this post was submitted on 07 Jan 2024
61 points (93.0% liked)
If the site services the EU and does not have a privacy policy it’s downright illegal according to the GDPR.
Art. 14 GDPR, “Information to be provided where personal data have not been obtained from the data subject”:
https://gdpr-info.eu/art-14-gdpr/
Is it just me or does this not make sense? It says you must declare the purposes of the processing for which personal data are intended, but this is under the section for when no personal data is collected. How does that work?
Reads to me like data that I (data subject) did not provide myself, but that the processor collects. I guess an example could be IP address.
That's what we've been taught at work, and also my general understanding of it.
You don't need a policy or a banner if you don't need to inform and gather consent from the user. It's just that nearly everyone does, so nearly everyone needs one. And big companies can't even begin to imagine one would not collect any data at all. So Google and Apple both require a policy to publish an app, even if it just says "we don't collect anything".
It may reassure users however to be explicit that you don't collect anything, since now people assume the worst about everyone, especially when there's some form of company involved.
But if your site is just static HTML, there's no user accounts and you don't collect any statistics and have server logs turned off, you're not collecting or processing any personal data. So you're good. You can't be sued for processing data you don't have.
Companies also tend to prefer to side with caution: you're better off doing more than is strictly required than risk a lawsuit. The GDPR is pretty vague, so you might as well have one to cover your ass.
IP addresses are seen as personal data. So if you're a sane person who does logging and analyzes the result, you need a privacy policy.
If you embed external fonts/scripts/images/etc. you also need one.
Are they? I would have thought that the IP address of someone accessing a site is public information.
IP addresses are considered personal data.
https://gdpr-info.eu/issues/personal-data/
The whole article is a great read, btw.
"Personal data" (and thus the protection of it and how organizations servicing EU citizens have to handle them) is much, much, much more than just your name.
I kinda think that the IP address is public information when you go to a site still. Since it's needed to get data back to you and you're requesting to get data back. But maybe I'm just a bit too old and stuck in the thinking of the phone book and such.
More generally any personal data obtained from a third party. E.g. if you're generating a credit score you might contact someone else with a record of financial transactions.
Yeah, that sounds even better.
It's EU garbage. The answer is that it doesn't work and is designed to fuck people over.
Found someone salty that their site didn’t comply and is big angy about having to clean it up and stop being shady 😏
There's nothing shady about ignoring what eurotrash politicians want.
Yeah, nothing shady about ignoring the law, right.
To be fair, depending on your interpretation of "shady" I'm pretty sure you can find a lot of laws most people wouldn't describe someone ignoring to be doing anything shady. (I think that sentence should make sense)
Correct. There's nothing shady about ignoring retarded laws for an irrelevant jurisdiction
'murica! Fuck yeah! Best country in the world. Everyone else is irrelevant. Freedom!
wut?
That section is only applicable if personal data has been obtained by some means other than from the data subject. If a site doesn’t collect or process any personal information, period, then that section (and the rest of the GDPR) isn’t applicable.