If it's not exposed to the internet no problem.
Not true unfortunately under the GDPR nor it's predecessor, if the notes are publicly available:
Bodil Lindquist v Åklagarkammaren (2003)
Mrs. Lindquist (whose purposes were mostly charitable and religious) published on a private home page personal data about her colleagues, including telephone numbers and information about a coworker’s injured foot and medical leave. This case raised the question if a private home page accessible to only those who have the address is permitted under one of the exclusions (household activity). The European Court of Justice ruled that it is not.
Not true unfortunately under the GDPR nor it's predecessor, if the notes are publicly available:
Bodil Lindquist v Åklagarkammaren (2003)
Mrs. Lindquist (whose purposes were mostly charitable and religious) published on a private home page personal data about her colleagues, including telephone numbers and information about a coworker’s injured foot and medical leave. This case raised the question if a private home page accessible to only those who have the address is permitted under one of the exclusions (household activity). The European Court of Justice ruled that it is not.
Major privacy honeypot...enter your number, have it PRINTED ON THE WEBPAGE for millions of other visitors to see, add to spam lists etc, they could at least mask the number....
This is a big point of confusion. A background check will check the court records, where your convictions will still be listed (unless protected from disclosure e.g. California background checks generally don't show convictions > 7 years https://www.goodhire.com/california/background-checks).
A real con artist can just fake someone's ID, for them it's pretty trivial.
The issue is less than 1% of convictions ever make it to the Internet, and those people currently will be stigmatized forever, unlike the other 99%, unless they have this mechanism. Google's plea was 'we will self police, but we won't tell you how. We will ignore court orders, because we choose to'. The court objected to that approach.
If you are convicted of new crimes, no matter how long ago, then your sentence may be significantly increased as a repeat offender.
GDPR will have a massive effect no matter where you are. The trickle-down affects are key.
Many large companies do business with Europe. Many of them are implementing GDPR-like controls and/or adopting Privacy Shield. Other US companies doing business with them must adhere to the new vendor controls these US-companies have adopted, or lose that business.
Across the world, (e.g. Singapore, Philippines and Japan) Privacy laws are being re-written to align parts of local law to GDPR.
The US has limited privacy laws generally (e.g. dat breach notification laws in CA and MA), but has adopted specific protections depending on industry (HIPAA for healthcare, GLBA for Banking). More like likely occur.
While mankind has not needed a right to be forgotten previously, it didn't have the omnipresent Google to deal with either. These are just the opening shots in the Privacy battle that will spread from GDPR.
Other search engines are affected too, but Google has a massive market share and has a long litigation history in Europe.
Some of the factors that come into this include the very nature of criminal sentencing: A judge looks at the facts of the case, aggravating factors, previous convictions and sentencing guidelines, and determines an appropriate sentence.
Then along comes a search engine and doubly punishes someone in what may be a disproportional way; e.g. it's highly unlikely you will come across the convictions of John Smith when you google him, but when you look up someone with a non-common name, it may be the very first search result; disproportionally disadvantaging them for jobs, business and even dating partners.
The issue in this case was Google wanted to be the sole arbiter of what they would remove and what they would leave in, with no oversight from anyone. This would have crippled the GDPR even before it began.
That said, it's early days for the right to be forgotten.
This is a really good time for him to shut up and lawyer up.
The duty of the prosecution is to prove their case in court. The fact that they have seized his computer(s) and carried out forensics already, means they are looking hard for a conviction. If they freak him out with this sort of circumstantial evidence, he will say something, and it's never a good thing.
Legal precedent depends on jurisdiction and you haven't shared that.
Connecting to Tor is a 'fact'. What value that fact has is up to the prosecution to prove. Relevancy is key. Best to wait and see what they alleged happened and then challenge just those set of facts.
If he says nothing, they have a lot to prove. In many places in the US, they will come in with multiple felonies then accept all sorts of plea bargains as it drags on and on and on, like a bad used sales car man.
Start with the basics: Personal data (PD). The GDPR applies to 'personal data' meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
How is the consumer (data subject) linked to the ID? aka how does a human prove ownership of the account (email address etc??) This is where your PD is.
The solution is pretty easy. You create a table where a user is mapped to an ID. Then you create the rest of the game just as normal, only using the ID.
You WILL need a privacy notice showing data subject rights and detailing what you are collecting and why, and other third parties that you share data with. Also how to contact you to enforce those rights. This should be on the website and wherever the game is (mobile app etc).
If there's a data request, you give them the mapping of their PD to your ID, and that's really it.
If they invoke their right to be forgotten, then you update that row of the table with something other than PD being mapped to the ID. Effectively, they are forgotten.
You can collect data once you tell them what data you are collecting and why, if you are relying on informed consent. They can either give it and play, or not give it and not play.
I wish they would give more clarity on what 'delete' means. Is it
a) It's deleted from your timeline etc
or
b) It is really deleted from Facebook's servers
If it's a) then that's either a 'hidden' toggle which does not meet GDPR needs. If it's a 'hidden' and do not process further, it is questionable (unless a right to be forgotten is invoked).
Also if it's a) then everything is discoverable by someone with legal authority, even years after you believe you have deleted it.
There is a process to be followed. If you have the response from the DPO and a reasonable suspicion based on evidence, you can absolutely to to the DPA. If your evidence is strong, that may proceed on that. If not but there are many other similar complaints, they can formally ask the company to 'clarify' issues....which is a very dangerous thing if you are a company that is evasive.
Most of the EU litigation has been against Facebook.
They have spent many millions in EU GDPR projects (such as the ability to download all records, which is in the news cycle right now).
Under the current legislation, they can be sued by each regulator in each country separately (this has happened to them multiple times). Under the GDPR, they will mostly be sued by just the Irish Data Protection Authority (other EU regulators will funnel issues to the Irish DPA first).
This is a key reason why there are data protection officers under GDPR. They report to the highest level of management (mostly the board) and are independent. They are also called mini-regulators. They ensure the company is compliant.
If they are not doing their job, (and you are not content with their reply), you then appeal to the Data Protection Authority (DPA, Privacy Regulator in the country). The DPA has full powers of subpoena (and a whole lot more), and are not to be trifled with.
For any company that is compliant with GDPR (after 25th May 2018), the answers your 4 questions (2 on data collection, other 2 on data subject rights) must already be in their privacy notice on their website, with instructions for how to contact their data protection officer.