Back to the Grind-r. Long thread / deep dive on the @Datatilsynet opinion and why it is important for scope of consent, sensitive information, manifestly made public and more 1/20
Consent as the legal basis for targeted ads: As a rule, any extensive disclosure to third parties of personal data for advertising purposes should be based on the data subject’s consent, as the other legal bases in Article 6(1) would not seem fit or adequate in this context 2/20
The fact that few complaints have been filed by data subjects doesn't mean a low level of damage suffered. Few people have the initiative to sue and many don't understand the complex processing enough to sue 3/20
You are responsible for controlling your data sharing. If you are only transmitting an opt-out signal and have to rely on the actions of others to halt sharing you are in breach of your duties under Art 5(2), 24, 25. 4/20
The controller's financial situation and the fact that they profited from the infringement (e.g. due to advertising) are aggravating factors. 5/20
Freely given:
Where there are several processing operations: if the data subject cannot identify and opt in to the processing purposes for which the data subject wishes to give his or her consent, and refuse consent to other processing purposes - there is no free choice. 6/20
A 'take it or leave it' situation for the individual is not compliant.
Accepting a privacy policy in its entirety is not compliant.
Sharing personal data with advertising partners is a different processing operation than processing that is necessary for providing the app. 7/20
Provision of behavioral advertisement is not an essential or objectively necessary part of the service 8/20
If consent is required it is not sufficient to provide an opt-out after the fact.
It's not a real opt out if it does not completely prevent the sharing but rather only alerts parties downstream that an opt out has been selected. 9/20
If you are presenting a paid no-tracking alternative: (1) the alternative service needs to be genuinely equivalent; (2) you must present it as an alternative and not just something with additional features; (3) you must present the option in time (before asking for consent) 10/20
The consent request for a specific processing purpose must not only be separate from accepting terms of use, but must also be separate from indications of wishes concerning other data processing purposes 11/20
Information that is relevant for the particular consent request should be highlighted in the request and not solely appear amongst all other information in a long privacy policy 12/20
If the controller does not provide accessible information, user control becomes illusory and consent will be invalid. 13/20
It is not clear to a data subject that pressing “Accept” to the phrase “I accept the Privacy Policy” entails consenting to sharing data with advertising partners for behavioral advertisements. 14/20
You don't have to require disclosure of the data subject’s particular sexual orientation in order to fall under the Art 9 requirement of "concerning sex life or sexual orientation". 15/20
It is not necessary to demonstrate that a specific processing has led or is likely to lead to actual harm or damage in order to fall within the scope of Article 9(1). 16/20
Spreading personal data and specifically special category data can put a data subject’s fundamental rights and freedoms at risk, such as the right to privacy and non-discrimination. This does not only apply in the digital world, but also in the physical world. 17/20
The sharing of personal data concerning a natural person’s “sexual orientation” to advertising partners is sufficient to trigger Article 9, irrespective of how the data is further processed by the data controllers the data was disclosed to 18/20
It must be obvious that the data subject has meant to make the information in question available to the public; Requires an affirmative act that the data subject realized that this would be the result
Including information in a privacy policy is not sufficient 19/20
The processing of a data subject’s location information can be a highly intrusive act, depending on the circumstances. Combined with special categories or not, GPS location could put certain individuals at risk for different reasons. 20/20
- Vehicle manufacturers have to observe GDPR when collecting and processing data. The customer's consent to the use of their data (e.g. on-board systems such as car apps) should always be obtained when purchasing. 2/5
GDPR is a good foundation for ensuring data protection for data collected, processed and stored by modern vehicles. The legal requirements on "privacy by design" and "privacy by default" are important cornerstones to take into account when developing products. 3/5
Storage and access includes: access to hardware device identifiers, advertising identification numbers, telephone numbers, SIM card serial numbers (IMSI), contacts, call lists, Bluetooth beacons or SMS communication, MAC addresses and browser fingerprinting. 2/11
You can get consent to store and access information and consent for further processing under GDPR 6(1)(a) at the same time if: you inform the users of all purposes (including of the subsequent processing), and it is clear to the user that several consents are given at once 3/11
I can feel something inside me say
I really don't think (your legitimate interest) is strong enough now
- says @Datatilsynet to Shinigami Eyes browser extension. (Thread while you hum the Cher song in your head) 1/6
The data subjects’ interests, rights and freedoms precede Shinigami Eyes’ interest in providing their marking-application 2/6
The individuals had no knowledge of the processing and no way to expect that their messages or behavior on certain social media pages will be processed on the extension or communicated to all who download it 3/6