http://www.eugdpr.org/the-regulation.html
Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
I’ve seen a couple of people ask if Plex can provide examples of what they will be collecting after the change. You don’t have to rely on their mercy, EU customers are able to request/get a copy of all personal data associated to their account.
Consent
The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
With the new GDPR introduced in 2016 it’s no longer enough to send out an email outlining the changes. Plex needs to get specific consent (asking for it) for data they collect.
Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.
http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf, p.18
Also, a single simple check box with “I agree to the changes” after login is not enough. They need to get consent for each change while also outlining why they are collecting it.
The outlined reason for collecting the data can’t change after the consent without additional notification:
Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information.
http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf, p.38
Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf, p.42
Privacy Policy section E "We may use information related to your usage to run and improve our Services, to provide, customize, and personalize communications and other content that we deliver or offer to you." combined with no option to opt out could be a breach of Recital 70.
Increased Territorial Scope (extra-territorial applicability)
The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.
Let me know if there are additional clauses, laws in other countries etc., I’ll add them here.