Private messages, notes and such are usually excepted (in the vast majority of cases). Giving out someone else's messages or notes, however...
> This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
You most likely have the right to access messages and notes about your account and person in a CRM, or directly related to it.
On the other hand, you likely do not have the right to get all emails or chat messages even if your name is mentioned, as this is not discovery like in a legal process.
Indeed that's how I read it too. It's also worth noting that GDPR is implemented separately in each country so it can in fact differ quite a lot country to country.
Another case of people thinking that GDPR is a magic word that can make any wish come true.
> I replied with a (not so-friendly) email pointing out that I was entitled to a copy of any messages because they contain my personal data.
Hum, no? You are entitled to a copy of the data that you provided to the data processor. Your messages, your records, even your IP address for the sessions on your devices.
A message that someone mentions you is not your data.
I don’t think that’s correct? Section 39 doesn’t say anything about data you’ve provided, but data that’s collected: the onus is on the data processor to process data in a legitimate way.
I don't believe the "I'm entitled to all messages discussing me because of the GDPR" is correct, though the UK GDPR may be different in a way I don't know about.
It's an interesting take (what is "data" anyway? does it include "the CEO thinks <person> is a dick" if that record is kept on company infrastructure?) but I don't think it'll hold up in court. If the author decides to press the ICO to take action, perhaps we may find out one day.
That said, scraped data about you definitely falls under GDPR protections even if you never provided any data yourself.
Imagine I am on a dating site and want to find out all the people that expressed interest in me. I then go and file a GDPR request, claiming that those mentions of me are "data collected about me" and therefore I am entitled to them.
Someone talking about you, or references about your PII are not PII themselves. To try to claim otherwise is absurd.
Natwest/Coutts gave Nigel Farage internally generated documents about him in response to a subject access request (according to this and my memory of other reports https://news.sky.com/story/key-points-from-coutts-dossier-on... ). It's not something that they would have done unless they had to, and I assume they have competent lawyers, so it does look like you can request copies of email about you.
It looks like internal discussions about someone are within scope of GDPR.
This case is odd. I haven't heard a single lawyer saying that a conversation talking about someone undoubtedly qualifies as protected data, so I'm more inclined to believe that Farage was already in possession of those emails (or made aware of them) and the bank thought that trying to hide them would make things worse?
I don't think you are correct. It doesn't matter who provides the data.
> If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
I was asking for how my data was being processed. An email saying "Please perform action XYZ on this specific user" would, I think, fall under that description.
Just to be clear, getting banned from a slack got you mad enough to spend weeks (?) arguing with some random guy over email about GDPR - all because you desperately need to know what was said about you in a groupchat? And then you write an article about your experience to get sympathy on HN?
> You are entitled to a copy of the data that you provided to the data processor
This is absolute nonsense and there is no such limitation in the GDPR which, if you had even a passing familiarity with it, you would know. Maybe don't ramble about things you don't understand?
In particular, art 14 is:
> Information to be provided where personal data have not been obtained from the data subject
I agree with the question "is Wordpress.org GDPR compliant?", but I think that the scope can be widened: "Is Wordpress.org subject to illegal management?"
EU law is not enforced by what is written, but rather by what the law writers' intention was when they worked on the law. If a person tries to expand the interpretation of a law, then it will be up to them to demonstrate that the expanded interpretation is what was intended.
I could make an argument that any database with my personal information is "personal data" and thus I should have a right to get the whole database sent to me, but I doubt a judge would agree. It would be unlikely to be what the law writers intended.
That seems like a terrible idea for government. “Well actually I meant”, and off went the goalpost into the atmosphere. If a law is so complex that you can’t effectively write it in a locked in medium then the concept of said law is probably flawed.
That's how American law works. The law as written has very little to do with the law as practiced. Everything comes down to how courts interpret the letter of the law as it relates to the messy reality of meatspace.
Writing the law is like writing code. You can attempt to reason through each instruction and apply all sorts of static analysis, but you can't actually be certain it will work until you try to run it in production. The courts are the debugger for legal code. Courts attempt to interpret what the letter of the law means and how it applies to the very specific scenario in front of them.
Consider a law that simply states carrying a sword in public is illegal. Without common law, this rule applies in 100% of scenarios unless explicitly stated otherwise. If a foreign dignitary comes and expects officers with ceremonial swords, they all go to jail. We interpret law because the ideal vacuum universe in which the law was written does not have unforeseen circumstances. A court applies an interpretation to circumstances to come to the judgement that diplomats are allowed to have ceremonial sabers in their entourage.
Think about it some more and ask yourself how a society could function in the long term without the ability to reinterpret law to fit particular circumstances. Every law rigidly applied exactly as written forever into the future. The only option to revise a law is by passing a new one.
Spirit of the law vs. letter of the law. You can't go all-in on the letter of the law because language is imprecise and very contextual, and cannot aptly express the intent behind the law perfectly for all edge cases.
I don't think so. You might be entitled to get the specific row of a database which contained your information. But why would you be entitled to the entire DB?
A full row can have any arbitrary number of columns, and have foreign keys to rows in other tables or itself in any length of chains. Any column could also be a data structure like JSON with an arbitrary number of keys and values. In order to have the full context of how the information relates to the identified individual, an argument can be made that you need the full database.
The other extreme interpretation is that personal data only refers to data that personally identifies someone, and not any information that is related to personal data (in contrast to being related to an identified individual). In the case of an email that would be the email address without the message. In terms of Slack, the personal data of a user would be the username, full name, and email, since those, and not messages, are what relate to identified living individuals.
I just wondered about the following (unrelated) triggered by this:
Am I entitled under GDPR to get the internal writeups on my interview performance when I interviewed at a company? Does it matter whether I am in the EU but interview at a US company?
> Subjective information such as opinions, judgements or estimates can be personal data. Thus, this includes an assessment of creditworthiness of a person or an estimate of work performance by an employer.
> Does it matter whether I am in the EU but interview at a US company?
Yes, in practice. GDPR applies any time that EU/EEA residents' personal data is processed. If the company doesn't operate in the EU/EEA directly, it's likely you are going to have a hard time getting this data, and more likely to not be given this data at all. It's up to you as a resident to formalize a complaint through your regional DPA (Data Protection Authority) in those cases.
I know the last company I worked for had each interviewer interview separately, then had each person write up a few paragraphs of thoughts. Then they were allowed to discuss with each other.
Why do people write ‘Claude thinks’ or ‘ChatGPT says’? It’s literally less reliable than ‘some guy down at the bar said’ or ‘my mother’s cousin’s ex-boyfriend’s cat’s previous owner’s dad thinks.’
Sure, he presents some alternative options, that's all good, but at the end of the day, HN refuses to delete personal data.
One day someone with a bone to pick with HN and large enough pockets will test it in the courts. Until then, we must exercise great caution when commenting on HN.
There doesn't need to be a self-service mechanism, you just need to be able to ask. Skimming the privacy policy indicates you should be able to email `privacy@ycombinator.com` with your request.
The GDPR only applies to personal data (name, ID number, IP address, etc.), not all data in general. Your comments on a forum are generally not personal data.
Personal data also covers political and religious opinions, sexual orientation and anything else that can be grounds for discrimination. GDPR certainly gives you the right to demand deletion of personal data like that.
Under specific circumstances. It could be easily argued that deleting comments would fall under the first example of the link you posted -- unless you're a minor.
The GDPR doesn't require any means to download data though, and it is mainly for PII.
I think it's quite funny he's complaining about someone else's knowledge of GDPR but links to GDPR UK and not GDPR EU, which is what he is really referring to. WordPress, not being a UK entity in any way, would mean it's outside of GDPR UK. And him being a UK citizen and resident would mean he is not covered under GDPR EU.
The author lives in the UK, so the UK GDPR is relevant, not the EU one.
It doesn't matter that WordPress isn't a UK entity. WordPress does do business in the UK so they need to comply with the UK GDPR as well as the EU one. If they don't want to comply with UK laws, they need to stop doing business with UK customers (or provide free services to UK citizens, but enforcing decisions against companies outside of the country's borders is rather difficult).
> It doesn't matter that WordPress isn't a UK entity. WordPress does do business in the UK so they need to comply with the UK GDPR as well as the EU one. If they don't want to comply with UK laws, they need to stop doing business with UK customers (or provide free services to UK citizens, but enforcing decisions against companies outside of the country's borders is rather difficult).
WordPress.org does not do business in the UK. It doesn't do business at all. It has no UK entity. The courts would have no recourse to enforce anything upon WordPress.org. UK Law does not just apply to everyone. UK law applies to businesses operating within the UK.
If you want to test this, go complain to the ICO and they'll tell you that they have no power.
https://gdpr-info.eu/art-2-gdpr/
> The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
https://gdpr-info.eu/art-15-gdpr/
Talk to a lawyer if you are upset.
This is only my non-lawyer opinion.
https://cy.ico.org.uk/for-organisations/uk-gdpr-guidance-and...
This is the case where you are a website, e.g., using "Login via GitHub" and GitHub sent you the user's email address.
What you are asking is for a third party to tell you of any possible instance where your email address is mentioned. This is absurd.
https://gdpr-info.eu/art-14-gdpr/
Please see this very recent verdict by a California district court: https://techcrunch.com/2024/12/10/court-orders-mullenweg-and...
https://en.wikipedia.org/wiki/Common_law
Law is often open to interpretation. Take a look at how most laws are written.
It might say "owning a sword is illegal", but then the courts have to interpret whether the sharpened blade you are carrying meets that definition.
https://gdpr-info.eu/issues/personal-data/
Can I download my data? No.
Can I delete my data*? No.
--
*Yes, GDPR requires the ability to delete data:
https://commission.europa.eu/law/law-topic/data-protection/r...
https://news.ycombinator.com/item?id=23623799
That is why American companies that deal with people in those countries comply with both. Some American websites block traffic from both.
Wordpress.org is IIRC run by Automattic, which receives payments from the UK so there is even a way to enforce fines.
No. WordPress.org is owned and operated by a private American citizen who receives no payments.
Automattic is a separate for-profit organization which does fall under GDPR. WordPress foundation would also fall under GDPR. WordPress.org does not.
Yea, we were all pretty surprised to hear that WordPress.org is a privately owned and operated site.