General Data Protection Regulation (“GDPR”)

44 readers

3 users here now

Everything related to the #GDPR is discussed here. This is the first and only community specifically for GDPR topics which is decentralized and outside of walled-gardens. #EDPB recommendations and guidance can and should also be discussed here.

For the moment, chatter on the similar California Consumer Privacy Act (CCPA) could be discussed at least until the volume of messages compels us to split it into a separate community.

founded 9 months ago

MODERATORS

freedomPusher@sopuli.xyz

Legal theory that obligatory disclosure of email address violates the GDPR minimisation principle (beehaw.org)

submitted 2 months ago* (last edited 2 months ago) by debanqued@beehaw.org to c/gdpr@sopuli.xyz

0 comments fedilink hide all child comments

Utility companies, telecoms, and banks all want consumers to register on their website so they do not have to send paper invoices via snail mail. When I started the registration process, the first demand was for an e-mail address.

Is that really necessary? They would probably argue that they need to send notifications that a new invoice has been prepared. I would argue that e-mail should be optional because:

They could send SMS notifications instead, if a data subject would prefer that.
They need not send any notification at all, in fact. Reminders is why calendars and alarm clocks exist. A consumer can login and fetch their invoice on a schedule. If a consumer neglects to login during a certain window of time, the data controller could send a paper invoice (which is what they must do for offline customers anyway).

They might argue that they need an email for password resets. But we could argue that SMS or paper mail can serve that purpose as well.

Does anyone see any holes in my legal theory? Any justification for obligatory email address disclosure that I am missing?

no comments (yet)

sorted by: hot top controversial new old

there doesn't seem to be anything here