Started by An_dz, June 02, 2018, 02:57:03 AM
Quote from: Isaac.Eiland-Hall on June 02, 2018, 04:55:02 AM
Are we a Disorganization?
Quote from: IgorEliezer on June 02, 2018, 05:01:51 AM
Perhaps a Nopany?
Quote from: An_dz on June 02, 2018, 05:46:25 AM
There are propanies and conpanies.
Quote from: An_dz on June 02, 2018, 05:46:25 AM
Well, I like your company
Quote from: An_dz on June 02, 2018, 02:57:03 AM
The GDPR applies only to organisations and companies, we are neither.
Quote:
by a natural person in the course of a purely personal or household activity
Quote:
durch natürliche Personen zur Ausübung ausschließlich persönlicher oder familiärer Tätigkeiten
Quote:
by natural persons to perform exclusively personal or family activities
Quote:
durch eine natürliche Person im Rahmen einer rein persönlichen oder haushaltsmäßigen Tätigkeit
Quote:
This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
Quote (German version, translated):
This Regulation does not apply to the processing of personal data carried out by a natural person in the exercise of exclusively personal or family activities and thus without any connection to a professional or economic activity. Personal or family activities could also include keeping correspondence or address directories, or the use of social networks and online activities in the context of such activities. However, this Regulation applies to the controllers or processors who provide the instruments for the processing of personal data for such personal or family activities.
Quote from: jamespetts on June 02, 2018, 10:33:01 AM
It is not at all clear either from the definition or the recital whether an individual running a non-commercial, non-professional website for the pursuit of a personal hobby but which is accessible to the world at large falls within the definition of "personal or household". Arguably, it may well so fall: it is not commercial or professional, and the world at large may access data relating to "social networking and online activity undertaken within the context of such activities".
Quote from: Leartin on June 02, 2018, 01:05:02 PM
The question to ask in case of private websites is not whether it's a personal hobby, nor whether it's accessible to the world. The question is who it is aimed at. Similar to how it applies to those living in non-EU members who aim their offers at EU citizens (e.g. this forum, which not only claims to be international, but also provides subsections in Swedish and Czech, both only official languages in EU members - as opposed to Dutch and Italian, which is at least a second language somewhere else - and allows the user to pick EU members as their nationality), you'd need to ask if the private website is just for friends and family, or has offers aimed at strangers. E.g. if you make a website/forum for your gaming clan, the intended audience is people from that clan - friends you already know through other means - and not total strangers. On the other hand, if you make a fansite for the game as a whole, the intended audience would be everyone who plays the game, and unless the game itself has some kind of restriction to it (e.g. it's your game you made for friends), that means the site needs to comply with the GDPR. While this still leaves room for corner cases and debate about who the intended audience is, it's a lot clearer than asking whether it is a "hobby" or "commercial/professional", since those pretty much don't matter at all for GDPR. (E.g. to consider whether this website falls under GDPR, you don't need to question whether Simutrans is a hobby to Isaac, nor if he hosts because he is a professional host. Both are irrelevant. Is it aimed at a group of friends and family or total strangers? Yes it is. Since it's not hosted in the EU, is it targeted at EU members? As said before, yes it is. Technically, even the international Simutrans Forum would require all the GDPR ***star***.)
Quote from: Ters on June 03, 2018, 09:01:10 AM
I don't think a 1990s style online guest book counts as personal or household as it is usable (read and write access) by the entire (online) world. However, an old fashioned physical guest book might, as long as the guests are limited to friends and family. GDPR is as far as I understand not limited to data stored and processed electromagnetically. The exemptions are likely aimed at the kind of casual personal information collection taking place in everyday life. Such as your collection of names, phone numbers and maybe birth dates, whether on a piece of paper pinned to the wall next to the rotary phone in the hall, or stored in your personal cloud for use on your smartphone. Or the log of SMS messages received from various people.
Quote from: Frank
Sticking point is the IP. This is at least in Germany under the personal data. And since the IP is practically always transferred and stored, the GDPR also applies to everyone.
Quote from: jamespetts on June 03, 2018, 08:28:26 AM
May I ask what in the text of the GDPR itself supports that specific construction of "purely personal or household activity" (i.e., that a purely personal or household activity is one that is exclusively aimed at the person's personal friends and family)? That would seem to suggest that a 1990s style "personal home page" with a guest book would not be exempt, which does not seem entirely consistent with the wording of article 2(2) nor recital 18.
Quote from: jamespetts on June 03, 2018, 09:05:29 AM
Again, may I ask: where is this in the text?
Quote from: jamespetts on June 03, 2018, 09:05:29 AM
But what in the text supports this specific interpretation that "purely personal or household" is confined only to interactions with friends and family?
Quote:
An IP is data that can be used to identify a natural person
Quote:
the activity of running a hobby website for a non-commercial computer game can well be personal, but if you are aiming that website at strangers, you reach out of your personal bubble, so it's not personal anymore
Quote from: jamespetts on June 03, 2018, 12:12:56 PM
Whether something is "aimed at strangers" does not seem to be entirely consistent with the notion of a "purely personal activity" in article 2(2)(c) and expounded upon by recital 18 - one might have a purely personal activity aimed at strangers (as in posting photographs to one's Facebook account with the privacy set to public, for example, or posting photographs to Flickr, assuming in both cases that the photographs are just a personal hobby and not commercial). A good example of a purely personal activity aimed at strangers is online dating: although the companies running the websites are not exempt because their activity is commercial, those who use online dating websites clearly gather and process others' personal data in an activity that is very specifically aimed at strangers, yet it would be odd if that activity were one that is not "purely personal".
Quote from: Leartin on June 03, 2018, 09:48:33 AM
I found out that the best way to deal with personal information is to kill everyone, since dead people have no right to privacy. Still, it makes perfect sense to me, so I'm inclined to believe it.
Quote from: Ters on June 03, 2018, 12:46:52 PM
I think the vagueness is because technology is moving way faster than legislation.
Quote from: Leartin on June 03, 2018, 01:24:22 PM
Whether something is aimed at strangers is only relevant if you also collect their data, since you need to make sure such a data collection would comply with the GDPR, unless the GDPR does not apply. If you are on a dating website, you would trust the provider of that service to handle all the GDPR-things, show a form to every user, let them sign that they are okay with sharing their data etc. - in the end, the user only sees data they are allowed to see under the GDPR anyway, because the service provider needs to make sure that's the case. It's no different from looking for a number in a phone book, or even asking for a number in person.
Quote:
Same is true for sharing photos on Facebook: You are fine, since Facebook mostly deals with GDPR-related shenanigans. But once you create your own website and share the photos there, YOU are the one collecting information first hand (e.g. IP addresses, guestbook data, comments,...) - so now we must decide whether that data collection is "personal-household" or not. As you said, just because it's accessible by everyone does not mean it's not personal. Which criteria would you use to decide, if not the target audience (or in this case: What's on the photos, and who could be interested in them?).
Quote from: jamespetts on June 03, 2018, 06:10:53 PM
The whole thing is deeply authoritarian and really very, very sinister.
Quote from: jamespetts on June 03, 2018, 06:10:53 PM
That is not a good analogy, as the users would then be data processors rather than exempt, and they would be obliged to handle the data that they see in accordance with the Regulation (and the website providers would have to audit each and every one of their users to demonstrate compliance); but the users do not process data on behalf of the site - they process the data for their own use, and so would be data controllers unless exempt, and thus obliged to have detailed written policies and serve Article 14 notices on each and every person whose profile that they visit (unless they can demonstrate that this would involve "disproportionate effort").
Quote from: jamespetts on June 03, 2018, 06:10:53 PM
I would suggest that a sensible interpretation of an activity that is "purely personal or household" is one that is undertaken by a singular individual or a family/household that is not commercial/professional in character. That would be consistent with, e.g., clubs being required to comply with the Regulation but individuals' websites being not so required.
Quote from: Ters on June 03, 2018, 06:49:57 PM
Well, I consider those the law is against more sinister. Companies are collecting more information about people than Gestapo, Stasi or KGB ever did.
Quote from: Ters on June 03, 2018, 06:49:57 PM
GDPR also restricts what governments can do with personal information. (Although I guess they have some ability to make exceptions for themselves, especially if they play the national security card.)