item 16518440

mziel | 8 years ago

You're supposed to enumerate all uses of the data (and they need to be sufficiently detailed and specific). The user has a choice to opt-in/out of each of them separately.

There is currently no detailed description as to what the definition of "sufficiently" is. For example:

- can I use your data to build a targeting machine learning model?

- can I use it to target you?

- do I need specific opt-in for every model?

Most things in GDPR are not specified in order to both give flexibility to the sites and to reduce the number of loopholes (which are technically legal but against the spirit of the law). You need to decide on the implementation and be ready to defend it in case of an audit.

TomMarius | 8 years ago

Defend it? What happened with "innocent until proven guilty"?

cyphar | 8 years ago

This is a corporate regulation, not a criminal case. When a company gets audited by the tax office of a country, they similarly have to defend their finances and prove that they were following relevant tax laws. I don't see why auditing for GDPR compliance should be different to auditing for VAT compliance.

zaarn | 8 years ago

The GDPR does somewhat turn handling private data into "guilty until proven innocent".

Until you prove otherwise, by means of contract, legitimate business interest, law or consent, assume private data is meant to remain private.

xxs | 8 years ago

This isn't a criminal case.

s73v3r_ | 8 years ago

The industry decided to vacuum up every last little bit of data they could get their hands on. They've very much already been proven guilty. This is now probation for the industry.