• #28
As if LFGSS is processing EU citizen PII it’ll need to do it in the EU, or somewhere that can get/has data equivalency with the EU.
-
• #29
Non-LFGSS GDPR question.
I've received an email from Sigma Sports saying here's our new privacy policy, you accept this by shopping with us and we'll carry on sending you emails.
Now I've never signed up to their mailing list other than what I suspect was a pre-ticked tick box at their checkout at some point. By my understanding this no longer constitutes consent for them to email me and I should have been asked again for consent or removed from their mailing list.
I have unsubscribed but are they breaking the law by just continuing to email all their auto signed up mailing list?
-
• #31
Yeah but it's still one ground and since they didn't receive my consent in a way which meets the new rules, they should reapply for it with me, no?
An automatically ticked box doesn't count as consent and I wouldn't have ticked to receive marketing. They also must store information on how they received my consent so I suppose I could ask them.
-
• #32
Pffft just unsubscribe.
-
• #33
I did that already. I was just wondering if they were being stupid or I was.
-
• #34
Here’s a bit of sanity after a week’s inbox insanity. Tin hat brigade, this is for you. https://www.bbc.co.uk/news/amp/technology-44240664?__twitter_impression=true
-
• #35
Where are the servers upon which LFGSS runs physically based?
London
-
• #36
Received my first GDPR request for a forumenger this morning.
I'll repeat my earlier statements: I have deleted everything that is not visible via the public API including all Google Analytics, server logs, HTTP logs from the load balancer, orphaned content in the database, etc.
The link in the first comment in this conversation to search for your content is what you need to use to see everything I hold about you... you only have to change the user ID to your user ID in the URL of your profile page to see all of your data including private messages, etc.
There is nothing else I hold. Everything else has been deleted.
-
• #37
From an active or inactive member? Genuine request or attempt at shit-stirring or time wasting?
-
• #38
Inactive member wanting data from pre-migration to microcosm. Genuine request, it seems.
-
• #39
Very clean work on this, it seems to me.
-
• #40
Do you feel relief from this approach? Hopefully it’s the best choice for you
-
• #41
They're being stupid, they need explicit consent.
-
• #42
"Do you have the email address of a GDPR expert?"
"Yes I do"
"Can I have it?"
"No"
-
• #43
Yes.
I'm still not totally sure of what my obligations are, or the legal ramifications from failing to fulfil them, or the requirements of a data officer WRT GDPR.
So... just holding no data whatsoever outside of that which you can access via the public website and API... that's an excellent position to be in.
The only possible thing I can anticipate that might be problematic in future is if someone requests data, but does not have any way to prove that they have the right to it. As in... we purely identify based on email address and have no other means at all, and if you have lost access to an email address but wish to make a data request then there is no way that I could ever fulfil that as you'd need to prove you were the individual who owns the email address for me to release data to you... and you wouldn't be able to produce such proof that could convince me if you didn't still have access to the email address (as just saying "but the email is my name" is not a strong assertion that you once had ownership of the email).
-
• #44
I'm pretty sure I read in one of the many ICO documents that an email address can be considered personal data if it has an individual's name in it.
All in all the GDPR is hopelessly vague, the ICO guidelines were still unfinished last time I checked them last week. It's impossible to know how to apply them without professional help really. You just have to do the best you can and try to make sure if you ever get pulled up on something that you can show good intent.
-
• #45
It's not whether it's considered personal data, but whether you could use your identity to assert ownership of the email address.
i.e. if you go and create an email address that is david.kitchen.6577@gmail.com and I turn around and say "but my identity documents show that is my name and I declare that I own that email address"... then you will rightly read this as rubbish, because you have that email.
Therein is the problem: if someone is on the forum with john.smith@theirworkplace.com as the identity of their account and the only way I have to know that they own and have right to the data... and they lose access to that email address. How can they prove that they really did own that email? Remember that the penalties for giving out data or leaking it are severe and yet I know of no penalty for refusing such a request on the grounds that you cannot convincingly prove that you really are the entity that controls an email.
-
• #46
Yes I see. Well, ideally you are acting in a future-proofed calm manner to kneejerk legislation. Fingers crossed.
-
• #47
I understand that, I meant that you might have an issue storing emails as they could be considered personal data.
-
• #48
No issue storing emails.
They are required for the system to operate, are required for fraud and spam detection, are required for transaction updates, and I do not store real identity or other data points that would make them more sensitive than they are already.
So long as I take storage of data seriously, ensure it is secure, that backups are secure, and that they are not trivially leaked, etc... then everything required of me is fulfilled.
GDPR does not prohibit storing of data, it merely regulates access and dictates a minimum baseline for how to treat that data and make it available to the entity that owns the data.
-
• #49
Do you also have an obligation to let all users whose data you do have, i.e. their email addresses, know what data you have stored about them and how it’s used? I don’t think a post in this thread saying you’ve deleted it is sufficient if so.
Do you need to create some kind of privacy policy which states clearly the data which you hold (email addresses), why it’s used (log in and spam detection etc) and that it isn’t shared with any third party?
-
• #50
The link to the privacy policy is in the footer of each page served.
(It looks like it needs updating.)
Where are the servers upon which LFGSS runs physically based? i.e. eu-west-3/whatever.