zlacker

[parent] [thread] 6 comments
1. lrpubl+(OP)[view] [source] 2020-04-21 18:52:20
I don’t think recital 47 allows carte blanche data collection in the name of fraud detection, and at the very least I would think there is an obligation for disclosure of the data collection, a mechanism to access it (DSAR) and the ability to correct inaccuracies.
replies(1): >>lmkg+A5
2. lmkg+A5[view] [source] 2020-04-21 19:25:57
>>lrpubl+(OP)
You're correct about all of these points. GDPR still means that the principles of transparency, purpose limitation, data minimization, etc. are in play, as are data subject rights like access, rectification, and erasure. I was only addressing the specific issue of consent from your previous comment. Consent wouldn't be necessary if there's a different legal basis, and fraud detection qualifies as a Legitimate Interest.

Note that collecting consent still doesn't give you carte blanche to collect all the datas. The principle of data minimization still restricts you to only the data you need for the purpose you state when gathering consent.

replies(1): >>lrpubl+G8
◧◩
3. lrpubl+G8[view] [source] [discussion] 2020-04-21 19:47:32
>>lmkg+A5
For the avoidance of doubt, the main point of my comment was the not insignificant risk (a maximum fine of 20 million euro or 4% of turnover if that is greater) if a data controller does not meet the obligations of the GDPR.

Consent, as you point out, is only one aspect of this.

replies(1): >>Nextgr+2N
◧◩◪
4. Nextgr+2N[view] [source] [discussion] 2020-04-22 01:35:59
>>lrpubl+G8
> was the not insignificant risk (a maximum fine of 20 million euro or 4% of turnover if that is greater)

Facebook and Google are still around. There is absolutely zero risk of any significant GDPR fine as long as the biggest offenders are allowed to run freely.

replies(2): >>lrpubl+NZ >>hanspe+g91
◧◩◪◨
5. lrpubl+NZ[view] [source] [discussion] 2020-04-22 03:53:01
>>Nextgr+2N
Facebook and Google have very deep pockets and are taking lots of steps to comply with the letter, but arguably not the full spirit of GDPR.

I think it would be unsafe to assume that there is zero risk of significant GDPR fines on the basis that the regulatory bodies have not picked a battle with google and Facebook.

Smaller organisations that seem to be doing less to respect GDPR are probably an easier starting point for regulators to begin enforcing the law.

◧◩◪◨
6. hanspe+g91[view] [source] [discussion] 2020-04-22 05:27:53
>>Nextgr+2N
There's absolutely more than zero risk. In Denmark a medium sized taxi company was fined $200,000 for keeping their customer data longer than necessary.

Also: How are Google and Facebook offenders of GDPR?

replies(1): >>lrpubl+Pi1
◧◩◪◨⬒
7. lrpubl+Pi1[view] [source] [discussion] 2020-04-22 07:29:15
>>hanspe+g91
I think this is exactly the point. Smaller companies (like stripe), that play fast and loose (maybe not stripe) with European customers’ data are a good target for regulators to make a point.
[go to top]