by okamiueru
1922 days ago
I see. Thanks for the clarification. What you describe makes sense, but the way it's implemented everywhere seems like a complete breach of GDPR. If I understand it correctly, "legitimate interest" would be the processing of data necessary to perform the service in question, of which extent must be properly informed? If I can turn the "legitimate interest" options off, and the service / product remains the same, then... isn't that a clear indication that the grounds for it being "legitimate" don't hold up? For example, I'd consider a service feedback functionality to be "legitimate interest". It's obvious that for it to work, there is a legitimate interest for processing the data transmitted.
A company can also decline opt-out if they have an "Overriding Legitimate Interest." This is true regardless of whether the original legal basis was Legitimate Interest or Consent. However, the company must restrict processing only to that particular overriding interest.
"Fraud Detection" is the canonical example of an (Overriding) Legitimate Interest. To my knowledge, that's the only example that's actually given in the text of GDPR itself. Telemetry is generally believed to be another example, and in that case it's probably not Overriding.
Processing necessary to provide a service is kind of weird. If the service is part of a contract, then you use Performance of Contract as your Legal Basis. But if the use of the service doesn't actually form a contract, then you can't use that Legal Basis and have to use either Consent or Legitimate Interest. There are arguments for and against either.