
GDPR


Comments

  • Moderators, Arts Moderators Posts: 35,120 Mod ✭✭✭✭pickarooney


    Absolute pain in the hole. Being hammered with mails and calls from frantic customers for a month or two and it took until yesterday to finally get the bigwigs in the company to agree to have a meeting to decide what they might do for the 20,000 clients and those clients' 1,500,000 clients when the thing comes into effect tomorrow.


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    And the GDPR party has begun: https://noyb.eu/wp-content/uploads/2018/05/pa_forcedconsent_en.pdf

    Coordinated complaints for forced consent across 4 EU data regulators against Facebook and Google.


  • Registered Users Posts: 9,167 ✭✭✭Fr_Dougal


    Emails asking you to ‘opt out’ are not in line with GDPR, they should all be ‘opt in’.

    Mickey Mouse companies have the ‘opt out’ option.


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 75,381 Admin ✭✭✭✭✭Beasty


    Fr_Dougal wrote: »
    Emails asking you to ‘opt out’ are not in line with GDPR, they should all be ‘opt in’.

    Mickey Mouse companies have the ‘opt out’ option.

    Does it not depend on whether you have already "opted in" in a GDPR compliant manner?

    I suspect a lot are trying to hide behind this, possibly on the basis they have seen so many others only allowing the opt-out option (which was already, to some extent at least, there with unsubscribe links - now they have to delete as well as stopping sending marketing material though)


  • Registered Users Posts: 17,300 ✭✭✭✭razorblunt


    It's really annoying, so many companies have gotten the basic concept wrong. I've heard of one company who listed all their contacts in the TO field, I received another that had GPDR in the subject line and then went on to reference GDRP, twice, in the email itself.

    Not to mention the companies saying "do nothing to ensure you keep receiving the mails" or "update your preferences to unsubscribe". Is the general concept that a non-reply by tonight means they drop me off their mail lists completely?


  • Registered Users Posts: 9,167 ✭✭✭Fr_Dougal


    Beasty wrote: »
    Does it not depend on whether you have already "opted in" in a GDPR compliant manner?

    I suspect a lot are trying to hide behind this, possibly on the basis they have seen so many others only allowing the opt-out option (which was already, to some extent at least, there with unsubscribe links - now they have to delete as well as stopping sending marketing material though)

    No, they have to restate what they do with your information, and you have to give explicit consent.

    I had one recruitment company spam the bejaysus out of me telling me that *I* needed to be GDPR compliant and needed to update my preferences. This company was formed in 2016, and I haven’t been job hunting in a long time.

    They’d obviously bought some marketing lists or data off another company and were trying to cover their own asses. An email to them telling them that I would be making a complaint on the 25th sorted them out, eventually.

    I would advise people to be careful with these GDPR emails, there are instances of email addresses/websites being spoofed and malware being unwittingly downloaded.


  • Registered Users Posts: 2,454 ✭✭✭RoboRat


    Fr_Dougal wrote: »
    Emails asking you to ‘opt out’ are not in line with GDPR, they should all be ‘opt in’.

    Mickey Mouse companies have the ‘opt out’ option.

    Not true, if you have been contacted within 12 months and the option to opt out/ unsubscribe was on the communication, then it's considered a 'soft' opt in as long as the communication is related to products/ services that you originally purchased/ enquired/ signed up to.

    Anything moving forward has to be 'hard' opt in as in you actually consent to be marketed to and should a company get audited, they will need to prove this during the audit. Companies will also have to furnish a document should they be audited that details why they are contacting and the purpose/ benefit for both parties. Same applies for CCTV, there has to be clear signage and reasoning and covert surveillance is a massive no no (exceptions being the Guards).

    Litigation for data breach will be the new injury claim and I can see quite a few companies being nailed for scams pertaining to an employee's non-compliance with a clean desk policy.

    Also, any of the major companies who get hacked could end up bankrupt... imagine the details of 500,000 people being hacked - that's potentially 500,000 claims if they are found to be at fault.


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    Beasty wrote: »
    Does it not depend on whether you have already "opted in" in a GDPR compliant manner?

    Not sure I fully get you. If you mean that if someone already provided consent in a GDPR compliant manner 2 years ago that consent is still valid today, yes that is definitely correct.

    But then in that situation there was no need to send any email to ask for consent again.

    So there is no situation whereby it makes sense to have sent opt-out emails in the past few days really: either the organisation already has explicit consent and no further email was required, or they only had implicit consent and an opt-out email won’t have changed anything for them (that consent is not valid anymore as of today).


  • Registered Users Posts: 17,300 ✭✭✭✭razorblunt


    Bob24 wrote: »
    And the GDPR party has begun: https://noyb.eu/wp-content/uploads/2018/05/pa_forcedconsent_en.pdf

    Coordinated complaints for forced consent across 4 EU data regulators against Facebook and Google.

    "Headquater"

    Is that, like, a hole in the head?


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    RoboRat wrote: »
    Not true, if you have been contacted within 12 months and the option to opt out/ unsubscribe was on the communication, then it's considered a 'soft' opt in as long as the communication is related to products/ services that you originally purchased/ enquired/ signed up to.

    There are 2 situations:
    - either the emails / data processing is part of the core product/service you purchased or subscribed to, and then no consent is required whatsoever (being opt-in or opt-out)
    - or it is not part of that core service/product and then previous implicit (opt-out) consent is not valid anymore regardless of when it was obtained, and new explicit (opt-in) consent is required

    So sending opt-out based emails in the past few days didn’t really make sense from a GDPR perspective.


  • Registered Users Posts: 2,454 ✭✭✭RoboRat


    Bob24 wrote: »
    Not sure I fully get you. If you mean that if someone already provided consent in a GDPR compliant manner 2 years ago that consent is still valid today, yes that is definitely correct.

    But then in that situation there was no need to send any email to ask for consent again.

    So there is no situation whereby it makes sense to have sent opt-out emails in the past few days really: either the organisation already has explicit consent and no further email was required, or they only had implicit consent and an opt-out email won’t have changed anything for them (that consent is not valid anymore as of today).

    Depends if they contacted you within 12 months. If they didn't, then they needed to seek it again. Each communication extends that term if you are offered the opt-out and don't take it.

    In regards to implicit consent (soft opt in), it is still valid as long as the option to opt out has always been there and you have been contacted within 12 months, and the communication is applicable to you and their reasoning for storing your data in the first place... ie, if a company has your details pertaining to an interaction about windows, they can't contact you about cars.


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    RoboRat wrote: »
    Depends if they contacted you within 12 months. If they didn't, then they needed to seek it again. Each communication extends that term if you are offered the opt-out and don't take it.

    In regards to implicit consent (soft opt in), it is still valid as long as the option to opt out has always been there and you have been contacted within 12 months, and the communication is applicable to you and their reasoning for storing your data in the first place... ie, if a company has your details pertaining to an interaction about windows, they can't contact you about cars.

    There is absolutely no situation whereby opt-out based consent (regardless of when it was obtained) is valid under GDPR.

    https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/does-consent-given-25-may-2018-continue-be-valid-once-gdpr-starts-apply-25-may-2018_en

    (and see recital 171 for the exact legal wording)


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    Bob24 wrote: »
    This is only correct if consent to be on that list was obtained based on GDPR principles - and there is no more notion of implicit consent with GDPR (so if an organisation had implicit consent from you to be on a mailing list, that consent definitely won’t be valid anymore starting tomorrow regardless of when it was obtained)

    This is clearly laid out in recital 171 of GDPR, and explained here in plain English with examples on the EC’s website: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/does-consent-given-25-may-2018-continue-be-valid-once-gdpr-starts-apply-25-may-2018_en

    That's not actually true. GDPR allows processing for the legitimate interest of the business. The ePrivacy Directive then covers this and explicitly does allow implicit (i.e. opt out) communications once you have had business dealings. The primary area you see this is if a retailer gets your details via you buying something online. They are then absolutely legally allowed to send you further marketing mails, even post GDPR, as long as they provide the opt out option.

    Fr_Dougal wrote: »
    Emails asking you to ‘opt out’ are not in line with GDPR, they should all be ‘opt in’.

    Mickey Mouse companies have the ‘opt out’ option.

    As above, this is completely legal as long as you have had actual business or transactions with them before. If you didn't though, they do have to remove you as they don't have any legal basis to contact you.


  • Registered Users Posts: 2,702 ✭✭✭BrookieD


    Squatter wrote: »
    Ditto and ditto!

    It's a right pain in the arse to implement though! I do some work for a voluntary group and the amount of new red tape that it has brought about for our tiny community organisation is completely insane. The EU's "one size fits all" approach is complete nonsense.

    I disagree but I do hear you - I am working on same for a non-profit and the work load is insane.


  • Registered Users Posts: 2,454 ✭✭✭RoboRat


    Bob24 wrote: »
    There are 2 situations:
    - either the emails / data processing is part of the core product/service you purchased or subscribed to, and then no consent is required whatsoever (being opt-in or opt-out)
    - or it is not part of that core service/product and then previous implicit (opt-out) consent is not valid anymore regardless of when it was obtained, and new explicit (opt-in) consent is required

    So sending opt-out based emails in the past few days didn’t really make sense from a GDPR perspective.

    There is a third situation whereby the data was collected for say using a company's wi-fi or entering a competition or in most cases, they are unsure of where they originally got the data but it wasn't purchased... somewhere along the line the data was obtained by the company for some interaction and they have been using the data and not lapsing.

    In this scenario best practice would be to send out a communication outlining your privacy policy and asking the customer if they would like to opt-out.


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    Blowfish wrote: »
    That's not actually true. GDPR allows processing for the legitimate interest of the business. The ePrivacy directive then covers this and explicitly does allow implicit (i.e. opt out) communications. The primary area you see this is if a retailer gets your details via you buying something online. They are then absolutely legally allowed to send you further marketing mails, even post GDPR, as long as they provide the opt out option.

    Of course consent (being opt-in or opt-out) is not required for the process of delivering the core service/product you purchased.

    But sending marketing emails is absolutely not covered by this (unless the very service you subscribed to is an advertisement mailing list).


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    Blowfish wrote: »
    That's not actually true. GDPR allows processing for the legitimate interest of the business. The ePrivacy Directive then covers this and explicitly does allow implicit (i.e. opt out) communications once you have had business dealings. The primary area you see this is if a retailer gets your details via you buying something online. They are then absolutely legally allowed to send you further marketing mails, even post GDPR, as long as they provide the opt out option.

    This is not what I’m reading in the GDPR. They obviously don’t need your consent to send email updates about the status of your order or related to customer service as this is part of the core service you purchase from them.

    But marketing emails are not.

    What exact points of GDPR are you relying on to say they are?


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    Bob24 wrote: »
    Of course consent (being opt-in or opt-out) is not required for the process of delivering the core service/product you purchased.

    But sending marketing emails is absolutely not covered by this (unless the very service you subscribed to is an advertisement mailing list).

    Again, the ePrivacy directive does allow this. Here's the exact wording (bolding mine):

    (41) Within the context of an existing customer relationship, it is reasonable to allow the use of electronic contact details for the offering of similar products or services, but only by the same company that has obtained the electronic contact details in accordance with Directive 95/46/EC. When electronic contact details are obtained, the customer should be informed about their further use for direct marketing in a clear and distinct manner, and be given the opportunity to refuse such usage. This opportunity should continue to be offered with each subsequent direct marketing message, free of charge, except for any costs for the transmission of this refusal.

    In other words, further marketing mails for similar stuff is explicitly allowed, with opt out. For the GDPR, this would be considered as processing under legitimate interest, hence not requiring explicit opt in consent.


  • Registered Users Posts: 2,454 ✭✭✭RoboRat


    Marketing via legitimate interest is allowed under GDPR and as I have detailed above, as long as there has always been an opt-out available and your communications are in relation with how you originally got the data.

    You will need a document outlining why the communication took place with the reasoning and the benefits to both the individual and the company. This will only be dealt with on a case by case basis so it's not a loophole, it's there to cover gray areas.


  • Moderators, Science, Health & Environment Moderators, Sports Moderators Posts: 24,070 Mod ✭✭✭✭robinph


    Ficheall wrote: »
    It's a pain in the fecking arse for anyone running a club etc.

    It's a pain in the arse because of all the confusion about what needs to be done and scaring lots of voluntary run clubs into doing things they don't need to do, like delete their membership lists or something equally daft. If you've joined a club of some sort and provided them with your contact details then there isn't any need to be getting opt-in/ opt-out messages now. The fact that you joined the club should be sufficient consent that the club then sends you emails about what they are doing.

    They probably need to look at who has access to the membership lists and update privacy policies, but no need to be asking for consent for anything as the members are clients of the club and there is an ongoing need for the club to communicate with their members. Your opt out is to leave the club.


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    Blowfish wrote: »
    Again, the ePrivacy directive does allow this. Here's the exact wording (bolding mine):

    In other words, further marketing mails for similar stuff is explicitly allowed, with opt out. For the GDPR, this would be considered as processing under legitimate interest, hence not requiring explicit opt in consent.

    Interesting, I was not aware of this.

    I guess there is a grey area around what “similar products and services” means though.

    If I buy a TV from Amazon and they subsequently send me a marketing email to offer me a frying pan, does it match the definition?


  • Moderators, Science, Health & Environment Moderators, Sports Moderators Posts: 24,070 Mod ✭✭✭✭robinph


    Bob24 wrote: »
    Interesting, I was not aware of this.

    I guess there is a grey area around what “similar products and services” means though.

    If I buy a TV from Amazon and they subsequently send me a marketing email to offer me a frying pan, does it match the definition?

    That would be OK as Amazon is a shop for everything primarily, and not a TV shop.

    If you were to buy a TV from Currys and they then sent you email marketing for buying a holiday it wouldn't be a similar service though.


  • Registered Users Posts: 4,468 ✭✭✭CruelCoin


    40 personal, around 150+ professional.

    I filled in the forms the first 3 times, then have been just auto-deleting.

    I wonder how much the EU nanny state has wiped out in trade in this way?


  • Registered Users Posts: 10,905 ✭✭✭✭Bob24


    robinph wrote: »
    That would be OK as Amazon is a shop for everything primarily, and not a TV shop.

    If you were to buy a TV from Currys and they then sent you email marketing for buying a holiday it wouldn't be a similar service though.

    Your Currys example is a clear cut yes. But I don’t know if it is that clear the other way for Amazon. Because of the fact that Amazon offers a lot of products doesn’t mean that all the products they offer are “similar”.

    There has to be a limit to what is considered “similar”, and that limit can’t be the simple fact that the product is being sold by the same company.


  • Closed Accounts Posts: 482 ✭✭badtoro


    Lots, they should do this once or twice a year. The amount of rubbish emails I've unsubscribed from is unreal. I know I could have done that any time, but this was a bit of an opportunity to just do it.


  • Posts: 17,381 [Deleted User]


    Just received an email for an inactive boards account. 6 years. I'm sure I'm receiving a couple others in unused emails.

    Seems like boards is on the ball.


  • Closed Accounts Posts: 26,658 ✭✭✭✭OldMrBrennan83


    This post has been deleted.


  • Registered Users Posts: 2,239 ✭✭✭Jimbob1977


    I got a GDPR from Supermacs.

    These companies must tear their hair out with the bureaucracy.


  • Administrators, Social & Fun Moderators, Sports Moderators Posts: 75,381 Admin ✭✭✭✭✭Beasty


    You might want to check out the current thread in Feedback, particularly from this post (posted earlier this evening) on:
    To clarify a few questions asked since Sean's announcement yesterday:

    Soft-deleted posts
    Yes deleted posts will be included in the files a user receives on foot of a GDPR data access request

    IPs on anonymous posts
    There is an IP address associated with anon posts as with any other post on the site, this will not change. We don't hold/collect/ask for any other information on anonymous posters.

    Quoted posts
    We're still finalising what legally needs to be done with these and how we will accomplish it, so please bear with us on that particular question.

    To clear this up, only Boards staff will process an official data request. If you ask a mod to delete a post it will be soft-deleted in the same way as before.


  • Closed Accounts Posts: 2,471 ✭✭✭EdgeCase


    robinph wrote: »
    It's a pain in the arse because of all the confusion about what needs to be done and scaring lots of voluntary run clubs into doing things they don't need to do, like delete their membership lists or something equally daft. If you've joined a club of some sort and provided them with your contact details then there isn't any need to be getting opt-in/ opt-out messages now. The fact that you joined the club should be sufficient consent that the club then sends you emails about what they are doing.

    They probably need to look at who has access to the membership lists and update privacy policies, but no need to be asking for consent for anything as the members are clients of the club and there is an ongoing need for the club to communicate with their members. Your opt out is to leave the club.

    Yeah, I've seen that already at two clubs!
    They deleted the membership database and in one case also shredded the entire physical database too.

