Does GDPR affect companies selling data? I did not give consent to another company to have my data for the means of debt collection? How do they get data without consent with GDPR?
Not sure what you’re getting at, but, as a generalisation, GDPR affects all organisations that use or store personally-identifiable information in all the countries that have signed up to it. I am not sure about this, but there is no blanket ban on acquiring data, just using it and storing it. And selling data is a use, so it is meant to be covered by the seller’s data and privacy policies.
At a more practical level it is then up to each country’s ICO (Information Commissioner’s Office) to then set guidelines, procedures, and enforce the rules. No (or pointless) ICO means no enforcement.
Having said that, there’s plenty of personally-identifiable information flying around under allowed exceptions, for example, for law enforcement, or some not-entirely-watertightly-specified Government uses. The exchange of information for debt collection purposes might have been OKed by a court, alternatively, many privacy and data use policies (that you almost-certainly OKed) do have paragraphs covering the use of data by third parties for things like debt-collection and law-enforcement.
You still have the right to request (or be pointed at) the data privacy and data use policies of the organisations you’re worried about.
Always assuming you have an ICO in your country that enforces the rules - I don’t know which country you’re in.
How will GDPR affect the storage of flagged/banned Euro IPs to prevent malicious users? Should they be asked for consent too?
The answer to this appears to be ‘probably’. So far as I can see from a quick search on Google, so far, where the question has come up, the EU has ruled that in certain circumstances, an IP address can be considered personal data. However, as blocking an IP address to stop a malicious user is about as effective as using a wall made of tissue paper to barricade against a flood, you may as well just delete them.
IPs can be changed in about 30 seconds.
How do I avoid being bullied into consenting to GDPR?
You do not have to consent to anything you do not want to.
Under GDPR Art. 77 you have the “Right to lodge a complaint with a supervisory authority”. As far as I know, every EU member state should have a supervising authority which you can contact if you feel like your rights under GDPR are infringed upon.
You can read more here: How do I avoid being bullied into consenting to GDPR?
P.S.: I am not a lawyer, so please take my answer only as my personal opinion.
What are all the data that need to be stored as proof of consent for GDPR?
It’s an endless debate because it depends a lot on the situation. Let me explain the systems you can use, and which you will choose depending on your case. Also note one thing: user consent is not needed in all situations, it’s only needed in very specific situations like marketing - for an e-commerce transaction you don’t need it, for example (look at article 6 of GDPR for more on that).
The possible systems to track user consent
So it comes down to two possibilities when you’re working on the web:
either you track the process by which the user consents (a copy of the webpage and the button he clicked, so we can see how the button was, basically)
or you track the consent itself (the data in the db that tracks the consent)
You could also ask for email or phone confirmation, for example, if you have the possibility to get out of the web, but let’s keep ourselves web only.
As a general idea, keeping a proof of the process the user had to go through is probably more useful than keeping track of the consent itself (a checkbox checked on a database).
Which system should you use and why?
Now we have to make a choice, and this choice depends on one thing: how risky is your situation?
Why am I bringing up risk? Because if there’s more at stake you’re going to want to protect your organisation much more.
So for example, if you’re asking for consent to send a newsletter about gardening, I’d go for keeping track of the process itself because it’s a low-risk situation.
However, the situation is completely different if you’re collecting data to sell an insurance contract. Why? Because the risk of getting sued is higher and there’s just more at stake. So every little detail will count much more.
Quick practical advice
Don’t obsess too much about the consent and how to track it. In real life, what you should work on is making sure users actually agree with what you’re really doing, and making sure you’re not doing fishy things behind.
If the process is clear (yes you subscribe to my newsletter and I’m going to send you commercial offers), you will have few problems. On the other side, you will have a TON of problems if you record the user consent and do completely different things on the backend than what he thought he agreed on…
How does an airline ticket booking agent issue a ticket to a walk-in passenger and ask for consent according to GDPR?
The Airlines will be fully compliant with GDPR EU regulations. They do not need your consent, only to assure you that all your information is protected under the regulations. (Example, they cannot hold onto your information more than 90 days, etc, unless you agree. Loyalty points systems would require your consent.)
One more thing, GDPR does not protect your information from government review and inspection for the purpose of Customs and Immigration review, acceptance or rejection.
Have a nice flight!