Gitlab does not comply with GDPR(reddit.com)
reddit.com
Gitlab does not comply with GDPR
https://reddit.com/r/europrivacy/comments/8oymby/source_code_hoster_gitlab_is_not_respecing_the/
9 comments
GitLab has a strict opt in policy for processing personal information for marketing for all users, even in jurisdictions where opt in is not required. We very much respect the privacy of our users. With regard to services, consent isn't required since the personal information we process is necessary for providing the services. There seems to be confusion on what consent is needed for.
Regarding the displaying of public activity in your public profile:
While we don't use any page tracking or anything like Google Analytics (or equivalents like Piwik) in the application, nor the activity is generated from that, we understand that there are people who would prefer to not have that information publicly available: https://gitlab.com/gitlab-org/gitlab-ce/issues/38604
On the other hand, some would like to opt-in to provide even more information (in the form of the contribution calendar) to have their activity in private projects counted as well: https://gitlab.com/gitlab-org/gitlab-ce/issues/14078 (to match feature parity on how it works in GitHub).
We are listening and we intended no harm.
While we don't use any page tracking or anything like Google Analytics (or equivalents like Piwik) in the application, nor the activity is generated from that, we understand that there are people who would prefer to not have that information publicly available: https://gitlab.com/gitlab-org/gitlab-ce/issues/38604
On the other hand, some would like to opt-in to provide even more information (in the form of the contribution calendar) to have their activity in private projects counted as well: https://gitlab.com/gitlab-org/gitlab-ce/issues/14078 (to match feature parity on how it works in GitHub).
We are listening and we intended no harm.
I wonder how long before the GDPR starts to act AND if it will have teeth...
since a week the teeth are active and lawyers started to send out their letters. The two years with it being law without teeth are over.
How do you think they'll try to regulate a non EU company.
"Hey American incorporated company, we fine you EUR 150,000"
"K"
How would it be enforced?
"Hey American incorporated company, we fine you EUR 150,000"
"K"
How would it be enforced?
It can be enforced in multiple ways. For instance by going after the European ad business or just yesterday a ruling of the European Court of Justice was published stating that Europeans who run a "Facebook Page" take some of the responsibility http://curia.europa.eu/juris/document/document.jsf?text=&doc... (this s not about GDPR, but older rights, but shows how European organizations can go after US corps)
The plan is to use the big service providers ala Amazon, Google, MSFT, PayPal etc. to enforce GDPR compliance in the long run how well will it work in the long run is another question.
That said consent is not required under the GDPR it’s only one of the lawful bases for collection and processing.
A business interst or a contract are also valid reasons what they do need to provide is a policy that states what whey collect for what purpose and what is the lawful basis for it and that has to be done for each purpose e.g. marketing, billing etc invisibly.
As far as opt out goes then opt out only plays a role if you use consent as your lawful basis other bases do not implicitly require opt out; other allowances such as stop processing and right to be forgotten still have to be available unless there is a lawful basis to override them for example maintaining security logs or complying with local data retention laws.
You however need to be able to prove that you act in the best interest of the people and that is important since it’s not necessarily in the best interests on an invidual. For example you can justify retention of user data if users would have an expectation to be able to use it to make a criminal or civil complaint e.g. UBER, dating sites, AirBnB and the likes can use the public’s safety as a reason to deny certain implicit rights like the right to be forgotten.
This however can be mediated through the DPAs and the courts system in the EU.
That said consent is not required under the GDPR it’s only one of the lawful bases for collection and processing.
A business interst or a contract are also valid reasons what they do need to provide is a policy that states what whey collect for what purpose and what is the lawful basis for it and that has to be done for each purpose e.g. marketing, billing etc invisibly.
As far as opt out goes then opt out only plays a role if you use consent as your lawful basis other bases do not implicitly require opt out; other allowances such as stop processing and right to be forgotten still have to be available unless there is a lawful basis to override them for example maintaining security logs or complying with local data retention laws.
You however need to be able to prove that you act in the best interest of the people and that is important since it’s not necessarily in the best interests on an invidual. For example you can justify retention of user data if users would have an expectation to be able to use it to make a criminal or civil complaint e.g. UBER, dating sites, AirBnB and the likes can use the public’s safety as a reason to deny certain implicit rights like the right to be forgotten.
This however can be mediated through the DPAs and the courts system in the EU.
Do you think it should be enforced in this case? EU citizens can purchase services from companies that are present in EU if they want to be covered by EU laws.
They've most likely been mislead by very poor advice on marketing communications. Under GDPR a company can rely on "legitimate interest" as their lawful basis for processing for marketing purposes. However, this ignores the older PECR rules that say that electronic marketing requires consent.
Requiring users to agree to the a new privacy policy or updated terms and conditions is obviously still fine. GDPR does not restrict companies from requiring that their users agree to terms as part of their provision of services.
As far as I can tell from this post, the only problem is that GitLab have used the guidance for postal marketing when they're doing electronic marketing. Yes, it's not compliant, but references to the UDHR and the general tone of this suggest the user has a prior grievance and they're trying to over-inflate this issue.
Requiring users to agree to the a new privacy policy or updated terms and conditions is obviously still fine. GDPR does not restrict companies from requiring that their users agree to terms as part of their provision of services.
As far as I can tell from this post, the only problem is that GitLab have used the guidance for postal marketing when they're doing electronic marketing. Yes, it's not compliant, but references to the UDHR and the general tone of this suggest the user has a prior grievance and they're trying to over-inflate this issue.