Back to the Grind-r. Long thread / deep dive on the @Datatilsynet opinion and why it is important for scope of consent, sensitive information, manifestly made public and more 1/20
Consent as the legal basis for targeted ads: As a rule, any extensive disclosure to third parties of personal data for advertising purposes should be based on the data subject’s consent, as the other legal bases in Article 6(1) would not seem fit or adequate in this context 2/20
The fact that few complaints have been filed by data subjects doesn't mean a low level of damage suffered. Few people have the initiative to sue and many don't understand the complex processing enough to sue 3/20
You are responsible for controlling your data sharing. If you are only transmitting an opt-out signal and have to rely on the actions of others to halt sharing you are in breach of your duties under Art 5(2), 24, 25. 4/20
The controller's financial situation and the fact that they profited from the infringement (e.g. due to advertising) are aggravating factors. 5/20
Freely given:
Where there are several processing operations: if the data subject cannot identify and opt in to the processing purposes for which the data subject wishes to give his or her consent, and refuse consent to other processing purposes - there is no free choice. 6/20
Where there are several processing operations: if the data subject cannot identify and opt in to the processing purposes for which the data subject wishes to give his or her consent, and refuse consent to other processing purposes - there is no free choice. 6/20
A 'take it or leave it' situation for the individual is not compliant.
Accepting a privacy policy in its entirety is not compliant.
Sharing personal data with advertising partners is a different processing operation than processing that is necessary for providing the app. 7/20
Accepting a privacy policy in its entirety is not compliant.
Sharing personal data with advertising partners is a different processing operation than processing that is necessary for providing the app. 7/20
Provision of behavioral advertisement is not an essential or objectively necessary part of the service 8/20
If consent is required it is not sufficient to provide an opt-out after the fact.
It's not a real opt out if it does not completely prevent the sharing but rather only alerts parties downstream that an opt out has been selected. 9/20
It's not a real opt out if it does not completely prevent the sharing but rather only alerts parties downstream that an opt out has been selected. 9/20
If you are presenting a paid no-tracking alternative: (1) the alternative service needs to be genuinely equivalent; (2) you must present it as an alternative and not just something with additional features; (3) you must present the option in time (before asking for consent) 10/20
The consent request for a specific processing purpose must not only be separate from accepting terms of use, but must also be separate from indications of wishes concerning other data processing purposes 11/20
Information that is relevant for the particular consent request should be highlighted in the request and not solely appear amongst all other information in a long privacy policy 12/20
If the controller does not provide accessible information, user control becomes illusory and consent will be invalid. 13/20
It is not clear to a data subject that pressing “Accept” to the phrase “I accept the Privacy Policy” entails consenting sharing data with advertising partners for behavioral advertisements. 14/20
You don't have to require disclosure of the data subject’s particular sexual orientation in order to fall under the Art 9 requirement of "concerning sex life or sexual orientation". 15/20
It is not necessary to demonstrate that a specific processing has led or is likely to actual harm or damage in order to fall within the scope of Article 9(1). 16/20
spreading personal data and specifically special category data can put a data subject’s fundamental rights and freedoms at risk, such as the right to privacy and non-discrimination. This does not only apply in the digital world, but also in the physical world. 17/20
The sharing of personal data concerning a natural person’s “sexual orientation” to advertising partners is sufficient to trigger Article 9, irrespective of how the data is further processed by the data controllers the data was disclosed to 18/20
t must be obvious that the data subject has meant to make the information in question available to the public; Requires an affirmative act that data subject realized that this would be the result
Including information in a privacy policy is not sufficient 19/20
Including information in a privacy policy is not sufficient 19/20
The processing of a data subject’s location information can be a highly intrusive act, depending on the circumstances. Combined with special categories or not, GPS location could put certain individuals at risk for different reasons. 20/20
• • •
Missing some Tweet in this thread? You can try to
force a refresh
