
GDPR, Data Protection, and misconceptions thereon

Status
Not open for further replies.

Haywain

Veteran Member
Joined
3 Feb 2013
Messages
20,182
Split from this thread.

Companies selling on this information also becomes a massive problem.
A UK company (indeed an EU company) cannot sell on such information without your permission. I would suggest that as you have strong concerns about data protection you should familiarise yourself with GDPR.
 

ForTheLoveOf

Established Member
Joined
7 Oct 2017
Messages
6,416
A UK company (indeed an EU company) cannot sell on such information without your permission. I would suggest that as you have strong concerns about data protection you should familiarise yourself with GDPR.
Indeed, which would tell you that permission (i.e. consent) is just one of six possible legal bases for processing. It's far easier to avoid giving the information in the first place, than to try and control its distribution once it has been given. However, I don't think there is much of a risk from a TOC's revenue protection operations.
 

Haywain

Veteran Member
Joined
3 Feb 2013
Messages
20,182
Indeed, which would tell you that permission (i.e. consent) is just one of six possible legal bases for processing. It's far easier to avoid giving the information in the first place, than to try and control its distribution once it has been given. However, I don't think there is much of a risk from a TOC's revenue protection operations.
I don't personally know all the details of GDPR, but I do know that your details can no longer be sold on by any company on a whim without any sort of consultation or prior approval. That's the crucial bit in this case.
 

ConcernedTok

Member
Joined
22 Dec 2018
Messages
39
I work for a digital company and can attest to the fact that companies in general don't have a good grasp on GDPR just yet. The intentions are good, but in practice are often poor.

In terms of my situation, I didn't understand at the time who I was giving my information to (or what they need it for). Someone writing this down is also a bit of a red flag as opposed to it being digital - what happens to the hard copy, how do they dispose of it etc. There are many ways then that, again not understanding how this information was being used, I was concerned about what it was being used for, with the potential to sell data still an issue.

I know now what and why through reading online and on these boards, but not at the time.
 

MikeWh

Established Member
Associate Staff
Senior Fares Advisor
Joined
15 Jun 2010
Messages
8,065
Location
Crayford
I think the objection is more to the use of an unexplained acronym. GDPR = General Data Protection Regulation
How far do we have to go? Should it be "British Broadcasting Corporation (BBC)"?
 

Mag_seven

Forum Staff
Staff Member
Global Moderator
Joined
1 Sep 2014
Messages
10,898
Location
here to eternity
I think the objection is more to the use of an unexplained acronym. GDPR = General Data Protection Regulation

Correct

How far do we have to go? Should it be "British Broadcasting Corporation (BBC)"?

Sorry Mike but with respect it's the first time I've ever heard of the acronym GDPR. It being relatively recent and not therefore being in everyday use yet does not make it comparable with the BBC acronym which has been about for years.
 

MikeWh

Established Member
Associate Staff
Senior Fares Advisor
Joined
15 Jun 2010
Messages
8,065
Location
Crayford
Sorry Mike but with respect it's the first time I've ever heard of the acronym GDPR. It being relatively recent and not therefore being in everyday use yet does not make it comparable with the BBC acronym which has been about for years.
Well I must admit to being slightly envious. I, along with everyone else I know, was bombarded with emails from every internet company I'd ever had even a fleeting interaction with in the run up to last May 25th imploring me to agree to continue receiving communications thanks to the new GDPR regulations. I'm pretty sure RailUK must have said "something" on the matter, though I can't recall exactly what.
 

Mag_seven

Forum Staff
Staff Member
Global Moderator
Joined
1 Sep 2014
Messages
10,898
Location
here to eternity
Well I must admit to being slightly envious. I, along with everyone else I know, was bombarded with emails from every internet company I'd ever had even a fleeting interaction with in the run up to last May 25th imploring me to agree to continue receiving communications thanks to the new GDPR regulations. I'm pretty sure RailUK must have said "something" on the matter, though I can't recall exactly what.

I do apologise for my ignorance as I've obviously not been paying attention. I'll write out 1000 times what GDPR stands for. :)
 

kristiang85

Established Member
Joined
23 Jan 2018
Messages
2,711
Given the stiff penalties for not complying with GDPR, anybody who works in an organisation dealing with any kind of personal data management should have been informed about this - certainly bring it up if you feel it's been overlooked in your workplace.
 

ConcernedTok

Member
Joined
22 Dec 2018
Messages
39
Given the stiff penalties for not complying with GDPR, anybody who works in an organisation dealing with any kind of personal data management should have been informed about this - certainly bring it up if you feel it's been overlooked in your workplace.

Going a bit off topic so don't want to go too far down this path, but just to say that we work closely with all of our clients to ensure that they adhere to GDPR rules and requirements.
 

gray1404

Established Member
Joined
3 Mar 2014
Messages
7,121
Location
Merseyside
As far as the law isn’t concerned you must give an address (suitable for summons). Concerns around data protection etc are irrelevant.

Failure to give a (suitable) address leaves one liable to arrest. If a police officer thinks you are liable to disappear for whatever reason, again, he may arrest you to present you before a court. Indeed, I’m a police officer, and have arrested people for silly-minor offences for this very reason. Usually, they realise that it’s a serious matter when the handcuffs go on and suddenly remember their address. I can then deal with the issue by way of a fixed penalty notice or summons/postal charge.

Am I right in saying that if I gave my details to the police then the police cannot pass on those details to other parties. E.g. if you had a dispute with say a civil enforcement officer or a RPI and refused to give your details, if the police arrived and obtained your details then the police cannot pass those details on with your permission as it would be against the Data Protection Act?
 

island

Veteran Member
Joined
30 Dec 2010
Messages
17,404
Location
0036
Hived off from https://www.railforums.co.uk/threads/prosecution-from-southern-trains.175448/page-3#post-3812266

Am I right in saying that if I gave my details to the police then the police cannot pass on those details to other parties. E.g. if you had a dispute with say a civil enforcement officer or a RPI and refused to give your details, if the police arrived and obtained your details then the police cannot pass those details on with your permission as it would be against the Data Protection Act?

That is not correct.

The GDPR requires that a data controller who is processing personal data (which would include giving it to other parties) must have one of six lawful bases for processing; these are:

  1. The data subject has consented
  2. The processing is required for the execution of a contract to which the data subject is a party
  3. The processing is in the legitimate interests of the data controller or a third party, unless there is a good reason to protect the personal data
  4. The processing is required to protect someone’s life or vital interests
  5. The processing is necessary to comply with the law
  6. The processing is in the public interest or part of an official function

Consent is therefore not required to process personal data, merely one of six possible bases.

In the case mentioned, the police could use option 3 (legitimate interests of the TOC) or 6 (performing their official function).
 

Elwyn

Member
Joined
5 May 2014
Messages
490
Location
Co. Antrim, Ireland
I know from personal experience that the police routinely pass on information to other law enforcement agencies and appropriate organisations. For example, they may deal with someone who has committed an offence like shoplifting or drink driving who has difficulty in establishing their identity. It sometimes emerges that the person is in the country illegally. So the immigration authorities would be notified. Children, vulnerable adults and other categories of people needing assistance may find their details passed to social services. And so on. It has to be for crime prevention or some other sanctioned reason to do with protecting the public. But it doesn’t need consent provided there is a lawful basis for doing it.
 

221129

Established Member
Joined
21 Mar 2011
Messages
6,517
Location
Sunny Scotland
Am I right in saying that if I gave my details to the police then the police cannot pass on those details to other parties. E.g. if you had a dispute with say a civil enforcement officer or a RPI and refused to give your details, if the police arrived and obtained your details then the police cannot pass those details on with your permission as it would be against the Data Protection Act?
No, you're nowhere near right in saying that...
 

Bensonby

Member
Joined
1 Apr 2018
Messages
251
Am I right in saying that if I gave my details to the police then the police cannot pass on those details to other parties. E.g. if you had a dispute with say a civil enforcement officer or a RPI and refused to give your details, if the police arrived and obtained your details then the police cannot pass those details on with your permission as it would be against the Data Protection Act?

No, there are exemptions to the data protection act for crime detection purposes and for the purposes of litigation (amongst other exemptions).
 

Surreytraveller

On Moderation
Joined
21 Oct 2009
Messages
2,810
No, there are exemptions to the data protection act for crime detection purposes and for the purposes of litigation (amongst other exemptions).
There are not exemptions per se - but the GDPR / DPA (Data Protection Act) 2018 allow organisations to process personal data for any number of legal bases or obligations. As long as they tell you they're doing it, what they're doing, and how they're processing it (in my opinion most failures of GDPR are where organisations don't tell you what they're doing with your data), they don't necessarily need consent.
 

Surreytraveller

On Moderation
Joined
21 Oct 2009
Messages
2,810
I do apologise for my ignorance as I've obviously not been paying attention. I'll write out 1000 times what GDPR stands for. :)
You must have been unconscious for the last 18 months to have not heard of GDPR! Any organisation you have contact with would have communicated to you about it.
 

hooverboy

On Moderation
Joined
12 Oct 2017
Messages
1,373
I don't personally know all the details of GDPR, but I do know that your details can no longer be sold on by any company on a whim without any sort of consultation or prior approval. That's the crucial bit in this case.
well, most of the banners you e-sign to read newspapers etc are STILL non GDPR compliant.

the new legislation states that:
1) the wording of such forms MUST NOT give the impression of implied consent - so phrases like "got it, continue, OK" etc are not acceptable. This includes the use of large "accept" and small "manage options" hyperlinks or tabs,
2) the option to de-activate, and parameters you wish to decline must be shown in a clear and concise manner. It should also include an "opt-out all" link. Most companies do not do this and expect you to opt out of individual cookies/sites. They are hoping that the long laborious process will wear you out and you'll just click "accept" anyway. Which is not acceptable.
 

DarloRich

Veteran Member
Joined
12 Oct 2010
Messages
31,175
Location
Fenny Stratford
Sorry Mike but with respect it's the first time I've ever heard of the acronym GDPR. It being relatively recent and not therefore being in everyday use yet does not make it comparable with the BBC acronym which has been about for years.

you must be living under a rock! GDPR = General Data Protection Regulation

I honestly don't know how you could have missed it. You must, like me, have had loads of communication about it from seemingly every company you have ever dealt with. Also do you not work? I am surprised that your employer, considering the large potential penalties for breach, has not briefed you on it!

the new legislation states that:
1) the wording of such forms MUST NOT give the impression of implied consent - so phrases like "got it, continue, OK" etc are not acceptable. This includes the use of large "accept" and small "manage options" hyperlinks or tabs,
2) the option to de-activate, and parameters you wish to decline must be shown in a clear and concise manner. It should also include an "opt-out all" link. Most companies do not do this and expect you to opt out of individual cookies/sites. They are hoping that the long laborious process will wear you out and you'll just click "accept" anyway. Which is not acceptable.

best lodge a complaint then! Personally, I am more worried about how my data is stored and secured than how and where they collect it. That such data will be collected is unavoidable in the modern world. How they look after it is most important.
 

sprunt

Established Member
Joined
22 Jul 2017
Messages
1,387
best lodge a complaint then!

In theory, but one could spend forever and a day complaining about all the pre-ticked approval boxes and the "tick the box not to receive lots of spam" messages that are still out there.
 

sprunt

Established Member
Joined
22 Jul 2017
Messages
1,387
Example that I found shortly after posting the above:

Capture.PNG

It's not as if it's just small operations - this is totally inexcusable for a company the size of Expedia
 

underbank

Established Member
Joined
26 Jan 2013
Messages
1,486
Location
North West England
In theory, but one could spend forever and a day complaining about all the pre-ticked approval boxes and the "tick the box not to receive lots of spam" messages that are still out there.

Yep, our local Labour party set up an online petition re parking proposals, but the only way to sign it was by ticking a box online agreeing to be added to their mailing list. Despite many people pointing out that it was in contravention of GDPR, they refused to change it.
 

hooverboy

On Moderation
Joined
12 Oct 2017
Messages
1,373
In theory, but one could spend forever and a day complaining about all the pre-ticked approval boxes and the "tick the box not to receive lots of spam" messages that are still out there.
that's why they are not supposed to be pre-ticked.

FWIW I do support the concept behind GDPR.
it is not the job of a private company to be surveilling citizens for whatever reasons. In my view they should be subject to exactly the same laws as a private citizen would if they were found to be putting bugs or listening devices into the equipment of another individual.

it's illegal and can carry a prison sentence.

even the state does not have that right unless the case is presented to a judge for reasonable suspicion of an offence being committed, and a judge then issues a warrant to permit the gathering of data with a view to a prosecution.

Technically a lot of councils are falling foul of this law as well, because there have been cases of them using such tactics against "bin crime", which is a civil matter, not a criminal one.
 

Basher

Member
Joined
6 Oct 2017
Messages
340
I'm getting where I do not give my true details to some web sites, or companies. Screwfix always ask me for my name etc. My usual response is Morrison's and Tesco do not ask me, why should you. Have you noticed how some web sites do not give you the option of not having cookies on your PC, so if you wish to enter the site you have to accept them? I vote with my feet and do not enter.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
104,569
Location
"Marston Vale mafia"
Have you noticed how some web sites do not give you the option of not having cookies on your PC, so if you wish to enter the site you have to accept them

It's a bit difficult to offer "account" type functionality without cookies. This forum, for instance, would not work without them. Cookies have been unfairly demonised due to one specific (mis)use for them, they are essential for the working of all but the simplest text-based static website.

To put another side on that, why, if a site is funded by advertising, should you be admitted to it without taking the advertising? That said, I do like the typical Android/iOS app approach to this - you can have the advertising or you can pay for an advertising free version. As a strong supporter of the BBC licence fee for the same reason, if I find an app useful I pay for there to be no advertising.
 

sprunt

Established Member
Joined
22 Jul 2017
Messages
1,387
To put another side on that, why, if a site is funded by advertising, should you be admitted to it without taking the advertising?

Because the advertising is often, without telling you (or even telling the owners of the sites on which it appears) doing more than just showing you pictures of products and services to enhance your lifestyle - I don't really trust any online adverts not to carry malware.
 