
Yes, people make mistakes. And by deciding to create a business around other people's personal information some mistakes are bad enough to merit a fine.

All sorts of civil offences and crimes can be mistakes. While "it was an accident" might lower the penalty it doesn't negate the fact the mistake was made and people might have been hurt.

The idea that we should hold companies that profit off people's personal data blameless if they manage to "make a slip-up" with it is absurd. The only other industry where we accept those kinds of mistakes is Wall Street and we all know how well that policy has gone.




>deciding to create a business around other people's personal information

>profit off people's personal data

Have you "decided to create a business around destroying the environment" and "profit off CO2 emissions" because your office is heated in the winter? GDPR is not specific to the adtech or data brokerage industries.


Yes, climate change effects would probably be a more accurate analogy -- but many people are very much against carbon tax schemes so it felt best to avoid that comparison.


I used to have a website that did stuff with GPS data that was uploaded by users.

It was purely a hobby affair that was a net loss, but Google ads ($10 per month) reduced the cost somewhat.

Those ads probably made it a for-profit business.

I shut the thing down before GDPR, but if I hadn’t it surely would have been an excellent reason to do so.

Those are the kind of websites that you lose.

I consider that a loss.


GDPR doesn't prevent you from collecting personal data. It only requires you to have a clear reason for collecting everything and being transparent about what data is collected and how it is processed.


The examples here make clear that "a clear reason for collecting everything" means an ironclad justification for each field, each bit of precision, each minute of retention. That is not a casual thing. As in, one of the fines here is for retaining a phone number to fulfill a need to communicate, when postal mail could have worked instead.

It is doable, if you have the lawyers and the time. But that's not a degree of scrutiny you want to gamble your life savings on for a personal project.


If you don't need a phone number why collect a phone number?

I might need it later is not a clear reason!


"Don't need" as in "there are feasible alternatives."

HN doesn't need to know or share your username to post your comment, it is clearly possible to run a message board without usernames, and conversations could be maintained by generating a random pseudonym for each thread.


Also, the fine (if we are talking about the Danish one) was not for collecting a phone number. It was for retaining it after the retention limit (in this case 2 years, and they kept them for 5 years) without a good cause. The company argued they were an essential part of the database. People love to make GDPR look bad, but it's often not as bad as it looks from a one-line summary.


Why could GDPR possibly make someone shut down such a website?

Pure FUD.

EDIT: Downvotes don't change reality. The OP is spreading FUD.

Edit: unless the website was actually abusing users' privacy in which case I'm glad it is gone.


Well, suppose he does some transformation involving position. GPS points also have altitude in them. He neglects to sanitize altitude at the point of collection, and is therefore collecting and retaining more data than necessary to perform the service. He plots positions on a relatively zoomed-out map. Only the first six significant figures make a perceptible difference in the map position, but he retains the same precision that was uploaded, usually higher. Again, failure to minimize. Worse, he enabled automated periodic VM snapshots with his VPS provider, so is not properly complying with deletion requests.

Now he has "decided to build a business around profiting from the abuse of personal data" and the consensus in this thread looks on his destruction with glee.


> Worse, he enabled automated periodic VM snapshots with his VPS provider, so is not properly complying with deletion requests.

This is typical FUD. GDPR allows backups. Right to be deleted doesn't mean grovelling through backups. If those snapshots are rotated out after e.g. 3 months he is fine.

And regarding sanitizing altitude. Again pure FUD. There is no way that that would be a problem.

Of course if he stores the data in a personally identifying way and then is either incompetent or abusive then he could attract a fine...

In the real world GDPR enables such websites because users can trust that he has to follow some minimum standards.


The great thing about TFA is we can stop speculating and see what the regulators are actually doing.

>After the controller succeeded to identify the data subjects he refused to comply with the deletion request, arguing he is legally obliged to retain backup copies according to the Accountancy Act and internal policies. Since he did not properly inform about these policies, the NAIH held the controller breached the principle of transparency.

So maybe if his backup regime were precisely specified in his privacy policy. But even a conflicting legal requirement is no defense, here.

Regarding minimization, 4 other cases:

>During an inspection, the Lithuanian Data Protection Supervisory Authority found that the controller processed more data than necessary to achieve the purposes for which he was a controller.

>Data was not only processed if adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

> The video surveillance subject of the proceedings is therefore not limited to areas which are under the exclusive power of control of the controller.

> The Commissioner considered that the aim could be achieved by referring only to the initials of their name and/or their faces being blurred and/or publishing photographs drawn from a distant distance

"Of course if he stores the data in a personally identifying way..." GDPR cares not for identifying but for identifiable. It's GPS data. If someone uploads data pertaining to their home, workplace, frequent travel routes, etc. then it is definitely identifiable.

Regarding FUD, it seems FUD is exactly what the DPAs intend, since they are punishing rather than helping when asked for advice!

>Kolibri Image had sent a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. After not answering Kolibri Image in more detail, the case was forwarded to the locally responsible Data Protection Authority of Hamburg. This Authority then fined Kolibri Image as controller for not having a processing agreement with the service provider.


Statement from Kolibri Image (German):

https://kolibri-image.com/causa-datenschutz/

Google translate:

https://translate.google.com/translate?hl=&sl=de&tl=en&u=htt...

tl;dr

The Data Protection Authority of Hessen suggested that Kolibri Image draft their own data processing agreement and get Packlink, located in Madrid, to sign it. [1]

Kolibri Image then stated that they would "leave things as they are", which was incorrectly interpreted to mean that they'd use Packlink without an agreement instead of not using Packlink in the future.

In addition, Kolibri Image forgot to update one of their six data processing agreements on various websites which still mentioned Packlink, so their clarification of the matter was not believed.

Finally, the case was dropped because it (partially?) happened before the 24th of May.

[1] Drafting a data processing agreement for Packlink is of course not very practical because who knows how they handle their data and why would Packlink sign it in the first place if they don't want to offer a data processing agreement. In addition, the cost of drafting and translating the agreement is much more expensive than the savings from using Packlink as a shipping processor.

In any case, I agree that fining after asking for advice is not a friendly move.


I think you should dig into these cases a little deeper.


The people who can be relied on to do that correctly when money is on the line are called lawyers, and they aren't cheap.


You receive an email with a request for a privacy statement? Great, one way or the other, that's work with potential legal repercussion, which means you probably should talk to a lawyer. Additional expenses and hassle for no good reason.

You make a fix in the email system that accidentally emails everybody at the same time? (It almost happened.) Oops. There's your exposure to some nice fine.

You don't need to be abusing somebody's privacy to be concerned about legal exposure. Just like there are asshole companies, there are asshole users as well who can make your life miserable.

Any hobbyist who doesn't take this kind of exposure into consideration is naive.


I'm sorry but every website collecting personal data should set out clearly and simply what it is used for and how it can be distributed. For a small hobbyist site you don't need a lawyer, there are plenty of decent templates out there.



