
GDPR (Hornby)


The Lurker

Is it just me or have other people received a GDPR e-mail from Hornby which invites them to "click 'Yes' below to keep receiving Hornby newsletters..." only to find there is no Yes to click?

 

I have contacted Hornby about this.

I got a zonking great box on the page marked "Yes Keep Me Updated"

Like so:

 

[Screenshot: the "Yes Keep Me Updated" box on the Hornby page]

 

Keith


Is it just me or have other people received a GDPR e-mail from Hornby which invites them to "click 'Yes' below to keep receiving Hornby newsletters..." only to find there is no Yes to click?

 

I have contacted Hornby about this.

 

I had identical e-mails from Airfix, Corgi and Hornby; clicked on Yes, whereupon the first two responded with 'This site is unavailable', and Hornby with some computerese gobbledegook about the system being used, which was meaningless to me. I gave up.


According to TV news most of these are unnecessary: if you opened an account yourself, and as long as the company's system complies with the new rules, nothing needs to be done.

You are deemed to have already given permission.

 

The primary aim is to stop unsolicited contacts from those you have not explicitly given permission to and also to stop companies passing your details around to outside firms.

 

I have had several that have just notified me of the change in the law and to go to my account if I want to change anything.

 

Keith


My understanding from lawyer friends is that, as stated above, at most an email about updated privacy is required with a 'you don't have to do anything'. By asking people to affirm that they want to continue, companies and organisations are going to lose much of their marketing database (on the basis that people normally ignore such emails, and in the current flood they will be even more tempted to press 'delete'). Sadly many charities have contacted me with the latter approach, and they will suffer as a result.


I did receive one, but there was no link to click on, so I rang Hornby. They explained what to do, and on going to the top of the page, there was a box, Open In Browser. So I did that, and it worked. The box to click on was there. So I clicked on it, and a new tab opened up saying I had been successful. So, hopefully, that is it. It’s quite a carry on though, and I can understand many losing their account with Hornby.

 

Regards,

 

Rob.


My understanding from lawyer friends is that, as stated above, at most an email about updated privacy is required with a 'you don't have to do anything'. By asking people to affirm that they want to continue, companies and organisations are going to lose much of their marketing database (on the basis that people normally ignore such emails, and in the current flood they will be even more tempted to press 'delete'). Sadly many charities have contacted me with the latter approach, and they will suffer as a result.

Not just the charities, I can see a LOT of our smaller societies* deleting half their membership unnecessarily 'cos they don't understand the complexities of legislation which was blatantly NOT written with them in mind... Simply put, if you are the Hon. Membership Secretary of one of the Line Societies - or whatever - you have a 'legitimate interest' in retaining your members' data in order for your organisation to function. Yes, tell your members what you use that data for and publish a Policy Document - but don't take rash actions you're going to regret!

 

* whether railway or other


According to TV news most of these are unnecessary: if you opened an account yourself, and as long as the company's system complies with the new rules, nothing needs to be done.

You are deemed to have already given permission.

 

Just for clarity: you can't be "deemed" to have given permission.  GDPR Recital 32 states that:

 

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

 

Article 7 section (1) of the regulation states that:

 

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

 

What this means is that if the data controller (which would be Hornby, in the case of the OP) has previously obtained consent but cannot demonstrate it, i.e. provide evidence of your consent, then they have to ask for it again.  Simply having your name on a list of "people who have consented" isn't sufficient: they need to be able to evidence receipt of your consent, e.g. by keeping a copy of the e-mail from you, or a record from the web server of the checkbox having been ticked on a web page.  (My company is using an online survey tool to gather and record consents.)

 

Equally, if they have been operating up to now on the basis of assumed consent - sometimes called "soft opt-in", which includes things like pre-ticked consent boxes, or statements along the lines of "by continuing to use this site you are agreeing to these terms" - then they now have to obtain explicit consent per Recital 32.

 

Note also that consent has to be given freely: if the terms are "consent or you won't get xxx benefit" then that's non-compliant.  Any consent thus obtained is not valid and cannot be used as the "lawful basis for processing".

 

There are other lawful bases for processing which do not require consent, such as to satisfy the performance of a contract, or what is called "legitimate interest" (to use which the data controller must be able to demonstrate that they have carried out an assessment of the balance between their legitimate interest vs possible impacts on the data subjects' rights and freedoms - a bit like a risk assessment in the H&S sphere).  Too many people seem to think that consent is a magic bullet which means they don't have to think about difficult things like legitimate interest assessments (which are actually pretty straightforward*), while overlooking the downsides to consent-based processing (not least the administrative & operational overhead involved in obtaining and recording it).

 

* Again, the similarities to H&S regulations are not accidental, and most mature organisations should already be doing this kind of stuff as a matter of good business practice.  Which is the real meaning of the often wheeled-out old saying "Rules are for the guidance of wise men and the obedience of fools" - i.e. if you know what you're doing then none of this should be a surprise, but if you don't then stick to the rules and you should be OK.  "Fool" in this case having its OED meaning: "A person who acts unwisely or imprudently" - which is not the same as an idiot.  (I say it's an old saying but it's unclear exactly how old.  Some attribute it to Douglas Bader, although the author of 'Reach for the Sky' [the book, not the film screenplay] cited WWI RFC fighter ace Harry Day as the source.  However, it's also attributed to Solon of Athens, who died in 558 or 559 BCE.)

 

The primary aim is to stop unsolicited contacts from those you have not explicitly given permission to and also to stop companies passing your details around to outside firms.

 

They can pass your details to third parties provided that they have told you that they are going to do that in their privacy notice (which is one reason why it's worth reading the things).

 

Any third party that obtains your personal data from another data controller rather than directly from you has to send you their own privacy notice, and tell you where they got your data from (GDPR Article 14).  It should no longer be the case that you get e-mails from random companies with no idea how they got your e-mail address.

 

One of the major aims of GDPR is to give data subjects (ie us) more rights to control what companies like Google, Facebook & Twitter do with the information that they gather from us without our clear knowledge or active participation (eg, off the top of my head: gathering personal data about you and your contacts, to be used for targeted political campaigns, under the guise of an online "personality quiz").  Tracking, monitoring and profiling of online activity was barely thought of when the previous directive was written in the 1990s.  It's everywhere now and, up until today, there was no effective regulation of such activities.  Those companies make billions out of activities which were previously barely regulated, if at all.  That's the main reason why the sanctions regime under GDPR is so much more severe: up to €20 million or 4% of total worldwide turnover in the preceding financial year, whichever is the higher (GDPR Article 83).  By my calculation that would be $1.6 billion for Facebook, based on their 2017 turnover (although, given that their revenues increased by $13 billion over 2016, they would likely still regard that as not much more than a bump in the road; put it this way, if they'd had to pay a fine like that in 2017 their profits would still have grown by more than 40% cf 2016).

Edited by ejstubbs

Not just the charities, I can see a LOT of our smaller societies* deleting half their membership unnecessarily 'cos they don't understand the complexities of legislation which was blatantly NOT written with them in mind... Simply put, if you are the Hon. Membership Secretary of one of the Line Societies - or whatever - you have a 'legitimate interest' in retaining your members' data in order for your organisation to function. Yes, tell your members what you use that data for and publish a Policy Document - but don't take rash actions you're going to regret!

 

* whether railway or other

 

 

Already there and complying.

 

It's actually not a bad bit of legislation. I've noticed over the last few years a reluctance for people to divulge more than is necessary, and this just brings it into line with current thinking about not giving too much information.  What the new act does do is enforce the right to be forgotten: if you should decide not to renew then all your details have to be deleted (allowing a period of time for gift aid etc).


What the new act does do is enforce the right to be forgotten: if you should decide not to renew then all your details have to be deleted (allowing a period of time for gift aid etc).

 

That's two different things.  You have the right to request that a data controller erases your personal data (the "right to be forgotten") at any time (though there are conditions under which the request can be declined, e.g. if the data controller is legally obliged to keep such records).  That is new under GDPR.  Unless claiming an exemption, the data controller has to comply with the request within one month.

 

Storage limitation was a core principle under the DPA as well.  That's the one that says you can't keep personal data for longer than is necessary for the purposes for which the personal data are processed (which, again, may depend on other conditions such as the legal requirement to retain financial records for seven years).  The retention period of the personal data (or the criteria by which the retention period is calculated, e.g. "twelve months after we last hear from you") must be documented in the privacy notice issued by the data controller when they first obtain your personal data.


One of the benefits of this avalanche of GDPR emails is that I find out what I have enlisted myself to in the past either by design or default.

 

From such emails I have binned myself from very many of them.

 

As the webmaster of my old boys' association site I have had to gain a decent understanding of the regs in order to decide how best to comply with our site. Fairly simple, as we are an open site with no login, no cookies, no on-line data gathering, etc. As stated above by someone, we only retain data (simple contact details) that folk have given us written permission to use, usually by email, held on record by our data controller, as he has now been promoted to.

 

All in all a bit of a pest, but presumed necessary.

 

Rob


Our HR department isn't relying on consent for employees, either current or ex.  For current employees the lawful basis of processing an employee's personal data is clearly contract, since one is in place.  For ex-employees it's a combination of legal requirement (e.g. financial records having to be retained for seven years) and legitimate interest (in particular, retaining records of employment until after the period within which the ex-employee can raise a case with an employment tribunal - I can't remember what that period is, but HR know!)  After those periods have expired then the GDPR principle of storage limitation* applies, and we have to get rid.

 

I can't really see why any other company's HR department should need to be much different.

 

* Which was also part of the 1998 DPA, so it's not new - although far too many companies have been extremely lax about complying with it up to now.  The more severe sanctions regime under GDPR is making everyone sit up and take notice, if not actual action...


GDPR is like the email version of the Telephone Preference Service, useless and not worth the paper it is printed on.

 

If anyone thinks this new legislation will change anything, think again as the spam senders and con artists won't take a bit of notice and carry on spamming regardless.


I got the e-mail and was able to click yes even though I live in the US. Here's hoping the rules of EU GDPR will become the global standard.


Apparently complaints have already been filed against Google, Facebook and WhatsApp based on them requiring opt in to targeted advertising to access services.


GDPR is like the email version of the Telephone Preference Service, useless and not worth the paper it is printed on.

 

If anyone thinks this new legislation will change anything, think again as the spam senders and con artists won't take a bit of notice and carry on spamming regardless.

 

^^ This, absolutely. I'm still getting spam from sources I have not signed up to. I have always been very careful to look out for double-negative opt-out tickboxes and other such tricks, yet someone has sold my info (luckily on a throwaway account, not my main email).


^^ This, absolutely. I'm still getting spam from sources I have not signed up to. I have always been very careful to look out for double-negative opt-out tickboxes and other such tricks, yet someone has sold my info (luckily on a throwaway account, not my main email).

 

If this upsets you, lodge a complaint with the ICO: https://ico.org.uk/make-a-complaint/. I would first check whether the unwanted e-mails have an unsubscribe link: if not then that's pretty much illegal in itself (GDPR Article 7 section 3, amongst other things).

 

The ICO won't take action unless someone points out a suspected breach of the law.  (Would you expect the police to know that your house has been broken into without you telling them?)  The potential financial penalties available to the ICO under GDPR are quite sufficient to put the Del Boy chancers out of business.

 

Or we could just not bother making any laws at all, because they clearly never stop anyone from doing anything wrong...

Edited by ejstubbs

If this upsets you, lodge a complaint with the ICO: https://ico.org.uk/make-a-complaint/. I would first check whether the unwanted e-mails have an unsubscribe link: if not then that's pretty much illegal in itself (GDPR Article 7 section 3, amongst other things).

 

The ICO won't take action unless someone points out a suspected breach of the law.  (Would you expect the police to know that your house has been broken into without you telling them?)  The potential financial penalties available to the ICO under GDPR are quite sufficient to put the Del Boy chancers out of business.

 

Or we could just not bother making any laws at all, because they clearly never stop anyone from doing anything wrong...

 

It doesn't upset me, it was an observation. I know what unsubscribe links are for but as these hit my Junk folder anyhow, it really doesn't matter to me.

 

The ICO won't give a monkey's about these as, like most spam, they originate from outside the UK.


GDPR is like the email version of the Telephone Preference Service, useless and not worth the paper it is printed on.

 

If anyone thinks this new legislation will change anything, think again as the spam senders and con artists won't take a bit of notice and carry on spamming regardless.

 

I disagree. Identifiable legal entities will be very careful; most unwanted email spam tends to have originated from quite legitimate companies passing on or selling on your data, e.g. Wi-Fi hotspot sign-ups for example. GDPR will curb this. Will it fix everything? No. But it's a start.
