It concerns me that the site providing information about privacy policies, data subject rights, and privacy laws has a privacy policy that doesn’t even comply with the law. The policy states that they collect “non-identifiable information... which is collected passively using various technologies.” But that’s an incorrect statement of law. Information collected passively generally includes IP addresses, which fall within the definition of personally identifiable information under the GDPR and certain US privacy laws. Also missing a lot of other stuff...
> Information collected passively generally includes IP addresses, which fall within the definition of personally identifiable information under the GDPR and certain US privacy laws.
Your argument is at least formally wrong: the GDPR does not contain any such concept as personally identifiable information. It covers personal data.
An IP address can be personal data under some circumstances.
IANAL, but I would be more than surprised if the interpretation of personally identifiable information and personal data ends up being identical in legal practice. I'd assume that even lawyers are not sure yet, because there isn't any practice yet.
I was initially expecting to enter my email for it to make requests, but it instead gives info on how I can request information from sites individually. A bit more effort but makes me feel a bit safer as a result.
I see that there's a way to suggest it to "request for me" as well, so that covers all bases!
While it is great, there are many instances where you can't make a data request without making an account first, including Facebook and Google services (Alphabet is not on the list btw), which quickly brings up the question, especially if you are European, how to report GDPR violations[1]?
I have actually written to Facebook (without having an account) and requested my personal data, worked fine. I believe the address I used was [email protected]. They replied that they do not have any data on me. They requested a copy of my ID though, if I remember correctly.
I love the idea here, but I submitted some feedback before: Specifically, I think they should provide a clear notation of which have automated export tools and which do not, and a news feed for when the methods of data access become available. The site would be much more useful if I could quickly use it to locate export tools.
I really like the idea, but a part of your program should check the links for contact forms to ensure they remain up-to-date. The one for IKEA didn't work for me.
[+] [-] dangold|7 years ago|reply
[+] [-] usr1106|7 years ago|reply
[+] [-] eps|7 years ago|reply
[+] [-] toxicFork|7 years ago|reply
[+] [-] a_imho|7 years ago|reply
[1] https://news.ycombinator.com/item?id=17318773
[+] [-] Gasp0de|7 years ago|reply
[+] [-] ocdtrekkie|7 years ago|reply
[+] [-] BillinghamJ|7 years ago|reply
[+] [-] curiousgal|7 years ago|reply
[+] [-] jacquesm|7 years ago|reply
If not why would you send them on a wild goose chase?
[+] [-] davisr|7 years ago|reply
[+] [-] jaxn|7 years ago|reply
[+] [-] toxicFork|7 years ago|reply
[1] "So Your Startup Received the Nightmare GDPR Letter" which contains
[2] "Is there any regulation about how the data has to be formatted? Say I send a json string like "this is LITERALLY the data we use", but the average Joe is left irritated and annoyed, am I in trouble?"
---
From the ICO: (the UK regulator)
How should we provide the data to individuals?
If an individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise.
The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information (Recital 63). This will not be appropriate for all organisations, but there are some sectors where this may work well.
However, providing remote access should not adversely affect the rights and freedoms of others – including trade secrets or intellectual property.
Ref: https://ico.org.uk/for-organisations/guide-to-the-general-da...
---
[1] https://news.ycombinator.com/item?id=17177817
[2] https://news.ycombinator.com/item?id=17178125
[+] [-] ericintheloft2|7 years ago|reply
[+] [-] azinman2|7 years ago|reply