loftar wrote: Robben_DuMarsch wrote: There are certainly people that agree with this interpretation. That's what the "Check here if you accept our terms of use/privacy policy" thing was for.
The thing is, I guess, that I get the impression that it's generally okay (seems to fall under the category of "legitimate interest", which is supposedly a good thing, or something) to keep data only for the technical requirements of running the service in question and resolving security issues, and that what is required to get consent for is any sort of analytics, tracking, data-mining, marketing, &c&c. Since we indeed strictly only do the former and none of the latter, that leaves me unsure whether we actually need to do anything.
I do know there is a similar dichotomy to cookie notices, in that cookies strictly kept for technical aspects such as keeping people logged in, as opposed to analytics cookies, explicitly require no notice, which is why we haven't needed any such either; and it seems to me that it would be congruent for the GDPR to work similarly. Not that I don't know that consistency and congruity are a lot to ask for.
Well, you've piqued my curiosity enough that I decided to look into what role consent played, and why corporations aren't requiring it. So instead of just giving you grapevine, let's get to the source.
Yes, it's not *necessary* to get consent in advance under certain circumstances, because consent isn't required. It's just one of the various justifications that permit you to "process" data. Any of them will do, but at least one has to apply.
Processing shall be lawful only if and to the extent that at least one of the following applies:
the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which the controller is subject;
processing is necessary in order to protect the vital interests of the data subject or of another natural person;
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Effectively, you can process data through consent or via one of the other enumerated reasons.
You seem to have drawn a reasonable conclusion. The way that you process data may reasonably be determined to be a "legitimate interest" that does not require consent.
Consent is a nice shield from regulatory oversight though, for those companies that don't want to be quibbling over whether their data use serves a "legitimate interest."
However, this is just Article 6 of the GDPR, and it relates to the circumstances you can permissibly process data.
There are other obligations, such as those pursuant to Article 13, which require you to undertake the other things we've discussed.
Being permitted to process data as a "legitimate interest" does not excuse you from the other disclosure/right to deletion requirements of the GDPR; it just renders you able to legally handle that data in the first place.
Now that you've got it, you've got to inform users appropriately, handle it appropriately, etc.
See Article 13(1)(d), which informs you that as a party who is seeking to process data pursuant to a "legitimate interest," you are actually required to inform your data subjects of what that legitimate interest is.
None of this is in my capacity as an attorney, mind you. But hey, what Granger suggested seems extremely reasonable.