
GDPR in Plain English - michaelbuckbee
https://blog.varonis.com/gdpr-requirements-list-in-plain-english/
======
BadCookie
So, if I understand this right, a dating website cannot ask you your sexual
orientation, hobbies, religion, or really anything that might be useful in
finding a match. Am I missing something? Can personal health forums not exist
for EU residents, since it's not "legally required" to collect health
information from forum participants? Either I'm not getting this, or it's
insane.

~~~
eecks
From what I understand, a website can ask you for anything, but they need to
explicitly get consent (unlike, say, cookie policies) and they need to inform
the user what the data is used for.

In your dating example, the user agrees the company can use the data to get a
match. The company can't use the data for other purposes.

~~~
BadCookie
Well, that's not what Article 9 says, at least according to this source.

"Unless required by some other law (employment or real estate) – don’t collect
any data about race, politics, religion, union status, health data, sex life
or sexual orientation."

~~~
beojan
That's an oversimplification. You can collect it, but you have to be very
careful about securing it and not misusing it.

In the real world, those collecting this data are in fact generally misusing
it or storing it insecurely.

~~~
BadCookie
That makes more sense. Thanks for the explanation.

------
nabla9
If you remove "anything that you could conceivably use" to identify a user
from the data, is it an exception to GDPR?

What if you store only unidentifiable data and enforce pseudonymity? There
would still be ways to connect data to a person using forensic techniques like
text analysis, but that would be hard.

~~~
rando444
There are always grey areas with everything, and something like this would
likely come down to a court decision.

Was the person who removed the PII acting in good faith and to the best of
their ability?

