General Data Protection Regulation (“GDPR”) ⚖

I have filed several GDPR art.77 complaints. Every,single,complaint → mothballed.

Ireland has their own data protection act which largely mirrors the GDPR. I first have to wonder why. Why rewrite an EU regulation, if not to do something twisted? IIUC, Ireland is part of the EU thus automatically obligated to enforce the full GDPR as-is. (Unlike Great Britain, who left the union but decided voluntarily to keep the GDPR, so they had to mirror it and rewrite some parts that are irrelevant to an EU outsider). Or is Ireland somehow outside the EU too, yet with the Euro?

If you’re not in Europe, move along. You’re stuffed and this thread can’t¹ help you.

Art.22 ¶1 declares:

Many data protection authorities are deadbeats. They do the legal minimum, which is to accept complaints, file them, and acknowledge them. Then do nothing. So stale cases just rot.

As I mentioned in another post, many data protection authorities are deadbeats. Knowing that my Art.77 complaints are in vain, my question is how the complaints might be made useful. Suppose we just use the DPA as a prop. We file an Art.77 complaint and CC the data controller a copy of the complaint.

Many member states a daft when it comes to GDPR enforcement. But there are an exceptional few member states that have a Data Protection Authority that actually does their job. E.g., in principle, I might want to file all Article 77 complaints in Norway. Of course, without living there and having no transaction there, it’s outside of the jurisdiction.

Suppose you have the following parties to an email conversation: * badDebtorOffice@douchebank.com (alias for bdo@douchebank.mail.protection.outlook.com) * alice@freedomRespectingProvider…org

I read somewhere that GDPR requests for restricted processing (Art.18) cannot be combined with any other topic or request. E.g. If you request that they not use your e-mail for marketing purposes.

Utility companies, telecoms, and banks all want consumers to register on their website so they do not have to send paper invoices via snail mail. When I started the registration process, the first demand was for an e-mail address.

People are often told if their data is published, they have no expectation of privacy. But I found an interesting gem in the EDPB Guidelines of 04/2019 which counters that to some degree:

Just a pro tip if you want to build a case against a data controller: when they ignore your GDPR request, don’t simply send them a reminder. Instead, send them a new Article 15 request demanding records on how your previous request was handled. This way when you build a case against them, you can tack on yet another Article 15 violation when they also ignore your request for information about how they handled your request.

This is a seriously big loophole. Paraphrasing the various positions:

I often give fake info as an extra measure of data protection. If I don’t need the data controller to have my date of birth, I give a fake one.

The GDPR has some rules that require data controllers to be fair and transparent. EDPB guidelines further clarify in detail what fairness and transparency entails. As far as I can tell, what I am reading strongly implies a need for source code to be released in situations where an application is directly executed by a data subject and the application also processes personal data.

The #GDPR protects everyone inside the EU (regardless of citizenship) + also EU citizens who are outside of the EU.

In answering this question, this seems to be relevant: