GDPR related questions

A few stupid questions Google hasn't been really clear about:

1)
Is using Gmail considered GDPR compliant?
Without having all the emails stored on Gmail decrypted (but using TLS for sending & receiving of course).

2)
Is Cloudflare considered GDPR compliant (when not used just as a DNS)?
Is it OK when used only as DNS (again - I understand it's a lawyer territory, so apologies for the stupid question)?

@Ympker I believe you've had a lot of practical experience on this and from what I've gathered some lawyer feedback on the topic. Since I think this is a lawyer (i.e. not technical & common sense) territory.

3)
Is using a hosting server outside of EU considered GDPR compliant (again - if using TLS plus encrypting any private-related data)?

BikeGremlin I/O
Mostly WordPress ™

Comments

  • Ignore GDPR.
    Inject a message "if you are an EU citizen please disconnect now" in the IP extension fields of the TCP SYN+ACK packet.
    If they don't listen, it's their problem.

    Thanked by (1)vyas
  • @bikegremlin said:
    A few stupid questions Google hasn't been really clear about:

    1)
    Is using Gmail considered GDPR compliant?
    Without having all the emails stored on Gmail decrypted (but using TLS for sending & receiving of course).

    Yes Gmail is GDPR compliant

    https://cloud.google.com/privacy/gdpr

    2)
    Is Cloudflare considered GDPR compliant (when not used just as a DNS)?
    Is it OK when used only as DNS (again - I understand it's a lawyer territory, so apologies for the stupid question)?

    https://www.cloudflare.com/en-gb/gdpr/introduction/

    @Ympker I believe you've had a lot of practical experience on this and from what I've gathered some lawyer feedback on the topic. Since I think this is a lawyer (i.e. not technical & common sense) territory.

    3)
    Is using a hosting server outside of EU considered GDPR compliant (again - if using TLS plus encrypting any private-related data)?

    It depends... It what they collect on data, what they share and many thing more....

  • @yoursunny said:
    Ignore GDPR.
    Inject a message "if you are an EU citizen please disconnect now" in the IP extension fields of the TCP SYN+ACK packet.
    If they don't listen, it's their problem.

    Please GPDR is better than the current American **** have. Even California is switching over to a more strict rules...
    https://oag.ca.gov/privacy/ccpa

    The only issue is that some rules are stupid mainly accepting those cookie *** message boxes.

  • @jaapmarcus said: Please GPDR is better than the current American **** have. Even California is switching over to a more strict rules...

    https://oag.ca.gov/privacy/ccpa

    The only issue is that some rules are stupid mainly accepting those cookie *** message boxes.

    What're you going to do if California claims jurisdiction over you?

  • I feel like this GDPR thingy will prevent us from going to the space.

    Thanked by (1)bikegremlin

    ♻ Amitz day is October 21.
    ♻ Join Nigh sect by adopting my avatar. Let us spread the joys of the end.

  • vyasvyas OGContent Writer
    edited October 2021

    @yoursunny said:
    Ignore GDPR.
    Inject a message "if you are an EU citizen please disconnect now" in the IP extension fields of the TCP SYN+ACK packet.
    If they don't listen, it's their problem.


    Someone accidentally or intentionally visits your house and rings doorbell. You first send them a message: "If you are a visitor from a different country, we will try and comply by your country's rules. our local laws be damned."
    We will also delete any records of your visit should you so desire.

    That is what a gdpr notice practically is.

    By extension, is LES GDPr compliant?

    EU and US/California lawmakers can shove GDPR/CCPA up their rear ends. Instead of shoving it down the throats of service providers/ webhosts etc.

    VPS reviews | | MicroLXC | English is my nth language.

  • bikegremlinbikegremlin ModeratorOG
    edited October 2021

    I could go on and on why GDPR, especially the way it's practically enforced, is crap.
    But this is a project that must be 100% GDPR compliant, and include a website and a mailing list.

    @vyas maybe a forum must allow any member to request having all their posts & data deleted in order to be GDPR compliant. If that is the case - it's a great push towards corporate-owned (the real data gathering) social networks.
    Likewise, I wouldn't be amazed if even forums have to designate a person that will be a contact, who provides "a full list of all the data LES has on a member making a query." It's beautiful! :)

    BikeGremlin I/O
    Mostly WordPress ™

  • @bikegremlin said: But this is a project that must be 100% GDPR compliant, and include a website and a mailing list.

    two things to do here:

    a) check if and how all vendors you use and which potentially handle personal data of your clients and visitors, are GDPR compliant themselves, like Jaap pointed to

    usually all bigger vendors will have something about it, if not ... probably better not use it.

    b) the project itself needs to fulfill the gdpr requirements, like having a data protection officer and even more so declare everything in a privacy policy statement as well as handle the cookie stuff.

    it really comes down to the question of which (personal) data you handle after all. if you have a static website on IPv9 hosted at south pole without any third party tools and no tracking crap and no logging, you're most likely GDPR compliant per sé. easy, right, RIGHT?

    Thanked by (1)bikegremlin
  • @Falzo said:

    @bikegremlin said: But this is a project that must be 100% GDPR compliant, and include a website and a mailing list.

    two things to do here:

    a) check if and how all vendors you use and which potentially handle personal data of your clients and visitors, are GDPR compliant themselves, like Jaap pointed to

    usually all bigger vendors will have something about it, if not ... probably better not use it.

    b) the project itself needs to fulfill the gdpr requirements, like having a data protection officer and even more so declare everything in a privacy policy statement as well as handle the cookie stuff.

    it really comes down to the question of which (personal) data you handle after all. if you have a static website on IPv9 hosted at south pole without any third party tools and no tracking crap and no logging, you're most likely GDPR compliant per sé. easy, right, RIGHT?

    I get conflicting feedback from the "GDPR compliance lawyer" - the problem is, for now, most feedback comes through the client.

    Anyway - got their answer on Google - practically saying it's an evil monster. OK, we all know that, but I thought my job was to implement what works in compliance with GDPR. With this line of reasoning - I'll just work with whatever the "GDPR expert" says is acceptable - making the best with what's available. Far from the fastest, cheapest, or even safest solution, but it's not my business to tell people what to do - as far as I go is recommended.

    Hence, related to this project, this thread is no longer relevant (unfortunately). But I think it's a good idea to share thoughts and experience, for any projects that aren't as lawyer-run (they still exist, no?).

    Thanked by (1)Falzo

    BikeGremlin I/O
    Mostly WordPress ™

  • @bikegremlin said: With this line of reasoning - I'll just work with whatever the "GDPR expert" says is acceptable - making the best with what's available. Far from the fastest, cheapest, or even safest solution, but it's not my business to tell people what to do - as far as I go is recommended.

    yes. that's the way to go. client has to kill it with money eventually.

    Thanked by (1)bikegremlin
  • @jaapmarcus said:

    @Ympker I believe you've had a lot of practical experience on this and from what I've gathered some lawyer feedback on the topic. Since I think this is a lawyer (i.e. not technical & common sense) territory.

    3)
    Is using a hosting server outside of EU considered GDPR compliant (again - if using TLS plus encrypting any private-related data)?

    It depends... It what they collect on data, what they share and many thing more....

    Processing data =/= hosting data.
    GDPR does not allow you to host data outside of the EU.

    Thanked by (1)bikegremlin
  • @Mew said:

    @jaapmarcus said:

    @Ympker I believe you've had a lot of practical experience on this and from what I've gathered some lawyer feedback on the topic. Since I think this is a lawyer (i.e. not technical & common sense) territory.

    3)
    Is using a hosting server outside of EU considered GDPR compliant (again - if using TLS plus encrypting any private-related data)?

    It depends... It what they collect on data, what they share and many thing more....

    Processing data =/= hosting data.
    GDPR does not allow you to host data outside of the EU.

    Not arguing - the questions aren't rhetorical, but intended to confirm & clarify:

    Does that make Amazon cloud (unless restricted server locations are used) and Gmail for that matter (if emails with any data/info are saved) not GDPR compliant?

    Linkedin, Facebook, YouTube - do they only store EU customer data on EU located servers?

    This is for laughs (not a serious question):
    Could we sue them? :)

    BikeGremlin I/O
    Mostly WordPress ™

  • @bikegremlin said:

    @Mew said:

    @jaapmarcus said:

    @Ympker I believe you've had a lot of practical experience on this and from what I've gathered some lawyer feedback on the topic. Since I think this is a lawyer (i.e. not technical & common sense) territory.

    3)
    Is using a hosting server outside of EU considered GDPR compliant (again - if using TLS plus encrypting any private-related data)?

    It depends... It what they collect on data, what they share and many thing more....

    Processing data =/= hosting data.
    GDPR does not allow you to host data outside of the EU.

    Not arguing - the questions aren't rhetorical, but intended to confirm & clarify:

    Does that make Amazon cloud (unless restricted server locations are used) and Gmail for that matter (if emails with any data/info are saved) not GDPR compliant?

    Linkedin, Facebook, YouTube - do they only store EU customer data on EU located servers?

    This is for laughs (not a serious question):
    Could we sue them? :)

    @Ympker know german lawyers LES vs Bezos and Zuckerberg

    Thanked by (2)Ympker bikegremlin

    Dentistry is my passion

  • YmpkerYmpker OGContent Writer

    @Chievo said:

    @bikegremlin said:

    @Mew said:

    @jaapmarcus said:

    @Ympker I believe you've had a lot of practical experience on this and from what I've gathered some lawyer feedback on the topic. Since I think this is a lawyer (i.e. not technical & common sense) territory.

    3)
    Is using a hosting server outside of EU considered GDPR compliant (again - if using TLS plus encrypting any private-related data)?

    It depends... It what they collect on data, what they share and many thing more....

    Processing data =/= hosting data.
    GDPR does not allow you to host data outside of the EU.

    Not arguing - the questions aren't rhetorical, but intended to confirm & clarify:

    Does that make Amazon cloud (unless restricted server locations are used) and Gmail for that matter (if emails with any data/info are saved) not GDPR compliant?

    Linkedin, Facebook, YouTube - do they only store EU customer data on EU located servers?

    This is for laughs (not a serious question):
    Could we sue them? :)

    @Ympker know german lawyers LES vs Bezos and Zuckerberg

Sign In or Register to comment.

This Site is currently in maintenance mode.
Please check back here later.

→ Site Settings