"its core activities involve processing of sensitive data on a large scale ---> OR <--- involve large scale, regular and systematic monitoring of individuals"
Any analytics provider is fundamentally doing "large scale, regular and systematic monitoring of individuals".
I was hoping to find something like this mentioned in here. I’ve worked on a tracking tool that I don’t think does tracking of “individuals”. Instead I’m collecting stats about the site and impressions on its pages. It’s actually very, very simple. I am not tracking visitors and I don’t log IP addresses. It doesn’t set any cookies or anything else in the browser.
I built this to track my own sites but I am curious if anyone else cares. I created a landing page to see if there’s any interest.
The product is working on a few sites of my own and is hosted on a raspberry pi in my home office. I’d need to do some work to make it available for others, but I don’t want to invest more into it unless there’s any interest.
Yes, you are right that there is another part of the definition about large scale, regular and "systematic monitoring" of individuals. Apologies for not including that in the answer above.
Quoting from WP 243 Annex provided by the EU:
"The notion of regular and systematic monitoring of data subjects is not defined in the GDPR, but clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. However, the notion of monitoring is not restricted to the online environment."
2. We agree it is not GDPR compliant to transmit IP address data to the US. This is why we salt and hash all PII data so no IP address data is sent to the US. Please see our data policy.
Can you share more detail on this? On this page[1], I see this:
hash(pepper(salt(ip address + user agent data))) = anonymized hashed data
Both the IPv4 space and typical user agent possibilities are pretty small, so it feels like you could easily de-anonymize it when you want to. That is, assuming the "salt" and "pepper" are stored somewhere. I assume you do store them, otherwise it's not helpful to identify repeat visits.
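To make the point in the comment above concrete, here is an added example (my own code, not Beam's, and not taken from their data policy). It models the formula hash(pepper(salt(ip address + user agent data))) under one assumed reading: the salt is prepended to the input and the pepper is used as an HMAC-SHA256 key. The salt, pepper, user agents and IP addresses are all constructed values. Whoever holds the stored salt and pepper can enumerate candidate (IP, user agent) pairs and recompute the hash until it matches; the search is limited to a /24 here so it runs in well under a second, but the full IPv4 space is only 2^32 addresses per user agent, which is a single-machine job. The second half shows the contrast: if the salt is a random per-day value that is discarded rather than stored, the same brute force finds nothing, at the cost of not being able to recognise repeat visits across days.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed stand-ins for the provider's stored secrets (assumed values, not from the page).
SALT = b"constructed-salt"
PEPPER = b"constructed-pepper-kept-server-side"

# Constructed sample of common user agents. Real UA diversity is larger, but the
# popular strings cover most traffic, so the candidate set stays small.
USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148",
]


def visitor_id(ip, user_agent, salt=SALT, pepper=PEPPER):
    """One assumed reading of hash(pepper(salt(ip + ua))):
    salt prepended to the input, pepper used as the HMAC key."""
    msg = salt + ip.encode() + b"|" + user_agent.encode()
    return hmac.new(pepper, msg, hashlib.sha256).hexdigest()


def recover(target, network, user_agents=USER_AGENTS, salt=SALT, pepper=PEPPER):
    """Brute force available to anyone holding salt and pepper: recompute the id
    for every address in `network` x every user agent until one matches.
    Returns (ip, user_agent) on a hit, None otherwise."""
    net = ipaddress.ip_network(network)
    for ua in user_agents:
        for i in range(net.num_addresses):
            ip = str(net[i])
            if hmac.compare_digest(visitor_id(ip, ua, salt, pepper), target):
                return ip, ua
    return None


def rotating_visitor_id(ip, user_agent, day_salt):
    """Same construction, but with a random per-day salt that is never written
    to storage. Once the day's salt is gone the id cannot be recomputed."""
    return visitor_id(ip, user_agent, salt=day_salt)


def demo():
    ua = USER_AGENTS[1]
    # Stored salt + pepper: the "anonymized" id is reversed by enumeration.
    stored = visitor_id("203.0.113.77", ua)
    found = recover(stored, "203.0.113.0/24")
    # Discarded per-day salt: the same enumeration fails.
    day_salt = secrets.token_bytes(16)
    rotated = rotating_visitor_id("203.0.113.77", ua, day_salt)
    del day_salt  # simulate the salt being thrown away at end of day
    missed = recover(rotated, "203.0.113.0/24")
    return found, missed


if __name__ == "__main__":
    found, missed = demo()
    print("recovered with stored secrets:", found)
    print("recovered with discarded salt:", missed)
```

The search cost scales with the candidate space, not with the hash: salting and peppering stop precomputed tables, but they do not help when the enumerator is the party that holds the secrets, and the input space here is tiny compared with a password space.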
IANAL but as I understand it there is, currently, no way to legally use a service for personal data handling that falls under the US CLOUD Act.
In theory Amazon could license their brand and software to an independent (!) European company to offer an EU-AWS.
Basically if an American judge/agency can order Amazon to hand over European private data and they have the ability to comply without involving a European court the service is not GDPR compliant.
Now in practice this isn't how things are done but to the best of my knowledge the law hasn't changed (yet) and national DPAs are starting to tighten the screws (slowly).
If I recall correctly there are EU-US talks to create Privacy Shield #3.
I suspect the UK is planning a number of changes that may change this, so even though I'm British, for the avoidance of doubt I prefer companies actually hosted in the EU and that will agree to conduct business in Europe (and thus under EU courts, rather than GB ones).
> 3. On the Data Protection Officer, I think one is only needed if sensitive data on a large scale is processed.
1. We are incorporated in the UK. I could be wrong but I think the European Commission did indicate that the UK was an Adequate Country?
https://commission.europa.eu/law/law-topic/data-protection/i...
2. For the details that our privacy policy lacks, I think they can be found in our Data Policy. Any further issues, please let us know.
https://beamanalytics.io/data
3. On the Data Protection Officer, I think one is only needed if sensitive data on a large scale is processed.
https://commission.europa.eu/law/law-topic/data-protection/r...
The definition of sensitive data can be found on this EU site and Beam does not process any of this type of data.
https://commission.europa.eu/law/law-topic/data-protection/r...