
Comments
And again, this doesn't matter. Great, people should file a chargeback, but they have no obligation to tell you anything. They're not YOUR customer. As you keep telling us.
@VeloxMedia said:
Definitely not true. You keep on thinking that you only have to be GDPR compliant in the EU for people that are customers in your eyes.
No you don't. You have to be GDPR compliant if you handle personal data. Whether those people paid you and are considered customers or not. Whether they have a contract with you or not. You have the data, you should be GDPR compliant. And the person who you have data from should be informed that you have the data and what you are doing with it.
But that’s not the way it works - it’s Christmas
It isn't required for 30 days and hasn't been 30 days.
Also we aren't certain it's required because we only need to notify customers of this and we aren't planning on converting them into customers until they renew their agreement or purchase services, which then invoice satisfies this. Until then we're not delivering any services or anything.
It's not a handover and the terms are vague. We're still waiting on our outside counsel to confirm all of this just to be certain we're in the clear.
GDPR doesn't apply to US data.
You are still a data processor under GDPR according to 4.2 - regardless of whether they are your customers or not.
So do you have that data processing agreement with Lewis?
Yes a NDA does prohibit this.
And 4.2 doesn't say anything about being required to store data for a period of time like you suggested.
"If we possibly have your data" WTF???
You have Lewis's entire WHMCS database. All of that is PII data.
You have all of the users actual data because otherwise you couldn't be providing the service.
AND NONE OF THAT GIVES YOU ANY RIGHT TO IT
Not only no obligation, you have no right to access it.
Same, same.
You are changing your story again. You've said before that you don't plan on informing the customers because you don't see the need for it.
You have their data. So you are obliged to inform. It's one of the basics of GDPR; if your "legal team" doesn't understand this, they're as useful as a legal team as my mother is. And she's been dead for quite a while now.
No, it's not vague and it is a handover. A handover is when someone else, not acting as the initial person/company, owns/processes the personal data.
And either you are another company or you are Lewis. In the latter case, please admit now and we can go on. If not: there was a handover of data.
Please stop lying. It is not fraud for people not to inform you. You aren't party to the transaction or the chargeback.
No that’s not the way it works. In any case, you’re likely in breach of that NDA anyway with your previous disclosures on this thread around the nature of your agreement.
4.2 says storage is processing - timeframe is irrelevant. By taking over the live systems you are storing PII - and hence a data processor under GDPR. Your turn - find me something that says you’re not a processor. Surely your large legal team can do that?
Same story for over 70 pages now. 30 days is the rule and it hasn't been close to 30 days.
We're still working the details and waiting on the response from everyone on what to do. This only applies to EU users anyways.
Right. So, this is your final position? That none of Lewis' customers are your customers?
You have zero right to store Lewis' customers data or run their services. You are violating your responsibility to protect data privacy by doing so, and failing to abide with government regulations.
It's that simple.
Is that your final position? That you intend to continue retaining data you have no authorisation to hold?
And that is exactly why the GDPR exists - to give individuals the ability to choose which companies to deal with and willingly give consent to them to use their data for purposes they are fully informed about.
The EU values individuals' rights above corporations. Corporations can use that data and make their billions, but only if the individuals consent to it.
Yes it is because otherwise they'll continue to receive service which is fraud. The problem is we're not a party to the transaction or the chargeback so must be notified.
Why are you making such a big deal of this? Pop a ticket and we delete the data. Problem solved.
Wrong. If you have received data that you have no business justification to keep and no consent from the individuals, then you are breaking the GDPR regulations.
You are not compliant.
I'm glad you actually admitted this.
Word.
Correct, none of Lewis's customers are ours. But we have authorization to the data.
No that's not how the law works.
If you bought a bus, it doesn't come with all the personal information and data of the previous passengers.
You are not.
Lewis seems to be no longer keeping any of our data. If that's the case, he's not violating our privacy.
Ok, the only way you can have authorisation under GDPR would be a data processing agreement. So why do you keep saying you’re not a processor?
The entire premise that the data hasn't been classified as GDPR since it's US data and "the processing activities are related to offering goods or services to such data subjects" does not apply as we're not offering goods or services to them. (Recital 23)
Maybe you should get on your hotline with the legal team and get them to read up on the law and then inform you of the law.
If you didn't agree to taking the data and don't want to keep the data, there is a very simple remedy to that.
Yeah, Lewis was breaking the GDPR regulations.
The issue we are concerned about is YOUR violations.
Someone else breaking the GDPR regulations does not make it acceptable for you to continue to do so, especially when people have noticed and are informing you of those violations.
They are Lewis’ customers, Lewis is a UK sole-trader, and thus subject to GDPR and considered the data controller.
You are a data processor under GDPR and therefore it applies to you regardless of where you’re located.
It’s not your data - how could it then be US data?
Interesting, as our legal team seems to agree that we're handling it fine and so does outside counsel who's liable for any issues. So I guess we'll see what happens.
You just don't understand the law and we aren't happy with what you are doing to us.
We are upset with Lewis. We are also upset with you.
Clearly a lie - no outside counsel is ever liable.
Yeah, I'm very suspicious of this other company. They are apparently a $5.6m a year company that specialises in paper. It's not owned by Eric.
I have no idea what they'd be doing pissing around with buying some exit-scam of a business from some dude in another country, that they knew to be losing money, and then having someone pretend to be the business owner with the backing of a legal team, but with all the business sense of a teenager.
Literally the only reason "Eric" has given us for this acquisition was some bullshit about vmware and solus. If they genuinely had all these VMware instances and wanted to migrate them to KVM, it'd be far cheaper just to get their vast IT department to spend a couple of days learning how to do it, rather than buying some shitty not-even-a-company.
They're not Lewis's customers anymore; they were his. I keep saying this. He's not a data controller, never registered.
Whose data is it?
How is it not US data?
Again the key here is we must be offering goods or services to people in EU which we are not. This is a MUST to even talk about GDPR as a US company.
No one has an agreement or anything with us; if they do, then they are GDPR compliant with us in a separate system and properly tagged if EU.
Are you in the US? This is the whole reason for hiring outside counsel. They stamp their guarantees on things so we can ensure liability. I'm assuming you don't do a lot of commercial contract law.
This shows that you fundamentally don't understand the law.
You are both responsible for ensuring that you each protect every individual's PII. You can't just misuse someone's PII just because you obtained it via someone else's violation.
You can't "transfer" the responsibility. You both have the responsibility by virtue of holding that data.