Zydrolic
Scratcher
1000+ posts

Make account GDPRing possible in the account settings

EngineerRunner wrote:

(#37)

Zydrolic wrote:

Zydrolic wrote:

(#3)
Under GDPR, the company should use and take all reasonable measures in order to verify the identity of a data subject who requests access, in particular context of services and online identifiers.
Adding onto this because nobody is realizing
pretty sure if you accidentally let through someone in doing GDPR not in the EEA there's a fine, and an even bigger one if intentional.
i've never heard that before. i don't think that's right, as i'm pretty sure the EU doesn't have jurisdiction over what the company lets people who aren't in the EEA do. also, the UK and California have a similar law (with the UK's one even being called the GDPR), so it wouldn't make much sense for the EU to punish them for letting anybody submit a GDPR request.
1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
(…)
(4) Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
(…)
and as an extra bonus from Art. 83(4b)&(4c) (GDPR.) & the entirety of Art. 83(2) (GDPR.)
(b) the obligations of the certification body pursuant to Articles 42 and 43;
(c) the obligations of the monitoring body pursuant to Article 41(4).
(2)
(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
EDIT: also either way it doesn't matter
i quote jvvg from another suggestion:

jvvg wrote:

(#8)
I know from personal experience that the Scratch Team would prefer not to make their GDPR process more prominent than they absolutely have to, so I don't think they'd be too keen on this suggestion.

Last edited by Zydrolic (Oct. 23, 2023 17:08:19)

EngineerRunner
Scratcher
1000+ posts

zydrolic wrote:

-snip-
nothing, in that entire thing, refers to a Right to Be Forgotten request, commonly called a GDPR request. in fact, nothing in there even mentions article 17 “Right to erasure ('right to be forgotten')”.
Zydrolic
Scratcher
1000+ posts

EngineerRunner wrote:

(#42)

zydrolic wrote:

-snip-
nothing, in that entire thing, refers to a Right to Be Forgotten request, commonly called a GDPR request. in fact, nothing in there even mentions article 17 “Right to erasure ('right to be forgotten')”.
It's the general conditions for imposing administrative fines of GDPR violations, and still yet, verification stands by 4b of Art. 83
(b) the obligations of the certification body pursuant to Articles 42 and 43;
EDIT: Also I should've mentioned article 42 & 43 better since they are respectively literally titled “Certification” “Certification bodies”.
EDIT2: corrected myself

Last edited by Zydrolic (Oct. 23, 2023 17:15:01)

yadayadayadagoodbye
Scratcher
1000+ posts

Why not just not call it GDPR and then keep the old GDPR to comply with EU law?
Zydrolic
Scratcher
1000+ posts

yadayadayadagoodbye wrote:

(#44)
Why not just not call it GDPR and then keep the old GDPR to comply with EU law?
well there's still one thing
(note that this is from a different thread)

jvvg wrote:

(#8)
I know from personal experience that the Scratch Team would prefer not to make their GDPR process more prominent than they absolutely have to, so I don't think they'd be too keen on this suggestion.
EngineerRunner
Scratcher
1000+ posts

Zydrolic wrote:

EngineerRunner wrote:

(#42)

zydrolic wrote:

-snip-
nothing, in that entire thing, refers to a Right to Be Forgotten request, commonly called a GDPR request. in fact, nothing in there even mentions article 17 “Right to erasure ('right to be forgotten')”.
It's the general conditions for imposing administrative fines of GDPR violations, and still yet, verification stands by 4b of Art. 83
(b) the obligations of the certification body pursuant to Articles 42 and 43;
EDIT: Also I should've mentioned article 42 & 43 better since they are respectively literally titled “Certification” “Certification bodies”.
EDIT2: corrected myself
as far as I can tell, that is just confirming the person isn't a bad actor pretending to be that person, not EU citizenship. (this is important, as there is also the right to see any data kept)
Zydrolic
Scratcher
1000+ posts

EngineerRunner wrote:

(#46)
as far as I can tell, that is just confirming the person isn't a bad actor pretending to be that person, not EU citizenship. (this is important, as there is also the right to see any data kept)
GDPR applies only to the processing of EU users' data still, it would be illogical if just because someone is from the EU that has their data processed anyone else could use GDPR.
gdfsgdfsgdfg
Scratcher
1000+ posts

Also I almost forgot the last solution:
make this option region locked
PPPDUD
Scratcher
1000+ posts

gdfsgdfsgdfg wrote:

Also I almost forgot the last solution:
make this option region locked
Why? It's easy to bypass using a service like ProxySite and it's pretty evil to region lock stuff that gives users extra privacy.
gdfsgdfsgdfg
Scratcher
1000+ posts

PPPDUD wrote:

Why? It's easy to bypass using a service like ProxySite and it's pretty evil to region lock stuff that gives users extra privacy.
bypass? I mean not everyone has a vpn
so there are going to be less non-eu users going to
gdpr their accounts

Last edited by gdfsgdfsgdfg (Oct. 23, 2023 17:57:24)

PPPDUD
Scratcher
1000+ posts

gdfsgdfsgdfg wrote:

PPPDUD wrote:

Why? It's easy to bypass using a service like ProxySite and it's pretty evil to region lock stuff that gives users extra privacy.
bypass? I mean not everyone has a vpn
so there are going to be less non-eu users going to
gdpr their accounts
Why do you want to restrict users from having basic privacy?
cs3868895
Scratcher
1000+ posts

Wait if this is a border control… Would someone abuse it? This seems like a law and people don't even know what it even is, so they'll just click it wondering what it does-

Pls explain what's gdpring Pls-
Zydrolic
Scratcher
1000+ posts

PPPDUD wrote:

(#52)
Why do you want to restrict users from having basic privacy?
GDPR is an EU Law that affects other places.
If the business/whatever collects data on EU Citizens/Residents, then they should comply.
It'd be illogical if anyone could use it because of other EU Citizen/Residents being on the site; And again #41
That's why.
gdfsgdfsgdfg
Scratcher
1000+ posts

PPPDUD wrote:

Why do you want to restrict users from having basic privacy?
you misread my post
I was saying not everyone uses vpns
so it’s effective against non-eu members
trying to gdpr their accounts
EngineerRunner
Scratcher
1000+ posts

Zydrolic wrote:

EngineerRunner wrote:

(#46)
as far as I can tell, that is just confirming the person isn't a bad actor pretending to be that person, not EU citizenship. (this is important, as there is also the right to see any data kept)
GDPR applies only to the processing of EU users' data still, it would be illogical if just because someone is from the EU that has their data processed anyone else could use GDPR.
yes, but my point is that scratch could let anybody do it.
cs3868895
Scratcher
1000+ posts

Zydrolic wrote:

PPPDUD wrote:

(#52)
Why do you want to restrict users from having basic privacy?
GDPR is an EU Law that affects other places.
If the business/whatever collects data on EU Citizens/Residents, then they should comply.
It'd be illogical if anyone could use it because of other EU Citizen/Residents being on the site; And again #41
That's why.
We probably need an explanation first before kids who are under the age of 10 start compiling not knowing what it does-

Should scratch team be the ones doing it? (not by contact us but by force and if any kid was mistaken they'll have to contact the scratch team or turn it off-)
Zydrolic
Scratcher
1000+ posts

cs3868895 wrote:

(#57)
We probably need an explanation first before kids who are under the age of 10 start compiling not knowing what it does-

Should scratch team be the ones doing it? (not by contact us but by force and if any kid was mistaken they'll have to contact the scratch team or turn it off-)
GDPR follows the ability of editing your info or outright deleting (completely).
You cannot “turn it off” unless there is an identical copy of your data, but outright deletion means there cannot be copies of your data whatsoever.
Zydrolic
Scratcher
1000+ posts

EngineerRunner wrote:

(#56)

Zydrolic wrote:

EngineerRunner wrote:

(#46)
as far as I can tell, that is just confirming the person isn't a bad actor pretending to be that person, not EU citizenship. (this is important, as there is also the right to see any data kept)
GDPR applies only to the processing of EU users' data still, it would be illogical if just because someone is from the EU that has their data processed anyone else could use GDPR.
yes, but my point is that scratch could let anybody do it.
So you're saying I just haven't realized you are using past tense…
Either way:

Right to be Informed wrote:

There is a need for transparency regarding the gathering and use of data in order to allow EU citizens to exercise their right to the protection of personal data.
EDIT: Also even op said

PPPDUD wrote:

(#4)
Technically it is indeed an EU law, but it's extremely hard to ensure that someone is actually an EU citizen, and if the Scratch Foundation fails to GDPR a citizen, they may face severe penalties or be banned legally, so it's best safe than sorry.

Last edited by Zydrolic (Oct. 23, 2023 18:25:22)

EngineerRunner
Scratcher
1000+ posts

Zydrolic wrote:

EngineerRunner wrote:

(#56)

Zydrolic wrote:

EngineerRunner wrote:

(#46)
as far as I can tell, that is just confirming the person isn't a bad actor pretending to be that person, not EU citizenship. (this is important, as there is also the right to see any data kept)
GDPR applies only to the processing of EU users' data still, it would be illogical if just because someone is from the EU that has their data processed anyone else could use GDPR.
yes, but my point is that scratch could let anybody do it.
So you're saying I just haven't realized you are using past tense…
Either way:

Right to be Informed wrote:

There is a need for transparency regarding the gathering and use of data in order to allow EU citizens to exercise their right to the protection of personal data.
i don't think you're understanding my point, so here's a crappy venn diagram:

in letting everybody do it, they are letting EU citizens do it.
Zydrolic
Scratcher
1000+ posts

EngineerRunner wrote:

(#60)
-snip-
so through this entire time
you meant EU residents/citizens.
that makes sense-
