- From: Simon Steyskal <simon.steyskal@wu.ac.at>
- Date: Wed, 07 Nov 2018 07:25:12 +0100
- To: Rigo Wenning <rigo@w3.org>
- Cc: public-dpvcg@w3.org, Eva Schlehahn <uld67@datenschutzzentrum.de>
Thx for the insights Rigo! On a related note and as an example of what you just highlighted: I just stumbled over following company [1] (located in Finland) that requires one to "consent to receive direct marketing" after getting verified via SMS/call when creating a trial account (which is required in order to be allowed to download a trial version of one of their products) [2]. Upon registration they state that consent can be revoked at any time, however, in their "Privacy Policy" [3] they state the following: 14 RIGHT TO OBJECT PROCESSING The person has the right to object, on grounds relating to his/her particular situation, to the processing of Personal Data which is based on either of the following legal basis for processing: (i) when processing has been found necessary for the purposes of the legitimate interests of Solibri or (ii) when processing has been found necessary in order to protect the person's vital interests. The person however does not have the right to object, if Solibri demonstrates compelling legitimate grounds for the processing which override person's interests or fundamental rights and freedoms. 15 RIGHT TO RESTRICTION OF PROCESSING 15.1 ‘Restriction of processing’ means the marking of stored Personal Data with the aim of limiting its use in the future. 15.2 If the person requests, Solibri must restrict processing in the following situations: (a) the accuracy of the Personal Data is contested by the person, for a period enabling Solibri to verify the accuracy of the Personal Data; (b) the processing is unlawful and the person opposes the erasure of the Personal Data and requests the restriction of its use instead; (c) Solibri no longer needs the Personal Data for the purposes of the processing, but it is required by the person for the establishment, exercise or defence of legal claims; or (d) the person has objected to processing, but verification whether the legitimate grounds of Solibri override those of the person is still ongoing. 16 RIGHT TO BE FORGOTTEN 16.1 The person has the right to have his/her Personal Data erased at his/her request if one of the following grounds applies: (a) the Personal Data is no longer necessary for the purposes for which it was collected or otherwise processed; (b) the person withdraws consent on which the processing is based and where there is no other legal ground for the processing; (c) the person objects to the processing in accordance with Section 14; (d) the Personal Data has been processed unlawfully; or (e) the Personal Data has to be erased for compliance with a legal obligation in Union or Member State law to which Solibri is subject. 16.2 However, Solibri does not have to erase the data based on above grounds to the extent Solibri still needs to process the data: (a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation which requires processing by law to which Solibri is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (c) for reasons of public interest in the area of public health in accordance with legal requirements; (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with legal requirements; or (e) for the establishment, exercise or defence of legal claims. --- Especially 14.i, 15.2cd, 16.1c, and 16.2 are in my opinion (as a computer scientist but legal layman) highly problematic. In my understanding, the company basically allows one to revoke consent only, if their "legitimate grounds" for processing personal data do not override those of the person to whom said personal data belongs to?! br, simon [1] https://www.solibri.com [2] https://solution.solibri.com/ [3] https://solibri.com/privacy/privacy-policy.pdf [4] https://solibri.com/privacy/customer-data-processing-annex.pdf --- DDipl.-Ing. Simon Steyskal Institute for Information Business, WU Vienna www: http://www.steyskal.info/ twitter: @simonsteys Am 2018-11-06 18:46, schrieb Rigo Wenning: > On Monday, October 22, 2018 9:49:28 AM CET Simon Steyskal wrote: >> Just out of curiosity, can a EU Member State also >remove< certain >> conditions using national laws? Or similarly, explicitly allow >> the justification of 'legitimate interest' with the help of >> national laws? > > Yes, especially Art. 85 GDPR enables Member states to allow certain > types of data processing in the name of freedom of expression. > Public law also allows things via Art. 6 (1)e. This has been > recognised e.g. for the German Kunsturhebergesetz (KUG) that manages > the right to one's image. > > For legitimate interest, I will refer to Eva. The media industry > believes they can just continue all the tracking under "legitimate > interest". I don't believe so and listening to Koen Lenaerts from > the ECJ, I have even more doubts. A national court will have to > submit such questions to the ECJ as they have to interpret Union > Law. And the ECJ will create a somewhat unified interpretation for > the EU. > > --Rigo
Received on Wednesday, 7 November 2018 06:25:40 UTC