GDPR

ardinn

So how many E-mails have you recieved?

Ive had about 40

It's so nice to ignore them and finally be free of the savage amount of sh1te I signed up for

Mr. CooL ICE

Q: What's a pirate's favourite monetary measure of the market value of all final goods and services produced in a period of time?

A: GDP Aaaaaarrgh.

Squatter

ardinn wrote: »

So how many E-mails have you recieved?

Ive had about 40

It's so nice to ignore them and finally be free of the savage amount of sh1te I signed up for

Ditto and ditto!

It's a right pain in the arse to implement though! I do some work for a voluntary group and the amount of new red tape that it has brought about for our tiny community organisation is completely insane. The EU's "one size fits all" approach is complete nonsense.

Bob24

ardinn wrote: »

So how many E-mails have you recieved?

Ive had about 40

It's so nice to ignore them and finally be free of the savage amount of sh1te I signed up for

40-50 if you are talking all GDPR related emails, but maybe more like 15-20 if you only talking about the one asking for conscent (of which only one lead to me providing conscent).

Mint Sauce

Before I had even heard of GDPR last week, had actually unsubscribed to several. This week I have still received the same anount of crap, due to the constant reminders from the companies I had not unsubscibed from.



After friday, my in box is going to feel quite empty.

Ficheall

It's a pain in the fecking arse for anyone running a club etc.





Though I did like Deliveroo's free delivery incentive to encourage people to re-sign up for their emails. Fair play..

Bob24

Squatter wrote: »

It's a right pain in the arse to implement though! I do some work for a voluntary group and the amount of new red tape that it has brought about for our tiny community organisation is completely insane. The EU's "one size fits all" approach is complete nonsense.

I get your point, but having said that I find small organsations have been amongst the most likely to start sending me newsletters without me asking for it (just send an email to ask about something else or register for an event and you end up on a mailing list without anyone asking you if you’re interested). Not saying it is the case of all of them of course.

Grayson

I don't mind all the mails telling me I won't get any more mails. I'm looking forward to being auto removed from mailing lists.

Ubbquittious

I even got a physical letter in the actual postbox in real life about this bloody giddapoor

_Kaiser_

Grayson wrote: »

I don't mind all the mails telling me I won't get any more mails. I'm looking forward to being auto removed from mailing lists.

A lot of them don't seem to be though - more a "unless you say otherwise we'll keep you on the list but here's our updated terms"

Bob24

_Kaiser_ wrote: »

A lot of them don't seem to be though - more a "unless you say otherwise we'll keep you on the list but here's our updated terms"

Implicit consent is not acceptable with GDPR. You need explicit consent.

Lucifer

Bob24 wrote: »

Implicit consent is not acceptable with GDPR. You need explicit consent.

That only applies to new contact after the start date. If you are on an active list before that they don't have to remove you. Only going forward does the new rules apply

https://touch.boards.ie/thread/2057874872/1/

Bob24

Lucifer wrote: »

That only applies to new contact after the start date. If you are on an active list before that they don't have to remove you. Only going forward does the new rules apply

https://touch.boards.ie/thread/2057874872/1/

If your consent was obtained implicitly to be on a mailing list before GDPR, that consent will become invalid starting from tomorrow.

So there is absolutely no point in seeking implicit content today as per the emails the poster said they have received.

EdgeCase

I'd a company ini the US decline to sell me stuff due to the GDPR as they were unable to comply. They just said they're no longer serving customers in the EU.

Lucifer

I'm quoting another poster from the other thread


I double checked my interpretation of things this morning by calling the Data Protection office and what I was told is as follows:

1) If users are engaging with a company or business online and are already on a user list, existing consent is implied so the existing users/customers re-consent is not needed.

2) Positive consent is needed for all new users / customers from tomorrow.

Note: Pre-selected consent check boxes won't be acceptable. In most cases check boxes are being used, so just ensure they're not pre-filled.

3) Businesses that are requesting re-consent from their existing email/user lists are doing so as a matter of good practice, but they are not obliged to do so.

4) A business must ensure they have a data retention policy documented and available for existing and potential customers.

What if a business has an old unused email list?
If a business has built up an email list but for whatever reason has never used it, this falls into a grey area. However, they can mitigate the effects of the incoming rules by sending an email to their list today explaining their GDPR and data retention policy etc. This email will be looked upon as the business engaging with their email lists. If following this email users do not request removal then continuing consent will be implied, as per item 1 above. Of course retention policies must be acted upon!

I am not a legal expert so you can verify details of my post by contacting the Data Protection Commission on +353 (0)761 104 800

Bob24

Lucifer wrote: »

1) If users are engaging with a company or business online and are already on a user list, existing consent is implied so the existing users/customers re-consent is not needed.

This is only correct if consent to be on that list was obtained based on GDPR principles - and there is no more notion of implicit consent with GDPR (so if an organisation had implicit consent from you to be on a mailing list, that consent definitely won’t be valid anymore starting tomorrow regardless of when it was obtained)

This is clearly laid-out in recital 171 of GDPR, and explained here in plain English with exemples on the EC’s website: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/does-consent-given-25-may-2018-continue-be-valid-once-gdpr-starts-apply-25-may-2018_en

P_1

Having to arrange this in work is a massive pain in the hoop

hatrickpatrick

Homebrew West emailed yesterday offering discounts to anyone who opted in to their newsletter, happy days indeed

What I'm wondering is, why have we not had any emails yet from Nigerian Princes? Are they intending to simply forgo EU citizens as prospective lucky randomers to split their fortunes with, in order to avoid extra red tape? I for one would find this highly offensive. Down with the EU! :mad:

RacoonQueen

Annoying some emails have an opt in, some are opt out, some are do nothing and you'll be opted out. So you still kinda need to read them all. Annoying when you get GDPR emails from something you've already opted back in to though.

Your Face

Its handy - an easy way to unsubscribe from places Ive forgotten about.

Alun

Squatter wrote: »

It's a right pain in the arse to implement though! I do some work for a voluntary group and the amount of new red tape that it has brought about for our tiny community organisation is completely insane. The EU's "one size fits all" approach is complete nonsense.

I agree, I'm in the same boat. It's difficult enough for us to find people to serve on the committee as it is, without having to find someone to deal with this kind of stuff.

Beasty

For me this whole thing has brought about a mass of e-mails linking to complex disclosures that few people will ever read in their totality. It does beg a question as to whether this is ultimately achieving much in the way of additional protection. Those already selling off your details to dodgy marketing companies may well continue, and given the scale of the digital world/economy trying to get your head around exactly what you are consenting to is a complete PITA

Add to that examples already mentioned of non-EU based businesses no longer wanting to deal with people based in the EU, it makes you wonder if they are throwing the baby out with the bathwater here

SeaFields

Boards hasn't emailed me ...



/Puts on tinfoil hat

Beasty

SeaFields wrote: »

Boards hasn't emailed me ...



/Puts on tinfoil hat

Check the announcement

hatrickpatrick

RacoonQueen wrote: »

Annoying some emails have an opt in, some are opt out, some are do nothing and you'll be opted out. So you still kinda need to read them all. Annoying when you get GDPR emails from something you've already opted back in to though.

Agreed. The system which was brought in for premium text scams after the outcry over kids unknowingly getting charged €2 a week for daily "free" ringtones etc would be far better - by law, the word "STOP" indicates an opt out, end of story, for every mobile service.

Danny Donut

Yes, I'm pee'd off with all these companys that I supposedly signed up for - in return for being alowed to buy their stuff!


Though at the mo I'm really staggered by Morgan Freeman - I mean ffs

To anyone assuming you can ignore the mails and it'll be an auto clear out, they're not all opt in. A number of them are using the old 'if you don't do anything we'll assume you have opted in'.

Princess Consuela Bananahammock

bluewolf wrote: »

To anyone assuming you can ignore the mails and it'll be an auto clear out, they're not all opt in. A number of them are using the old 'if you don't do anything we'll assume you have opted in'.

They';; still be redirected to the spam box.

wellwhynot

Is the deadline from midnight tonight or midnight tomorrow night?

What about clients who have an ongoing relationship with for many years but they did not respond to your opt in again email. Do we have to remove them? Can we not contact them unless they contact us first?

LirW

I see that from a bit of a different perspective, I was originally trained and worked in a Film related field. Filmmakers and photographers face some really fun times, prepare to read about some ridiculous lawsuits in the near future.

c.p.w.g.w

EdgeCase wrote: »

I'd a company ini the US decline to sell me stuff due to the GDPR as they were unable to comply. They just said they're no longer serving customers in the EU.

Wow must be selling a lot of customer information

pickarooney

Absolute pain in the hole. Being hammered with mails and calls from frantic customers for a month or two and it took until yesterday to finally get the bigwigs in the company to agree to have a meeting to decide what they might do for the 20,000 clients and those clients' 1,500,000 clients when the thing comes into effect tomorrow.

Bob24

And the GDPR party has begun: https://noyb.eu/wp-content/uploads/2018/05/pa_forcedconsent_en.pdf

Coordinated complaints for forced consent across 4 EU data regulators against Facebook and Google.

Fr_Dougal

Emails asking you to ‘opt out’ are not inline with GDPR, they should all be ‘opt in’.

Mickey Mouse companies have the ‘opt out’ option.

Beasty

Fr_Dougal wrote: »

Emails asking you to ‘opt out’ are not inline with GDPR, they should all be ‘opt in’.

Mickey Mouse companies have the ‘opt out’ option.

Does it not depend on whether you have already "opted in" in a GDPR compliant manner?

I suspect a lot are trying to hide behind this, possibly on the basis they have seen so many others only allowing the opt-out option (which was already, to some extent at least, there with unsubscribe links - now they have to delete as well as stopping sending marketing material though)

razorblunt

It's really annoying, so many companies have gotten the basic concept wrong. I've heard of one company who listed all their contacts in the TO field, I received another that had GPDR in the subject line and then went on to reference GDRP, twice, in the email itself.

Not to mention the companies saying "do nothing to ensure you keep receiving the mails" or "update your preferences to unsubscribe". Is the general concept that a non reply by tonight means they drop me off their mail lists completely?

Fr_Dougal

Beasty wrote: »

Does it not depend on whether you have already "opted in" in a GDPR compliant manner?

I suspect a lot are trying to hide behind this, possibly on the basis they have seen so many others only allowing the opt-out option (which was already, to some extent at least, there with unsubscribe links - now they have to delete as well as stopping sending marketing material though)

No, they have to restate what they do with your information, and you have to give explicit consent.

I had one recruitment company spam the bejaysus out of me telling me that *I* needed to be GDPR compliant and needed to update my preferences. This company was formed in 2016, and I haven’t been job hunting in a long time.

They’d obviously bought some marketing lists or data off another company and were trying to cover their own asses. An email to them telling them that I would be making a complaint on the 25th sorted them out, eventually.

I would advise people to be careful with these GDPR emails, there are instances of email addresses/websites being spoofed and malware being unwittingly downloaded.

RoboRat

Fr_Dougal wrote: »

Emails asking you to ‘opt out’ are not inline with GDPR, they should all be ‘opt in’.

Mickey Mouse companies have the ‘opt out’ option.

Not true, if you have been contacted within 12 months and the option to opt out/ unsubscribe was on the communication, then it's considered a 'soft' opt in as long as the communication is related to products/ services that you originally purchased/ enquired/ signed up to.

Anything moving forward has to be 'hard' opt in as in you actually consent to be marketed to and should a company get audited, they will need to prove this during the audit. Companies will also have to furnish a document should they be audited that details why they are contacting and the purpose/ benefit for both parties. Same applies for CCTV, there has to be clear signage and reasoning and covert surveillance is a massive no no (exceptions being the Guards).

Litigation for data breach will be the new injury claim and I can see quite a few companies being nailed for scams pertaining to an employees non compliance to a clean desk policy.

Also, any of the major companies who get hacked could end up bankrupt... imagine the details of 500,000 people being hacked - that's potentially 500,000 claims if they are found to be at fault.

Bob24

Beasty wrote: »

Does it not depend on whether you have already "opted in" in a GDPR compliant manner?

No sure I fully get you. If you mean that if someone already provided consent in a GDPR compliant manner 2 years ago that consent is still valid today, yes that is definitely correct.

But then in that situation there was no need to send any email to ask for consent again.

So there is no situation whereby it makes sense to have sent a opt-out emails in the past few days really: either the organisation already has explicit consent and no further email was required, or they only had implicit consent and and opt-out email won’t have changed anything for them (that consent is not valid anymore as of today).

razorblunt

Bob24 wrote: »

And the GDPR party has begun: https://noyb.eu/wp-content/uploads/2018/05/pa_forcedconsent_en.pdf

Coordinated complaints for forced consent across 4 EU data regulators against Facebook and Google.

"Headquater"

Is that, like, a hole in the head?

Bob24

RoboRat wrote: »

Not true, if you have been contacted within 12 months and the option to opt out/ unsubscribe was on the communication, then it's considered a 'soft' opt in as long as the communication is related to products/ services that you originally purchased/ enquired/ signed up to.

There are 2 situations:
- either the emails / data processing is part of the core product/service you purchased or subscribed to, and then no consent is required whatsoever (being opt-in or opt-out)
- or it is not part of that core service/product and then previous implicit (opt-out) consent is not valid anymore regardless of when it was obtained, and new explicit (opt-in) consent is required

So sending opt-out based emails in the past few days didn’t really make sense from a GDPR perspective.

RoboRat

Bob24 wrote: »

No sure I fully get you. If you mean that if someone already provided consent in a GDPR compliant manner 2 years ago that consent is still valid today, yes that is definitely correct.

But then in that situation there was no need to send any email to ask for consent again.

So there is no situation whereby it makes sense to have sent a opt-out emails in the past few days really: either the organisation already has explicit consent and no further email was required, or they only had implicit consent and and opt-out email won’t have changed anything for them (that consent is not valid anymore as of today).

Depends if they contacted you within 12 months. If they didn't, then they needed to seek it again. Each communication extends that term if you are offered the opt-out and don't take it.

In regards to implicit consent (soft opt in), it is still valid as long as the option to opt out has always been there and you have been contacted within 12 months, and the communication is applicable to you and their reasoning for storing your data in the first place... ie, if a company has your details pertaining to an interaction about windows, they can't contact you about cars.

Bob24

RoboRat wrote: »

Depends if they contacted you within 12 months. If they didn't, then they needed to seek it again. Each communication extends that term if you are offered the opt-out and don't take it.

In regards to implicit consent (soft opt in), it is still valid as long as the option to opt out has always been there and you have been contacted within 12 months, and the communication is applicable to you and their reasoning for storing your data in the first place... ie, if a company has your details pertaining to an interaction about windows, they can't contact you about cars.

There is absolutely no situation whereby opt-out based consent (regardless of when it was obtained) is valid under GDPR.

https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/does-consent-given-25-may-2018-continue-be-valid-once-gdpr-starts-apply-25-may-2018_en

(and see recital 171 for the exact legal wording)

Blowfish

Bob24 wrote: »

This is only correct if consent to be on that list was obtained based on GDPR principles - and there is no more notion of implicit consent with GDPR (so if an organisation had implicit consent from you to be on a mailing list, that consent definitely won’t be valid anymore starting tomorrow regardless of when it was obtained)

This is clearly laid-out in recital 171 of GDPR, and explained here in plain English with exemples on the EC’s website: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/does-consent-given-25-may-2018-continue-be-valid-once-gdpr-starts-apply-25-may-2018_en

That's not actually true. GDPR allows processing for the legitimate interest of the business. The ePrivacy Directive then covers this and explicitly does allow implicit (i.e. opt out) communications once you have had business dealings. The primary area you see this is if a retailer gets your details via you buying something online. They are then absolutely legally allowed to send you further marketing mails, even post GDPR, as long as they provide the opt out option.

Fr_Dougal wrote: »

Emails asking you to ‘opt out’ are not inline with GDPR, they should all be ‘opt in’.

Mickey Mouse companies have the ‘opt out’ option.

As above, this is completely legal as long as you have had actual business or transactions with them before. If you didn't though, they do have to remove you as they don't have no legal basis to contact you.

BrookieD

Squatter wrote: »

Ditto and ditto!

It's a right pain in the arse to implement though! I do some work for a voluntary group and the amount of new red tape that it has brought about for our tiny community organisation is completely insane. The EU's "one size fits all" approach is complete nonsense.

I disagree but i do hear you - I am working on same for a non-profit and the work load is insane.

RoboRat

Bob24 wrote: »

There are 2 situations:
- either the emails / data processing is part of the core product/service you purchased or subscribed to, and then no consent is required whatsoever (being opt-in or opt-out)
- or it is not part of that core service/product and then previous implicit (opt-out) consent is not valid anymore regardless of when it was obtained, and new explicit (opt-in) consent is required

So sending opt-out based emails in the past few days didn’t really make sense from a GDPR perspective.

There is a third situation whereby the data was collected for say using a companies wi-fi or entering a competition or in most cases, they are unsure if where they originally got the data but it wasn't purchased... somewhere along the line the data was obtained by the company for some interaction and they have been using the data and not lapsing.

In this scenario best practice would be to send out a communication outlining your privacy policy and asking the customer if they would like to opt-out.

Bob24

Blowfish wrote: »

That's not actually true. GDPR allows processing for the legitimate interest of the business. The ePrivacy directive then covers this and explicitly does allow implicit (i.e. opt out) communications. The primary area you see this is if a retailer gets your details via you buying something online. They are then absolutely legally allowed to send you further marketing mails, even post GDPR, as long as they provide the opt out option.

Of course consent (being opt-in or opt-out) is not required for the process to delivering the core service/product you purchased.

But sending marketing emails is absolutely not covered by this (unless the very service you subscribed to is an advertisement mailing list).

Bob24

Blowfish wrote: »

That's not actually true. GDPR allows processing for the legitimate interest of the business. The ePrivacy Directive then covers this and explicitly does allow implicit (i.e. opt out) communications once you have had business dealings. The primary area you see this is if a retailer gets your details via you buying something online. They are then absolutely legally allowed to send you further marketing mails, even post GDPR, as long as they provide the opt out option.

This is not what I’m reading in the GDPR. They obviously don’t need your consent to send email updates about the status of your order or related to customer service as this is part of the core service your purchases from them.

But marketing emails are not.

What exact points of GDPR are you relying on to say they are?

Blowfish

Bob24 wrote: »

Of course consent (being opt-in or opt-out) is not required for the process to delivering the core service/product you purchased.

But sending marketing emails is absolutely not covered by this (unless the very service you subscribed to is an advertisement mailing list).

Again, the ePrivacy directive does allow this. Here's the exact wording (bolding mine):

(41) Within the context of an existing customer relationship, it is reasonable to allow the use of electronic contact details for the offering of similar products or services, but only by the same company that has obtained the electronic contact details in accordance with Directive 95/46/EC. When electronic contact details are obtained, the customer should be informed about their further use for direct marketing in a clear and distinct manner, and be given the opportunity to refuse such usage. This opportunity should continue to be offered with each subsequent direct marketing message, free of charge, except for any costs for the transmission of this refusal.

In other words, further marketing mails for similar stuff is explicitly allowed, with opt out. For the GDPR, this would be considered as processing under legitimate interest, hence not requiring explicit opt in consent.

RoboRat

Marketing via legitimate interest is allowed under GDPR and as I have detailed above, as long as there has always been an opt-out available and your communications are in relation with how you originally got the data.

You will need a document outlining why the communication took place with the reasoning and the benefits to both the individual and the company. This will only be dealt with on a case by case basis so it's not a loophole, it's there to cover gray areas.

robinph

Ficheall wrote: »

It's a pain in the fecking arse for anyone running a club etc.

Its a pain in the arse because of all the confusion about what needs to be done and scaring lots of voluntary run clubs into doing things they don't need to do, like delete their membership lists or something equally daft. If you've joined a club of some sort and provided them with your contact details then there isn't any need to be getting opt-in/ opt-out messages now. The fact that you joined the club should be sufficient consent that the club then sends you emails about what they are doing.

They probably need to look at who has access to the membership lists and update privacy policies, but no need to be asking for consent for anything as the members are clients of the club and there is an ongoing need for the club to communicate with their members. Your opt out is to leave the club.