Re: [MediaWiki-l] GDPR and contracts

the data is stored and processed in order to fulfil a contract. Less strict is not a good description. GDPR has many restrictions on how you collect and handle personal data. It however also has many reasons why you are legitimately allowed to deal with personal data. Added to that are the rights of the consumer (or rather EU citizens). GDPR is an interplay that balances these 3 things and it does so (as often with law, intentionally) a bit vaguely at times. The following allows you to collect a persons information: 1: Consent 2: Vital interests (ambulance, hospital etc) 3: Legal requirement (government tells you to collect it) 4: Contracts (Delivery address when you buy something online, or likely indeed copyright licensing something for public [re]use) 5: Public good (police) 6: Justifiable interests (personnel administration, without which your company cannot function) And these can overlap. Your requirements about how you are supposed to handle this personal data don't really differ greatly based upon these, however the rights that the user has MIGHT be influenced. For instance you can imagine that it is not realistic you demand that your name is removed from the personnel administration of your company (esp while you work there). That would be highly non-practical ;) Similarly, it likely doesn't need permission to disclose your name to all your fellow employees. Disclosing your birthdate to all your fellow employees might require the employee's consent however as that is not likely to be critical to how you operate your business. We can also see this vagueness and graduality at play in recent Right to be forgotten cases where ppl asked to be removed from Google results. The courts made a difference between repeat offenders (not removed) and a one time offender who showed remorse (removed). Same principles in EU law for both, yet different results. See also: https://www.nytimes.com/2018/05/07/opinion/google-right-to-be-forgotten-fir… What you should be doing is to create in index of the types of personal data that you collect, and build an argumentation / justification as to why you collect it, why you store it, how long, how technically and why/how rights of users might (not) apply etc. If you document that (Privacy Impact Assessment), actually do as you preach, you are transparent and are generally responsive to consumer requests, there it is unlikely you will get into trouble more than like an admonishment or something. That is because as a company, it is not about fully complying to every letter of GDPR, it's about "How well does your story add up". You have to rly F'up before they will fine you 4% of your yearly revenue. I advise everyone dealing with this to read the GDPR. I personally use https://gdpr-info.eu, which is a website by a consulting firm, but it is a nice interface that allows you to search and easily browse the specific law. If you are Dutch, the Autoriteit Persoonsgegevens has created a very understandable "In a nutshell" document is a good place to start as well. https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/avg_i… Just remember that whenever you see something that is "required by GDPR", that this is likely in one branch of the GDPR tree. There might be exceptions/other branches. There is not one universally applicable truth to GDPR. DJ All of this again not legal advise, get a proper lawyer and/or data protection officer ;) On Tue, May 29, 2018 at 6:09 AM Thomas U. Grüttmüller <sloyment(a)gmx.net> wrote: