Clarification on GDPR Compliance and Stuff

[AlTech]

Hi,

I've noticed that the forum got a privacy policy update sometime after GDPR came into effect.

 

However, from what I've read of the new privacy policy it makes no mention of a few major things.

 

These include:

• Data Portability
• Right To Access
• Breach Notifications

 

And the current implementation of the Right To Be Forgotten seems highly impractical and does not feel like the "Privacy By Design" philosophy mandated by GDPR.

 

Not only that but the Privacy Policy fails to mention that data processed about EU Citizens is regulated under the EU GDPR and EU laws.

 

@colonel_mortis Some clarifications and possible solutions to the above would be appreciated.

 

Thanks.

[Bananasplit_00]

hmmm maybe everyone from europe should report them.. ez EU monies  

 

/s

[AbsoluteFool]

4 hours ago, AluminiumTech said:

Hi,

I've noticed that the forum got a privacy policy update sometime after GDPR came into effect.

 

However, from what I've read of the new privacy policy it makes no mention of a few major things.

 

These include:

• Data Portability
• Right To Access
• Breach Notifications

 

And the current implementation of the Right To Be Forgotten seems highly impractical and does not feel like the "Privacy By Design" philosophy mandated by GDPR.

 

Not only that but the Privacy Policy fails to mention that data processed about EU Citizens is regulated under the EU GDPR and EU laws.

 

@colonel_mortis Some clarifications and possible solutions to the above would be appreciated.

 

Thanks.

They don't need to follow the General Data Protection Regulation. The GDPR is a matter of interest. If i as a citizen of EU demanded the GDPR to be in place i simply wouldn't use the service. But if they used GDPR all information about me must be in a EU country. Which is idiotic to even request from a community forum like this. Facebook is one thing, LTT is a completely different story on both information they collect and what it's used for.

 

The right to access is more for companies where you have an agreement for a service over time. Like your ISP that handles information in a different way and different form of information. In a forum there is no garante that the information you give is even correct. Comming forward as a shinning example here lol

[captain_to_fire]

4 hours ago, AluminiumTech said:

GDPR

Aka EU making the internet more annoying or else we’ll take 4% of your annual turnover thus hurting small businesses 

[AlTech]

1 hour ago, AbsoluteFool said:

They don't need to follow the General Data Protection Regulation.

For handling data about EU Citizen, yes they do.

1 hour ago, AbsoluteFool said:

The GDPR is a matter of interest.

No, it's a regulation that they need to follow and if they don't then LMG is liable and could be fined Up To 4% of annual global turnover or Up To 20 Million Euros.

1 hour ago, AbsoluteFool said:

If i as a citizen of EU demanded the GDPR to be in place i simply wouldn't use the service.

It's not something that is supposed to be demanded. They are legally required to be in compliance if they want to deal with European Citizens.

1 hour ago, AbsoluteFool said:

But if they used GDPR all information about me must be in a EU country.

Not necessarily.

1 hour ago, AbsoluteFool said:

The right to access is more for companies where you have an agreement for a service over time. Like your ISP that handles information in a different way and different form of information. In a forum there is no garante that the information you give is even correct. Comming forward as a shinning example here lol

It's still something that an EU Citizen is entitled to if a service they use collects user data.

[AlTech]

1 hour ago, captain_to_fire said:

Aka EU making the internet more annoying or else we’ll take 4% of your annual turnover thus hurting small businesses 

Actually it targets large business. It's not meant to seriously hurt small businesses. Hence why the percentage option comes first in the fine options.

[captain_to_fire]

21 minutes ago, AluminiumTech said:

It's not meant to seriously hurt small businesses.

Not quite.

https://www.marketplace.org/2018/05/17/tech/small-companies-doing-business-europe-may-not-be-worth-cost

https://medium.com/swlh/how-gdpr-affects-us-based-small-businesses-cc1ca37bfa12

 

The costs alone aren't worth it if you're a small startup. If I was running an online store, I'd have my site blocked in EU member states. 

[AlTech]

3 minutes ago, captain_to_fire said:

Not quite.

https://www.marketplace.org/2018/05/17/tech/small-companies-doing-business-europe-may-not-be-worth-cost

https://medium.com/swlh/how-gdpr-affects-us-based-small-businesses-cc1ca37bfa12

 

The costs alone aren't worth it if you're a small startup. If I was running an online store, I'd have my site blocked in EU member states. 

Not if you were located in Europe. And blocking a site from the EU because a site isn't compliant isn't what I'd consider a good excuse.

 

If a small startup wants to not get fined then the simple thing to do is update privacy policy and privacy practices and then everything's fine.

 

The GDPR doesn't ask that much of companies.

[AbsoluteFool]

39 minutes ago, AluminiumTech said:

For handling data about EU Citizen, yes they do.

No, it's a regulation that they need to follow and if they don't then LMG is liable and could be fined Up To 4% of annual global turnover or Up To 20 Million Euros.

It's not something that is supposed to be demanded. They are legally required to be in compliance if they want to deal with European Citizens.

Not necessarily.

It's still something that an EU Citizen is entitled to if a service they use collects user data.

You're not quite right here. The base of the GDPR is that people have the right to know what data is gathered and where the data about them is, what it's used for and so on. A small forums like LTT doesen't have to comply with GDPR as they are not really "targeting" any user market. Also they could simply stopped collecting information and they wouldn't need any privacy policy. as for forms, without anything special all servers have a log of IP addresses, that's how computers work. Unless you sit and track who's using what IP on the internet you don't need to be compliant with GDPR. So in the case LTT doesen't want to follow the GDPR they can simply oversee it. 1. Because they are not located in the EU as a business. 2. They are not really targeting EU customers. 3. They don't really sell anything and pårobably 90% of accounts in here doesen't contain personal information that can actually track a human being.

[AbsoluteFool]

If you are s,till in doubt i'd suggest you read the full document https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL

[AlTech]

Just now, AbsoluteFool said:

You're not quite right here. The base of the GDPR is that people have the right to know what data is gathered and where the data about them is, what it's used for and so on. A small forums like LTT doesen't have to comply with GDPR as they are not really "targeting" any user market.

They still do. And this thread isn't for debating the merits of GDPR. It's about complying with it fully so LMG doesn't have a huge lawsuit filed against them.

Just now, AbsoluteFool said:

Also they could simply stopped collecting information and they wouldn't need any privacy policy. as for forms, without anything special all servers have a log of IP addresses, that's how computers work. Unless you sit and track who's using what IP on the internet you don't need to be compliant with GDPR. So in the case LTT doesen't want to follow the GDPR they can simply oversee it. 1. Because they are not located in the EU as a business. 2. They are not really targeting EU customers. 3. They don't really sell anything and pårobably 90% of accounts in here doesen't contain personal information that can actually track a human being.

I don't think you understand the changes of GDPR. It doesn't matter who they target or don't. It's who uses the product. They could be located in Antarctica but if somebody from Spain or any EU country uses their website they need to comply with GDPR or face not insignificant fines.

[AbsoluteFool]

Just now, AluminiumTech said:

They still do. And this thread isn't for debating the merits of GDPR. It's about complying with it fully so LMG doesn't have a huge lawsuit filed against them.

I don't think you understand the changes of GDPR. It doesn't matter who they target or don't. It's who uses the product. They could be located in Antarctica but if somebody from Spain or any EU country uses their website they need to comply with GDPR or face not insignificant fines.

LTT doesen't need to comply with the GDPR so they will not be subject to a lawsuit. What you are saying is that if a site that target people in china get a EU customer they must rewrite their privacy. Which is completely wrong. All EU companies are requred to u comply with the GDPR. A business like LTT does not because they don't target customers in a country. You forget that people have the right to choose self what sites they sign up to. If the site doesen't comply with GDPR it doesen't mean that i can drag them to court. It simply means their privacy statements are different.

[AbsoluteFool]

3 minutes ago, AluminiumTech said:

They still do. And this thread isn't for debating the merits of GDPR. It's about complying with it fully so LMG doesn't have a huge lawsuit filed against them.

I don't think you understand the changes of GDPR. It doesn't matter who they target or don't. It's who uses the product. They could be located in Antarctica but if somebody from Spain or any EU country uses their website they need to comply with GDPR or face not insignificant fines.

A company like Google or facebook that is international companies (Registered international companies) MUST comply with the GDPR. Is LTT such company? There is your answer.

[AlTech]

Just now, AbsoluteFool said:

What you are saying is that if a site that target people in china get a EU customer they must rewrite their privacy.

Well yes basically.

Just now, AbsoluteFool said:

 All EU companies are requred to u comply with the GDPR.

And companies with EU citizens as customers.

Just now, AbsoluteFool said:

A business like LTT does not because they don't target customers in a country.

They don't need to target anybody.

Just now, AbsoluteFool said:

You forget that people have the right to choose self what sites they sign up to.

That's irrelevant.

Just now, AbsoluteFool said:

If the site doesen't comply with GDPR it doesen't mean that i can drag them to court.

It does.

 

At this point I'm just gonna wait for Mortis to read the thread, clean it and propose solutions to fixing the GDPR compliance.

 

If you don't believe LMG need GDPR compliance then maybe ask Mortis why he attempted GDPR compliance in the first place.

[AbsoluteFool]

1 minute ago, AluminiumTech said:

Well yes basically.

And companies with EU citizens as customers.

They don't need to target anybody.

That's irrelevant.

It does.

 

At this point I'm just gonna wait for Mortis to read the thread, clean it and propose solutions to fixing the GDPR compliance.

 

If you don't believe LMG need GDPR compliance then maybe ask Mortis why he attempted GDPR compliance in the first place.

Why Mortis attempted GDPR doesen't mean they must use it. Unless the company is registered as international it's actually something they can choose to use. because it makes it more attractive for users. There is many things in the GDPR that isn't very clear.

 

As for Asking Mortis i don't need to. Because i'm self required to comply with the GDPR as i have a company in Norway that follows EU laws.

[colonel_mortis]

Regardless of the legal liability, LMG broadly supports the goals of the GDPR, giving users more control over their personal data and keeping them informed about how their data is being used.

 

The privacy policy is a document that specifies how users' data will be processed and by whom. It doesn't contain a full listing of each right and how to enact it.

17 hours ago, AluminiumTech said:

These include:

• Data Portability
• Right To Access

Although not expressly specified in the privacy policy, these rights can be enacted by contacting a member of staff.

17 hours ago, AluminiumTech said:

• Breach Notifications

Although not expressly specified in the privacy policy, we will, as we have done in the past, notify all potentially affected users by email in the event that their

17 hours ago, AluminiumTech said:

And the current implementation of the Right To Be Forgotten seems highly impractical and does not feel like the "Privacy By Design" philosophy mandated by GDPR.

The current implementation of Right to Erasure is compliant with the GDPR [1]. Privacy by design is a guideline, not a legal requirement, and it would be impractical to reverse engineer privacy by design into software that was designed many years before the regulation was conceived.

17 hours ago, AluminiumTech said:

Not only that but the Privacy Policy fails to mention that data processed about EU Citizens is regulated under the EU GDPR and EU laws.

EU citizens' data is processed in Canada, in accordance with Canadian data protection regulations, though all users are also given the rights that are required by the GDPR. The GDPR does not require that the data of EU citizens is processed otherwise in accordance with the laws of the EU or its member states, and thus it would be false to say that your data is processed under EU law.

[AlTech]

5 hours ago, colonel_mortis said:

Regardless of the legal liability, LMG broadly supports the goals of the GDPR, giving users more control over their personal data and keeping them informed about how their data is being used.

 

The privacy policy is a document that specifies how users' data will be processed and by whom. It doesn't contain a full listing of each right and how to enact it.

Although not expressly specified in the privacy policy, these rights can be enacted by contacting a member of staff.

Could this be added to the privacy policy to explain that?

 

5 hours ago, colonel_mortis said:

Although not expressly specified in the privacy policy, we will, as we have done in the past, notify all potentially affected users by email in the event that their

Same here.

5 hours ago, colonel_mortis said:

Privacy by design is a guideline, not a legal requirement, and it would be impractical to reverse engineer privacy by design into software that was designed many years before the regulation was conceived.

 

Quote

Privacy by Design
Privacy by design as a concept has existed for years, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. More specifically, ‘The controller shall… implement appropriate technical and organisational measures… in an effective way… in order to meet the requirements of this Regulation and protect the rights of data subjects’. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing.

 

5 hours ago, colonel_mortis said:

EU citizens' data is processed in Canada, in accordance with Canadian data protection regulations, though all users are also given the rights that are required by the GDPR. The GDPR does not require that the data of EU citizens is processed otherwise in accordance with the laws of the EU or its member states, and thus it would be false to say that your data is processed under EU law.

 

Quote

Increased Territorial Scope (extraterritorial applicability)
Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. Previously, territorial applicability of the directive was ambiguous and referred to data process ‘in context of an establishment’. This topic has arisen in a number of high profile court cases. GDPR makes its applicability very clear – it applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens also have to appoint a representative in the EU.

 

[LogicalDrm]

7 hours ago, VegetableStu said:

are we going to the point where the Forum will have an alternate universe for EU users ._.

I also find it funny that only person to complain is from UK, country soon to be kicked out of EU.

[colonel_mortis]

On 11/25/2018 at 6:47 PM, AluminiumTech said:

 

Quote

Privacy by Design
Privacy by design as a concept has existed for years, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. More specifically, ‘The controller shall… implement appropriate technical and organisational measures… in an effective way… in order to meet the requirements of this Regulation and protect the rights of data subjects’. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing.

 

The full legal text for that section is [1]

Quote

The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.

Based on that text, there is nothing more that we need to do in that respect.

On 11/25/2018 at 6:47 PM, AluminiumTech said:

 

Quote

Increased Territorial Scope (extraterritorial applicability)
Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. Previously, territorial applicability of the directive was ambiguous and referred to data process ‘in context of an establishment’. This topic has arisen in a number of high profile court cases. GDPR makes its applicability very clear – it applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens also have to appoint a representative in the EU.

 

Data processing of European citizens is covered by the General Data Protection Regulation, but other European regulations, and laws in the respective states do not apply. Your use of the site is governed by Canadian Law ∪ GDPR, not by European Law or English Law (or the law of any other member states). That doesn't mean that you are allowed to break your local laws, just that the restrictions that they would place on Linus Media Group don't apply.

For example, in English Law, libel has a very broad definition, and Linus Media Group would be considered to be libellous by not taking down a link that somebody else posted to a website by a third person that is libellous; in Canadian Law that is not the case, and Canadian Law is the only one that applies to us in that case. If the user was in England/Wales, they would still be accountable under English Law though.

[horninc]

On 11/25/2018 at 2:35 PM, colonel_mortis said:

Regardless of the legal liability, LMG broadly supports the goals of the GDPR, giving users more control over their personal data and keeping them informed about how their data is being used.

 

The privacy policy is a document that specifies how users' data will be processed and by whom. It doesn't contain a full listing of each right and how to enact it.

Although not expressly specified in the privacy policy, these rights can be enacted by contacting a member of staff.

Although not expressly specified in the privacy policy, we will, as we have done in the past, notify all potentially affected users by email in the event that their

The current implementation of Right to Erasure is compliant with the GDPR [1]. Privacy by design is a guideline, not a legal requirement, and it would be impractical to reverse engineer privacy by design into software that was designed many years before the regulation was conceived.

EU citizens' data is processed in Canada, in accordance with Canadian data protection regulations, though all users are also given the rights that are required by the GDPR. The GDPR does not require that the data of EU citizens is processed otherwise in accordance with the laws of the EU or its member states, and thus it would be false to say that your data is processed under EU law.

A data protection officer here. There is a Commission Adequacy Decision regarding Canada's compliance with GDPR which refers to "the Canadian Personal Information Protection and Electronic Documents Act". The implication is that Canadian data protection laws and regulations offer "equal protection" to individual rights of the data subject (in terms of balancing between individual interest and public interest).

 

This, however, fully applies only to data transfers, and does not rule out the application of GDPR in general. As a result, the forum can legally transfer data between EU and Canada, and perform their data processing activities of EU citizen personal data in Canada. However, that does not exclude the possibility that any EU citizen can ask for his GDPR rights to be enforced referring to the EU legislation, and not the Canadian one. What is interesting, however, is that at a quick glance I noticed the same principles and also rights in the Canadian version, so I might be wrong, but I think the implementation guidelines should be quite similar. 

 

In terms of being user-friendly and privacy-centric the current Privacy Policy is taking big steps towards that, but it should not be "complied and now done" approach, but instead a process. 

 

For instance: 

 

a) Clarification on data retention periods and if applicable their legal basis

b) You further send data to the USA (IPS, Inc), where do they send it to?

c) Do you have data processing agreements with these companies? 

 

So, a really good start, but definitely not the finish line as far as compliance goes. 

 

[AlTech]

On 12/1/2018 at 5:16 PM, colonel_mortis said:

The full legal text for that section is [1]

Based on that text, there is nothing more that we need to do in that respect.

Data processing of European citizens is covered by the General Data Protection Regulation, but other European regulations, and laws in the respective states do not apply. Your use of the site is governed by Canadian Law ∪ GDPR, not by European Law or English Law (or the law of any other member states)

Okay but what about this?

Quote

The GDPR also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens also have to appoint a representative in the EU.

At the end of the day, the forum still processes data from EU Citizens regardless if it is transferred to Canada. Under GDPR, the data must still be treated as if it is from the EU and LMG, as they are a non-EU business, would need a company in the EU to represent them if they want to offer services to EU citizens.

 

And also on a completely different note, how do you plan to comply with the GDPR if a forum member is suspended or banned and wants to have all their data about them removed or anonymized?

[colonel_mortis]

1 hour ago, AluminiumTech said:

Okay but what about this?

At the end of the day, the forum still processes data from EU Citizens regardless if it is transferred to Canada. Under GDPR, the data must still be treated as if it is from the EU and LMG, as they are a non-EU business, would need a company in the EU to represent them if they want to offer services to EU citizens.

Yes, this is something that we are looking into.

1 hour ago, AluminiumTech said:

And also on a completely different note, how do you plan to comply with the GDPR if a forum member is suspended or banned and wants to have all their data about them removed or anonymized?

We are happy to discuss that on a case-by-case basis through the Contact Us form.