My understanding is that it would be a GDPR violation if the email were truly unsolicited. In this case, it’s apparently possible to opt out of the emails, albeit in an inconvenient manner, so I’m not sure it count as a violation.
I got the impression that it was impossible to opt out. The only solution offered was to ask the ex-client - a third party - to change the settings. That is not opting out.
If it went to court, I’m not sure what the court would decide. The solution offered was indeed to ask the ex-client to change the settings. The GDPR requires that those controlling personal data must offer a way opting out. What I’m not sure about is whether Heroku would be seen as legally controlling the personal data. Perhaps the ex-client is the one who has this control and who must offer an opt out.
It would be interesting to know if any similar cases have already been judged.
I don't know if Heroku is the data processor or controller in this case, but I think it's the data processor. Let's suppose the ex-client is the data controller. The first thing is to tell the ex-client to change the settings, which doesn't seem to have been the case here.
If the ex-client does not change the settings (eg, perhaps from incompetence), and Heroku know about the issue, then are they obligated as a data processor to inform the ex-client that there is an GDPR violation? That's my reading of the last part of 28.3 GDPR.
And if that violation continues? ... I have no clue.
No idea either of if this relationship is covered under GDPR.
6 comments
[ 3.4 ms ] story [ 25.8 ms ] threadI don't know if Heroku is the data processor or controller in this case, but I think it's the data processor. Let's suppose the ex-client is the data controller. The first thing is to tell the ex-client to change the settings, which doesn't seem to have been the case here.
If the ex-client does not change the settings (eg, perhaps from incompetence), and Heroku know about the issue, then are they obligated as a data processor to inform the ex-client that there is an GDPR violation? That's my reading of the last part of 28.3 GDPR.
And if that violation continues? ... I have no clue.
No idea either of if this relationship is covered under GDPR.