy policy].

Compliance with a legal obligation is valid grounds to store and process data, but the information requirement still applies - you need to inform the customer what you're collecting and why, you just don't need their consent in this case.

E.g. the GDPR article 13.1.d / 14.2.b - you need to inform the data subject about what exactly is your legitimate need that justifies the processing of data; and customers then can judge whether that need (and the collected data for it) seems reasonable or warrants a complaint to the regulator.

> The GDPR isn't a bunch of rules, it's a process.

The GDPR is an EU regulation. An EU regulation is a bunch of rules that have direct legal effect across the Union.

> No, you don't. That's covered by the rule "Compliance with a legal obligation" because you have to do it, but only store as much as you need.

That's a legal basis for processing, which you also have to disclose. It doesn't exempt you from disclosing other required information such as the types of personal data you're collecting or your policy on retention.