New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Comments
This should be pinned on every page this thread has.
Any update on the FBI thing?
Maybe we could petition @FAT32 to add it as a banner at the top of every page in the thread! He'd probably agree to it if he was allowed to add a fireworks effect every time someone started a reply.
Paragraphs 1 to 4 shall not apply where and insofar as:
the data subject already has the information;
None of the information has changed.
We didn't remove or change any information as Lewis wasn't registered with ICO nor had any info. We just added info.
Also again 30 days.
And again since we don't provide goods or services it doesn't need to be GDPR since it's in US
You have data from UK/EU customers = You need to be GDPR compliant.
Velox Media, where we reject reality, and substitute Our Own™
There are 3 laws involved in this: UK GDPR, PECR, and consumer protection law.
GDPR:
You can transfer the customer information together with the services, but you will have to inform the customers, and give them the option to cancel.
When you are letting services expire in the UK business and offer new services in the new US company, it's not a continuation of service.
It's new processing, for marketing purposes, by a new controller, in a different jurisdiction. That can't usually rely on the original “legitimate interests” justification.
If customers were not explicitly informed that their data would be transferred to a US entity, that entity would independently market to them, and that services might not continue automatically, then this is a breach in itself.
PECR:
Under PECR, electronic marketing (email, SMS, etc.) generally requires prior consent, unless the soft opt-in applies.
But soft opt-in doesn't apply, because the US company is a different legal entity and the original company relationship has ended.
That makes the marketing itself likely unlawful, regardless of the data transfer legality.
Consumer law:
And then there are the consumer laws that make the "cherry picking" of consumers unlawful. B2B isn't protected in the same way.
It could have been done legitimately, but that would have required transferring all customers, contracts, and services, and only then letting them expire or offering new terms through the acquiring company.
And since it's UK/EU customers you will still have to be GDPR compliant in the US company.
I think US has its equivalent law too. So...
The case is logged and available on CISA. They don't really care since not a breach and just network attack. But they have all the logs and approval from us to work with HE and got what they need.
We did find some things and can't really discuss
Says what? Here's the specific law on what needs to be compliant. I don't provide goods or services to them.
Again we are GDPR compliant for our EU customers.
https://gdpr.eu/Recital-23-Applicable-to-processors-not-established-in-the-Union-if-data-subjects-within-the-Union-are-targeted/
I don't know where you are GDPR compliant, have you informed the users that you are the new owner? Have you informed that the Brand is now from the US? I don't see that.
Please cite the cherry picking laws you're referring to.
We aren't the new owner.
Should we take bets on how much longer until we're no longer suspended on here???
What's the complaint going to be then?
Is VPS not a service?
Please cite
Don't make me laugh, who is then?
Do you know that GPT can help sometimes?
Below are the specific legal instruments and provisions that correspond to each point you raised. I’ve grouped them by legal regime and cited the relevant articles / regulations / sections, with short clarifications so the linkage is explicit.
1. UK GDPR (and retained EU GDPR concepts)
a. Transfer of customer data with services; duty to inform and right to object / cancel
UK GDPR Article 13(1)(e) & 13(1)(f)
Obligation to inform data subjects of:
UK GDPR Article 14(1)(f)
Same obligation where data were not obtained directly from the data subject.
UK GDPR Article 21(1)
Right to object to processing based on legitimate interests, including where personal data are transferred as part of a business transaction.
UK GDPR Article 6(1)(f)
Legitimate interests requires a balancing test and transparency; silent transfer to a new controller undermines this basis.
ICO guidance: “Data protection and business sales”
Confirms customers must be informed and given an opportunity to object where appropriate.
b. Expiry of services and offering new services = new processing
UK GDPR Article 6(4)
Further processing must be compatible with the original purpose.
New services by a new legal entity in a new jurisdiction typically fail the compatibility test.
Recital 50 UK GDPR
Further processing for a new purpose requires a separate lawful basis where compatibility does not apply.
c. New controller, new jurisdiction, marketing → legitimate interests usually unavailable
UK GDPR Article 4(7)
Defines controller — a new legal entity is a new controller.
UK GDPR Article 6(1)(f)
Legitimate interests does not apply where data subjects would not reasonably expect the processing.
Recital 47 UK GDPR
Reasonable expectations of the data subject are central to legitimate interests; undisclosed transfer to a US marketer fails this test.
d. Transfer to the US without proper disclosure = breach
UK GDPR Chapter V (Articles 44–49)
International data transfers require:
UK GDPR Article 44
Any transfer to a third country must comply with GDPR principles in addition to transfer mechanisms.
Failure to inform customers that:
→ breaches Articles 13/14, 5(1)(a) (fairness and transparency), and 6.
e. Continued GDPR applicability to UK/EU customers from a US company
UK GDPR Article 3(2)
Extraterritorial scope: applies to non-UK entities offering goods or services to UK data subjects.
EU GDPR Article 3(2) (if EU customers are involved)
Same extraterritorial reach.
2. PECR (Privacy and Electronic Communications Regulations 2003)
a. Consent requirement for electronic marketing
Prohibits unsolicited marketing emails/SMS to individuals unless prior consent is obtained.
b. Soft opt-in and why it fails here
Regulation 22(3) PECR
Soft opt-in applies only where:
A different legal entity = not “the same person”.
Explicitly states soft opt-in cannot be transferred to another company.
c. Marketing unlawful regardless of transfer legality
Even if the data transfer were lawful under UK GDPR, marketing without valid PECR consent is still unlawful.
3. Consumer Protection Law
a. Cherry-picking customers / unfair commercial practices (B2C)
Key provisions:
Selective transfer of “valuable” consumers without transparent disclosure can amount to a misleading omission.
b. Continuity of contracts and services
Consumer Rights Act 2015
Ending services while using customer data to sell replacements through another entity risks breaching these provisions.
c. B2B distinction
(though GDPR and PECR still may, depending on context).
4. How it could have been done lawfully (legal basis)
Your conclusion aligns with:
A full business transfer (customers, contracts, services) followed by lawful variation or expiry would have avoided most of these issues.
If you want, I can:
Again, this says the complete opposite of what you think it says. You really should ask your lawyers to re-read this if you think this absolves you of responsibility. The sole purpose of this section is specifically to make sure it covers cases like this.
And really, as I said before, following the GDPR benefits everyone.
If these people are not your customers, you have no reason to have their data. Why exactly are you fighting so hard to keep their data when they're not your customers?
You clearly don't have any clue what you're even quoting.
This section is describing the scope of the data that you must acknowledge holding when a data subject requests from you a copy of all data you hold about them.
You seriously need to get some decent lawyers.
I really need to laugh, he can't be really serious.

Sounds like he thinks they can transfer the customer data under “processing on behalf of” terms and then use it as their own for whatever they want under US law.
This reflects a common misconception that customer data can be freely repurposed once transferred, regardless of the original legal framework.
We don't provide this. It was already provided by lewis, we just haven't disabled it yet
Have you checked your signature? Don't you provide VPS?
Or you need 30 days to change it as well?
Fucking christmas man, never ends.
This man is an entire joke.
There isn't one. He left. We're a completely new company.
A new company doesn't have an owner? Or should I call it a CEO? Good to know.