I copied from and linked to the GDPR on the official database of EU law. There is nothing I could possibly say to someone who claims that that is wrong.
That the facts are downvoted and the “alternative” upvoted is either the result of manipulation or says something very horrible about this community.
alright, so, you DID copy the relevant legalese, yes, but you quite obviously didn’t read it carefully enough.
everything in your quote says what i said, and disproves what you said.
that’s just a fact and is why you are being downvoted: you said something nonsensical.
here’s how:
For the purposes of this Regulation:
self explanatory; no issues here.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);
here’s our first issue: “natural person” is a legal term and means an actual, real life person.
a username (and therefore a user in general) is NOT a “natural person” in the eyes of the law.
your user account has no rights in the eyes of the law. you, the person reading, do. but those are two different things in law terms.
also “relating to an identified or identifiable natural person” does NOT mean “any data related to your user account”. it ONLY refers to data that can be used to identify you, the natural person.
i think this is where most of your confusion comes from:
if the data cannot be used to identify you, then it is not protected by the GDPR.
it’s that simple, really.
also important: this is about data, specifically.
so comments you make also are not covered by GDPR, because the GDPR only deals with systems data and personally identifiable information.
so your votes, for example, are NOT covered, because they can’t be used to identify a natural person.
in fact, nothing that the Fediverse platform sends anywhere falls under GDPR (afaik).
anything identifiable you put on the platform, you’ve put there yourself, and the GDPR doesn’t protect you from posting a picture of your own SSN. it doesn’t protect from doing dumb things, it only protects information you didn’t provide voluntarily.
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier […]
here is where i think the rest of your confusion lies:
it’s ONLY personally identifiable data, if, you know, it can identify you (the natural person)!
in layman’s terms that means this law ONLY applies, if your username can be used to easily acquire your real name. and ONLY then.
your IP address is not enough to identify a natural person precisely.
if you haven’t put your real name in your account description (which this law also doesn’t protect against, since that is voluntary on the user’s part), there is no way to correlate your username with your real name.
therefore the law doesn’t apply here.
[…] or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
this part pretty much just says that healthcare data, religion related data, club memberships, etc., are also personally identifiable information and therefore sensitive data.
mostly this means that using aggregate data to uniquely identify an individual is illegal.
so, for example, if some company has your age, general area, your gender, and your address, then it would be trivial to uniquely identify you, therefore that combination of data is also protected and classified as “sensitive information” which has to be handled in specific ways by law. (the details here aren’t important for the discussion, but it’s things like only store it encrypted, only locally/with certified providers, etc.; just a bunch of technical details)
it’s also important to note that there are TONS of exceptions to the GDPR (which has made lots of privacy advocates very grumpy), so even IF data is personally identifiable, it may still be legal to process that data, if it falls under one of those exceptions and is clearly laid out in the privacy statement on the website.
now, if you can explain exactly where I’m wrong I’ll gladly admit to my shortcomings, but just going “nuh-uh! you’re wrong!” without any explanation is just plain rude.
I have trouble believing that you have been taught this nonsense. As far as I can tell, the term “PID” is not in use anywhere. That commercial site that you are so kindly helping sell its services doesn’t seem to use it. So who taught you that?
my work environment is german speaking. didn’t bother looking up the translation, since it’s perfectly understandable and clearly communicates the right idea either way.
anyone that in any capacity handles data - like, say, sys admins (hint, hint) - knows this term.
it’s not a surprise that it doesn’t show up in an article called “GDPR for dummies”, since the people familiar with the term won’t get much use out of that site.
it’s also an IT-term, not afaik a legal term, used as a kind of short hand for (extra) sensitive data.
(the site being “commercial” is also irrelevant. the information content is important. since you haven’t been able to decipher the legal text, i figured linking a more easily digestible site would be more convenient.)
as to “who taught me that”…i couldn’t say. it’s part of my job to stay up to date on legislation related to my job, same as for anyone else. we’ve had countless meetings about how to handle this sort of data internally, with consultants, and with other departments. we have, as we are required to by law, a data security officer (i think that’s the translation) that regularly sends updates, information, and requests/demands as to how to handle PII. like i said: it’s a big thing^tm in IT in general. it’s a topic that can easily fill a university lecture and then some. and it was a significant part of my certification process.
also, fun fact! if you type “personally identifiable data” into a search engine, the literally first result explains all of this and more!
isn’t that fantastic?? :D
P.S.: i specifically told you:
look up the parts you aren’t sure about.
soooo…you’re not very good at finding information that isn’t presented to you, evidently. maybe work on that a bit? just a suggestion…
I’m in the EU and PII definitely IS “a thing” here, because most IT professionals need to communicate in english at least some of the time and the US is the biggest market for software in the western hemisphere.
because of that most software companies from the US (like, say, Microsoft, Apple, and Google) use the term, which is why it is widespread over here as well.
and since translation errors are suuuper common in technical documentation from said companies, or there straight up isn’t any in non-english, most professionals read a lot of US-english documentation. which obviously uses PII instead of PD.
the specifics differ, yes, and the areas use slightly different terms (PII vs personal data), and yet those terms are, in fact, synonymous.
(and also: it is common courtesy on the internet to use the terms more people are familiar with if the terms are, for all practical purposes, interchangeable.)
do you need an explanation for what a synonym is too?
jfc, i don’t mean to be rude here, but how is it possible that this needs explaining??
just about ALL of this is common freaking sense???
I’m in the EU and PII definitely IS “a thing” here,
Then let me be more clear: It is not a thing in EU law.
With due respect, the level of intellectual functioning, in this case reading comprehension, you display is incompatible with being an IT professional in any country. If you are not trolling, then you should consult a physician.
PSA: Everything in the above post is wrong.
read the text you copied carefully.
look up the parts you aren’t sure about.
understand what it is you are copy/pasting.
and then make a judgement on what i said.
here’s a handy summary of the GDPR in easy to understand language for you.
please read that carefully before posting more comments about the GDPR…
cheers,
a tired IT drone.
slight mistranslation: apparently, the proper english term is “personally identifiable information” or “PII”.
PII is a concept from US law. It is not a thing in the EU.
At least they choose the utmost ironic username for it.
that they certainly did! lol