
> You do not understand GDPR. It is a burden even for businesses or non-profits that keep a minimal amount of data and do not trade it. As with all EU regulation it is designed around big business. It actually helps the likes of FB because they are more able to push people into agreeing to let them use their data.

It's not a burden to have to do common sense things. Is it a burden not to leave medical or private or financial data publicly readable, stored on a share everyone can access? Yes, it is, but when you have such data you also have a responsibility to protect it. Since private entities were incapable of that, GDPR tells them how they should do that. Reminder that Americans, who do not have access to protections such as GDPR, have their private information leaked frequently, and abuse is rampant (any random company you interact with selling whatever they can - be it telecoms, services, up to Grindr selling HIV status).

> I disagree. It stops new connectors being introduced (because you will still have to provide USB-C). There is little gain: essentially slightly lower sales of charger cables.

There's an explicit mechanism for the connector to be refreshed periodically, so no, it doesn't.




> It's not a burden to have to do common sense things

It depends on your scale. Suppose I ran a small website that provided news and articles and forums about some small hobby that I am into. Maybe 100 users worldwide. I include articles about European things related to that hobby, written specifically to better serve the European visitors to my site.

The only personal information I store is IP addresses in my Apache logs.

Such a site could be run for less than $100/year in hosting costs.

If my processing of personal information counts as "occasional" then as far as I can tell GDPR imposes no burden on me, other than having to deal with it when someone requests that I remove their personal information.

If my processing does not count as "occasional" then under Article 27 I would need to appoint a representative in the Union that people and regulators could contact when they have GDPR related matters involving me.

There are companies that provide "in-Union GDPR representative as a service" but the least expensive I've seen is around €100. If I had to use such a service I'd be at least doubling my costs which would probably push the costs past what I'd be willing to do for a hobby site that is not monetized.

Would my processing be "occasional"? The recital for Article 27 doesn't provide any guidance on what "occasional" means.

On the one hand one might argue that a low traffic site is almost by definition "occasional" in everything it does. On the other hand one might argue that my site is processing IP addresses on every single request it processes and that something that happens 100% of the time surely can't be "occasional".

At some point this issue will arise and the GDPR regulators in some member state will issue a ruling that clarifies it, and if we are lucky no other member state's regulators will issue a ruling that goes the other way.

Even if it is eventually decided that processing such as mine is definitely "occasional" the fact that I have to think about it in the first place is somewhat burdensome.


Surely the basis for the processing matters? If you're storing IP addresses in your access logs, you're presumably doing this for security reasons? And presumably you periodically purge old data? If so, that's a legitimate interest, no consent required.


It's not a consent problem. Even if you have consent, or some other legal justification for what you are doing with user data, users need to contact you if they want to exercise some of their GDPR rights such as the right to have their data deleted.

Article 27 is about requiring that you at least support one specific method of contact: a representative in the Union. It applies if your site is covered by GDPR and is not in the Union.

There's an exception for sites whose processing of personal data is occasional, does not include certain particularly sensitive kinds of data (e.g., genetic data, health data, criminal conviction records), and is unlikely to pose a risk to the rights and freedoms of natural persons.

There's some commentary here [1] about Article 27. It says that

> The aim of Article 27 GDPR is to ensure that the level of protection afforded to EU-based data subjects is not reduced where non-EU based controllers or processors process their data. It aims to both provide a contact point for data subjects and ensure that there is legal accountability for processing activities by mandating the appointment of a representative.

I see that page also has something to say about what "occasional" means:

> The term "occasional" has been interpreted by the WP29 to mean processing that is not carried out regularly and that falls outside of the scope of the regular activities of the controller or processor. Similarly, Millard and Kamarinou have interpreted the term "occasional" to mean "non-systematic" processing, or in other words, processing that happens on an ad hoc and infrequent basis and not in a regular way

It sounds like automatically logging all visits to your web server in the Apache logs would not be "occasional".

[1] https://gdprhub.eu/Article_27_GDPR



