If you remove "anything that you could conceivably use" to identify a user from the data, is it exception to GDPR?
What if you store only unidentifiable data and enforce pseudonymity? There would be still ways to connect data to a person using forensic techniques like text analysis, but that would be hard.
So, if I understand this right, a dating website cannot ask you your sexual orientation, hobbies, religion, or really anything that might be useful in finding a match. Am I missing something? Can personal health forums not exist for EU residents, since it's not "legally required" to collect health information from forum participants? Either I'm not getting this, or it's insane.
From what I understand, a website can ask you for anything but they need to explicitly get consent (unlike say cookies policies) and they need to inform the user what the data is used for.
In your dating example, the user agrees the company can use the data to get a match. The company can't use the data for other purposes.
Well, that's not what Article 9 says, at least according to this source.
"Unless required by some other law (employment or real estate) – don’t collect any data about race, politics, religion, union status, health data, sex life or sexual orientation."
7 comments
[ 2.9 ms ] story [ 24.5 ms ] threadWhat if you store only unidentifiable data and enforce pseudonymity? There would be still ways to connect data to a person using forensic techniques like text analysis, but that would be hard.
Was the person who removed the PII acting in good faith and to the best of their ability?
In your dating example, the user agrees the company can use the data to get a match. The company can't use the data for other purposes.
"Unless required by some other law (employment or real estate) – don’t collect any data about race, politics, religion, union status, health data, sex life or sexual orientation."
In the real world, those collecting this data are in fact generally misusing it or storing it insecurely.