by imhoguy 2159 days ago
It is enforced and viral in the EU. Think of it like radioactive materials: any operation needs to be fully tracked.

While accessing any user's personal details you need to have the user's consent to process their personal data. You can't simply buy the dataset and assume it has consent. When you buy data from a data provider you need to make sure the user gave consent to that provider for handling the data by third parties, in accordance with the GDPR. Users can revoke the consent, and every party needs to be ready to handle that scenario. Any data export outside the EU also needs consent under the GDPR. Moreover, the dataset needs to be registered with the local regulator.


While accessing any user personal details you need to have user consent to process their personal data.

Consent is only one of the lawful bases for processing data under the GDPR. In practice, it's the one almost everyone tries not to rely on unless they can't avoid it, because it comes with extra obligations that other bases might not.

Could you list the others? Or at least provide some examples?

Basically, all I know of are based on either record keeping that is mandatory by law, or records used to fulfill whatever service/product/goods the user purchased, but even in these cases the processing must be described, right?

The GDPR itself is actually quite readable, so if you're interested in the details, you can go to the source. There's a neatly formatted version hosted here:

https://gdpr-info.eu/art-6-gdpr/

What the source material won't tell you, for better or worse, is how these are interpreted in reality by data controllers, processors and regulators. The two main things to know in that respect are:

1. Relying on the subject's consent is usually the last resort. It comes with lots of extra strings attached.

2. The "legitimate interests" provision is open to interpretation. It is widely used as an excuse for processing that many of us might consider far from desirable. But it is also a risk for data processors doing things many of us might consider reasonable, because any regulator can take a different view and they get to win by default.