H&H violating GDPR?

General discussion and socializing.

Re: H&H violating GDPR?

Postby Robben_DuMarsch » Wed May 30, 2018 12:51 am

loftar wrote:
Robben_DuMarsch wrote: I think you're conflating the GDPR with visible notices like the cookie notices.

Not sure. I mean, at first glance, it would seem that saving any data at all whatsoever, even keeping a HTTP accesslog, requires explicit "consent" from the user concerned which would have to be clearly communicated.

Otherwise, would there really be anything Haven needs to do, at all?


See above notice on the general consensus as to what lawyers are telling companies they should do.
Whether or not the cost and effort of strict compliance is worth the remote possibility that the EU takes a look at your 2-man business and determines that not only are you out of compliance, but you're also deserving of anything more than a nominal, discretionary, fine.... well.... that seems like an obvious conclusion. But I'll admit I'm far from risk averse.

Someone smart could come to the conclusion* that at least a token effort to comply would probably save you from the worst case scenario, as fines are levied based on a number of factors that include, among others, whether or not reasonable efforts were made... and reasonable efforts for a "boutique" gaming company that has revenues as low as this is probably preeminently reasonable.

*I am not coming to this conclusion or advising you to do this in any capacity as an Attorney.

Re: H&H violating GDPR?

Postby Robben_DuMarsch » Wed May 30, 2018 12:58 am

loftar wrote:
Robben_DuMarsch wrote: I think you're conflating the GDPR with visible notices like the cookie notices.

Not sure. I mean, at first glance, it would seem that saving any data at all whatsoever, even keeping a HTTP accesslog, requires explicit "consent" from the user concerned which would have to be clearly communicated and explicitly accepted.


There are certainly people that agree with this interpretation, but as you've correctly noticed that doesn't seem to be how *companies* are interpreting this. Nor am I prepared, or maybe even capable, of giving a good answer as to why not. It looks like most companies are going with the personal details they gather after the "Check here if you accept our terms of use/privacy policy" thing.
That's also why you got so many emails informing you about the updates to what you agreed to when you hit that check-box from websites leading up to the 25th.
Last edited by Robben_DuMarsch on Wed May 30, 2018 1:04 am, edited 1 time in total.

Re: H&H violating GDPR?

Postby loftar » Wed May 30, 2018 1:02 am

Robben_DuMarsch wrote: There are certainly people that agree with this interpretation. That's what the "Check here if you accept our terms of use/privacy policy" thing was for.

The thing is, I guess, that I get the impression that it's generally okay (seems to fall under the category of "legitimate interest", which is supposedly a good thing, or something) to keep data only for the technical requirements of running the service in question and resolving security issues, and that what is required to get consent for is any sort of analytics, tracking, data-mining, marketing, &c&c. Since we indeed strictly only do the former and none of the latter, that leaves me unsure whether we actually need to do anything.

I do know there is a similar dichotomy to cookie notices, in that cookies strictly kept for technical aspects such as keeping people logged in, as opposed to analytics cookies, explicitly require no notice, which is why we haven't needed any such either; and it seems to me that it would be congruent for the GDPR to work similarly. Not that I don't know that consistency and congruity is a lot to ask for.
"Object-oriented design is the roman numerals of computing." -- Rob Pike

Re: H&H violating GDPR?

Postby Granger » Wed May 30, 2018 1:17 am

The basic idea is that you have to create a list of where the data you process comes from, what you do with it and your strategy on how you get rid of the data of the people you want theirs deleted - or hand it over in case a user asks for a dump.

For webserver logs you have the simple reason that you want to look at them (for a reasonable timeframe) to check for errors and give criminals trying to get into your systems the medicine they deserve - after that you nuke the logs. In case you want to persist them for longer for whatever reason: wipe the last digit of the IP (and similar for IPv6) to anonymize them irreversibly and you can happily store them eternally.

For the forum you have a reason to store the IP as long as the post is online, the email connected to the account as long as it exists. In case you want to terminate accounts you simply wipe the mail from the account. In case you want to perma-ban you have a valid reason to store the mail address eternally. In case a user asks for all the data associated to his account you can post links to 'view your posts' and the PM interface.

Don't forget the data that is accumulated at your payment provider.

To the one whose data you process you have to describe what you're doing in simple words, giving the specific reasons why you process the data. So just put what you do in the privacy policy and cite the §§ from the GDPR that allow you to do it - then an auditor could look at it, see that you did your thinking on how to protect the data and move on to greener grounds.
⁎ Mon Mar 22, 2010 ✝ Thu Jan 23, 2020
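The log-anonymization step Granger describes above (truncate the client address, then keep the logs) as a worked example; this is added here and is not code from the forum or the game. It assumes a combined/common access-log layout with the client address as the first token, and an assumed retention policy of keeping a /24 for IPv4 and a /48 for IPv6, which is one common reading of "wipe the last digit (and similar for IPv6)".

```python
import ipaddress
import re

# Assumed policy: keep the network part, zero the host bits. /24 and /48 are
# our choice here; pick whatever your privacy policy states and cite it there.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48

# First whitespace-delimited token of a common/combined log line is the client.
_LEADING_TOKEN = re.compile(r"^(\S+)(.*)$", re.DOTALL)


def anonymize_ip(text: str) -> str:
    """Zero the host bits of an IPv4/IPv6 address; non-addresses pass through."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text  # "-", a hostname, or garbage: leave the token alone
    bits = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    # strict=False lets us hand in a host address and get its containing network.
    net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    return str(net.network_address)


def anonymize_log_line(line: str) -> str:
    """Rewrite only the leading client-address field of one access-log line."""
    m = _LEADING_TOKEN.match(line)
    if not m:
        return line
    return anonymize_ip(m.group(1)) + m.group(2)


def anonymize_log(lines):
    """Apply anonymize_log_line to every line; returns a new list."""
    return [anonymize_log_line(line) for line in lines]


# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.45 - - [30/May/2018:00:51:00 +0000] "GET /forum/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::1 - - [30/May/2018:00:52:17 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.58"',
    '- - - [30/May/2018:00:53:00 +0000] "GET /robots.txt HTTP/1.1" 404 200 "-" "bot"',
]

if __name__ == "__main__":
    for out in anonymize_log(SAMPLE_LOG):
        print(out)
```

Run this over the rotated log before archiving it, not over the live file, so the short-retention copy you still need for error and intrusion review keeps the full address.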

Re: H&H violating GDPR?

Postby Robben_DuMarsch » Wed May 30, 2018 1:30 am

loftar wrote:
Robben_DuMarsch wrote: There are certainly people that agree with this interpretation. That's what the "Check here if you accept our terms of use/privacy policy" thing was for.

The thing is, I guess, that I get the impression that it's generally okay (seems to fall under the category of "legitimate interest", which is supposedly a good thing, or something) to keep data only for the technical requirements of running the service in question and resolving security issues, and that what is required to get consent for is any sort of analytics, tracking, data-mining, marketing, &c&c. Since we indeed strictly only do the former and none of the latter, that leaves me unsure whether we actually need to do anything.

I do know there is a similar dichotomy to cookie notices, in that cookies strictly kept for technical aspects such as keeping people logged in, as opposed to analytics cookies, explicitly require no notice, which is why we haven't needed any such either; and it seems to me that it would be congruent for the GDPR to work similarly. Not that I don't know that consistency and congruity is a lot to ask for.


Well, you've piqued my curiosity enough that I decided to look into what role consent played, and why corporations aren't requiring it. So instead of just giving you grapevine, let's get to the source.
Yes, it's not *necessary* to get consent in advance under certain circumstances, because consent isn't required. It's just one of the various justifications that permit you to "process" data. Any of them will do, but at least one has to apply.

Processing shall be lawful only if and to the extent that at least one of the following applies:
the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which the controller is subject;
processing is necessary in order to protect the vital interests of the data subject or of another natural person;
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.


Effectively, you can process data through consent or via one of the other enumerated reasons.
You seem to have drawn a reasonable conclusion. The way that you process data may reasonably be determined to be a "legitimate interest" that does not require consent.
Consent is a nice shield from regulatory oversight though, for those companies that don't want to be quibbling over whether their data use serves a "legitimate interest."
However, this is just Article 6 of the GDPR, and it relates to the circumstances you can permissibly process data.

There are other obligations, such as those pursuant to Article 13, which require you to undertake the other things we've discussed.
Being permitted to process data as a "legitimate interest" does not excuse you from the other disclosure/right to deletion requirements of the GDPR, it just renders you able to legally handle that data in the first place.
Now that you've got it, you've got to inform users appropriately, handle it appropriately, etc.

See Article 13(1)(d), which informs you that as a party who is seeking to process data pursuant to a "legitimate interest," you are actually required to inform your data subjects of what that legitimate interest is.
None of this is in my capacity as an attorney, mind you. But hey, what Granger suggested seems extremely reasonable.

Re: H&H violating GDPR?

Postby Sollar » Wed May 30, 2018 9:01 am

Ah sweet GDPR - I just had a 40min training done at my job regarding GDPR so I am of course an expert myself, and the expertise in me states that GDPR is a fukken pain in the ass. Still, just add a disclaimer on the registration page where you state exactly what data you are storing and for what purposes, then let the owner of the account check for approval. Also do provide a "delete account/forget me" and you should be covered.

Re: H&H violating GDPR?

Postby Granger » Wed May 30, 2018 9:43 am

Robben_DuMarsch wrote: But hey, what Granger suggested seems extremely reasonable.

Thanks for the flowers. Now for the unreasonable but 'fun' stuff:

Anyone a good idea for how to address ingame parchments (which could contain personal identifying data) written by a user in case he wants to be 'forgotten' / demands a data dump?
⁎ Mon Mar 22, 2010 ✝ Thu Jan 23, 2020

Re: H&H violating GDPR?

Postby Saxony4 » Wed May 30, 2018 10:00 am

ArvinJA wrote: No emails about updates to the privacy policy has me concerned, I'm literally shaking. Haven't been able to eat or sleep, is my right to privacy being violated???

In this modern day and age there is no such thing as 'privacy'.
loftar wrote:git da mony

Re: H&H violating GDPR?

Postby loftar » Thu May 31, 2018 3:40 am

Thanks a lot for the insightful replies, both of you! I think I'm somewhat wiser as to the intention of the GDPR now thanks to that and in combination with examining what some other sites do, so will consider what I can/should/will do about it.

Granger wrote: Anyone a good idea for how to address ingame parchments (which could contain personal identifying data) written by a user in case he wants to be 'forgotten' / demands a data dump?

Seems comparable to e.g. an e-mail service that may or may not hold e-mails containing someone's personal data. As long as they don't do automatic processing of personal data from the contents of those e-mails, I very much doubt they'd be held responsible for them.
"Object-oriented design is the roman numerals of computing." -- Rob Pike

Re: H&H violating GDPR?

Postby Granger » Thu May 31, 2018 7:57 am

loftar wrote: Thanks a lot for the insightful replies, both of you! I think I'm somewhat wiser as to the intention of the GDPR now thanks to that and in combination with examining what some other sites do, so will consider what I can/should/will do about it.

Granger wrote: Anyone a good idea for how to address ingame parchments (which could contain personal identifying data) written by a user in case he wants to be 'forgotten' / demands a data dump?

Seems comparable to e.g. an e-mail service that may or may not hold e-mails containing someone's personal data. As long as they don't do automatic processing of personal data from the contents of those e-mails, I very much doubt they'd be held responsible for them.

You forgot about 'storage of data' being defined as 'processing' it.
⁎ Mon Mar 22, 2010 ✝ Thu Jan 23, 2020