General Data Protection Regulation (“GDPR”)

44 readers

3 users here now

Everything related to the #GDPR is discussed here. This is the first and only community specifically for GDPR topics which is decentralized and outside of walled-gardens. #EDPB recommendations and guidance can and should also be discussed here.

For the moment, chatter on the similar California Consumer Privacy Act (CCPA) could be discussed at least until the volume of messages compels us to split it into a separate community.

founded 9 months ago

MODERATORS

freedomPusher@sopuli.xyz

How data controllers bypass the GDPR (contracts!) (sopuli.xyz)

submitted 6 months ago* (last edited 6 months ago) by freedomPusher@sopuli.xyz to c/gdpr@sopuli.xyz

0 comments fedilink hide all child comments

This is a seriously big loophole. Paraphrasing the various positions:

Data Controller:

“data collection is legal because we have a contract with the data subject” (iow, they claim Art.6.1(b) as the legal basis for processing)

Data Subject:

“There is no contract. I did not agree to a contract.”

Supervisory Authority:

“we do not act on contract issues”

EDPB:

“the scope of the GDPR does not include harmonization of national provisions of contract law”

I’m not finding it ATM, but somewhere in the GDPR or EDPB guidelines it says something to the effect of contract law varying across all member states, and therefore the GDPR is not applicable to contract matters and the validity of contracts cannot be assessed.

So, WTF? It’s a blatant abuse flying in the face of the GDPR when a data controller simply falsely claims a contract is in play. Since the SAs opt-out of regulating contract cases, this leaves data subjects with only direct court action.

no comments (yet)

sorted by: hot top controversial new old

there doesn't seem to be anything here