No, that's not correct. The GDPR is a surprisingly sensible set of rules, e.g. it allows collection and storage of data under certain circumstances. The salient point here is probably that it is allowed to collect and store all data required to fulfil a contractual obligation, e.g. your home address, or if you are shopping at a pharmacy your prescriptions. The important part is not what type of data* is collected, but that the collector is restricted to use that is required to fulfil the obligations. If you want to use it for something different (say direct marketing) you have to ask for permission.
This extends to many areas, including e-mail, if they are required to deliver your services you may just save them. However, you may not use the e-mail to send newsletters. Of course, you want to double opt-in e-mails in any case unless you don't mind false or malicious entries and being labeled as a spammer. But that has nothing to do with the GDPR.
* the type of data is of importance when we are talking about data breaches and fines. Losing e-mail addresses is bad, losing prescriptions is much worse.
No. Consent is only needed for data you collect which is unnecessary to provide the service you are offering and is unexpected by the user. If you require an email address for a mailing list or notifications, you do not need consent. If you have webserver logs containing IP addresses you use for debugging and abuse prevention, you do not need consent (though you probably want to not hang onto them for longer than necessary for those purposes). Same with names and addresses for billing and shipping, etc. If you collect data for analytics or targeted advertising, you need consent (which means rejecting that option needs to be the default and at least as easy as accepting in the dialog, something which many of these dialogues fail at. If it takes more clicks to close the dialog without 'accepting', that is not GDPR compliant in the view of most regulators).
Propelloni|2 years ago
rcxdude|2 years ago