Hacker News | lordlarm's comments

Well, I don't think the article argues for employees sitting on needles during their working hours, but rather a push back on the very real and opposite trend where excessively fancy and comfortable offices make employees detached from the actual finances of the business.


This is awesome!

As many others are sharing feedback, I thought I might add some myself: I would like to have better support for changing roles internally within the same company (i.e. promotions etc.) and in this regard having the month available at least as an option would be great. LinkedIn uses the company as a higher level grouping, then the years/months spent in a certain position.

For me to use this regularly I would need some reason to check in; and I guess either building up “company profiles” where I could see people who work in a certain company or indeed an interesting way to find companies and open positions would be great.

I love the “features” section and the focus on adding people you’ve worked closely with.

As you are - it seems - involved in Quip too, I’m cheeky enough to add some feedback on that product: fix notifications (!) - managing and keeping track of them is close to impossible, make it easier to actually discuss at a higher level on a particular document (not per line, and the comments in the sidebar disappear quickly) and lastly please add support for collapsing certain sections of a document :-)


Overall would recommend leveraging the schema from JSONResume (https://jsonresume.org/schema/) that supports all of the above


Thanks for the great feedback! I definitely want to explore a company profiles product - will be interesting trying to make that feel rich enough with only a few companies on board at the beginning.

As for Quip I left in July but I'll be sure to pass the feedback on!


Without any precedent on concrete examples of what is legitimate and what is not, this clause in the GDPR is its biggest weakness.

If a company sells something online they only really need your address & name for delivery + credit card details. Then you could argue it is legitimate to use an email to create an account, fair enough. But without precedent it's so easy to just say 'in order to increase revenue (legitimate interest) we're going to use all emails to send a newsletter, boosting sales'. And then you could use the 'Right to object' in the GDPR as a fallback for your actions.

I know of multiple companies that, prior to GDPR, asked for explicit consent during signup for being allowed to send newsletters, but who post-GDPR dropped the consent and use 'Legitimate interests' to justify it. Basically leaving the individual worse off.


The legitimate interest has been around for a while. It was also a legal basis to process personal data under the 1995 Data Protection Directive which the GDPR replaced. If you are interested in learning more about the notion of legitimate interest and balancing it against the interests of individuals, there is a 2014 opinion from the body of EU data protection regulators that explains the concept with a number of examples. [1]

> If a company sells something online they only really need your address & name for delivery + credit card details.

That would likely be "necessary for the performance of a contract" which is also a legal basis to process personal data. [2]

> I know of multiple companies that, prior to GDPR, asked for explicit consent during signup for being allowed to send newsletters, but who post-GDPR dropped the consent and use 'Legitimate interests' to justify it. Basically leaving the individual worse off.

That could be a violation of the ePrivacy Directive which provides that email marketing requires consent. [3]

[1] https://ec.europa.eu/justice/article-29/documentation/opinio...

[2] See Article 6.1(b) GDPR at https://eur-lex.europa.eu/eli/reg/2016/679/oj

[3] For information about how this rule is implemented in the UK, see: https://ico.org.uk/for-organisations/guide-to-pecr/electroni...


The PECR regulations specifically state that consent is the only basis for electronic marketing. The ICO guidelines also state that legitimate interest is fine for marketing, but not electronic marketing.

Anyone who dropped explicit consent for emails, text messages or phone calls is a fool.


Can you point to explicit guidance for this (legit. interest as insufficient for electronic mktg)? I'd love to see a reference as we're having this discussion internally.


> You are also likely to need consent under ePrivacy laws for most marketing calls or messages, website cookies or other online tracking methods, or to install apps or other software on people’s devices.

source: https://ico.org.uk/media/about-the-ico/consultations/2013551...

You only need consent when legit interests don't apply, so this is basically saying it isn't sufficient.

Also:

(47) … The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

source: https://www.gdpreu.org/the-regulation/key-concepts/legitimat...


Sure. I admit, I simplified things because Hacker News can be a rather hostile environment on this topic. It's not that you can't use consent, it's (as you say) that legitimate interest is insufficient, as most types of electronic marketing require consent, and those where it is possible are made much harder to justify as a long-term strategy.

The PECR section on the ICO website is a good start: https://ico.org.uk/for-organisations/guide-to-pecr/electroni...

Also, the ICO has an FAQ on exactly this at https://ico.org.uk/for-organisations/guide-to-the-general-da... . It is the question "Can we use legitimate interests for our marketing activities?". The whole thing is useful, but the bit below the yellow call-out is specifically about electronic marketing, and says:

"If you intend to process personal data for the purposes of direct marketing by electronic means (by email, text, automated calls etc) legitimate interests may not always be an appropriate basis for processing. This is because the e-privacy laws on electronic marketing – currently the Privacy and Electronic Communications Regulations (PECR) – require that individuals give their consent to some forms of electronic marketing. It is the GDPR standard of consent that applies, because of the effect of Article 94 of the GDPR." There's also a helpful table of possibilities below.

There's still the so-called 'soft opt-in', which is for cases where you're emailing someone that you've recently sold something to (or given a quote to) about a similar product or service and that you've given the explicit choice to refuse communications both when you collected the data and every time you've subsequently used it.

It's certainly possible to use legitimate interest for some forms of electronic marketing, but only in very specific circumstances. To give you an idea of it in practice, one of my clients has a marketplace style site. If you try and book a service but the booking falls through, for example because the service provider is unavailable, they'll email you within a couple of days if you don't look for someone new, pushing some suggestions. Then they'll stop emailing. That's legitimate interest through soft opt-in. They also send emails periodically about new service providers in your area, that is not covered by the soft opt-in so requires consent. Same for their general service newsletters.

There is also a PDF guide at https://ico.org.uk/media/1555/direct-marketing-guidance.pdf which has some good info. The header for the electronic marketing section is "General rule: only with consent", which I think is good advice. As others have said, there are other obligations under GDPR, so even if you can stretch the soft opt-in beyond what was intended, you're likely to run up against hurdles when it comes to the balancing test, or your data minimisation obligations. The soft opt-in is specifically for cases where a member of the public would expect to get communications because of the recent sale or enquiry; as time passes that expectation goes away and it starts to become very hard to justify in a GDPR context.


After sitting in on more legal meetings than I care to recall, this isn't as weak as it sounds.

The big arguments you can make 'Well I need to collect lots of user data for ad targeting because it is a legitimate interest that I make money to support the costs of the site' have already been clarified (you can't without explicit consent).

The data authority in each EU country has some freedom to rule on this as necessary, but the feedback from the EU is that they will err on the side of telling you to justify in strong terms your need for data.


The explicit consent being the pop-ups no one reads, I assume.


No, actually. Even before GDPR, it was illegitimate to use a pre-checked checkbox, or any other process that required opt-out from the user.

This requirement was generally respected. I actually don't remember a single instance of it not being followed by European organisations.


That is exactly the legal advice we received (UK online estate agent). My guess is that so many companies are doing this, it will end up in the UK Supreme Court (post-Brexit). Even if they rule against the companies, there will most likely be a moratorium on those currently failing to comply rather than 1000s of companies being fined.


I forget where I saw it, but I thought this was a good test of whether it is legitimate interest. It went something like:

"Would a 'reasonable' person be surprised if you told them about how you were using the data?"


That scale slides around every day. And 'being surprised' and 'being happy' are very different things also.

I'd prefer to have hard limits. No collecting any info from my computer about me that isn't explicit in the interaction itself (asking for email is ok; scraping installed apps while doing that to gauge my interests is not).


“Reasonable person” tests are pretty common and well-understood in general. One of the reasons that the GDPR in particular avoids being overly prescriptive about how to meet its requirements is to avoid situations where it becomes inapplicable or obsolete due to changes in technology or habits.


In the US, a reasonable person test is meaningless without a body of precedent setting cases.

If the language of a new law uses it with regards to a new technology, then no one can be sure what the courts will decide.

It may be different in the EU, as the legal system is quite different.


It's a valid concern, but I don't think the line is as muddy as it seems at first glance: would I expect a Pyongyang hotel room to be bugged? No. But I also would not assume that it's not. With this construction you get two kinds of being surprised, with one taking all the variability derived from suspicions and the like while the other should remain quite stable. Just like most people were simultaneously surprised and not surprised at all by the Snowden revelations.

Obviously one would have to explicitly exclude from the "reasonable" test the kind of surprise that was not triggered by Snowden, because otherwise all our greatest fears would become legal by definition.


And recording your IP address in the apache log?


That's part of the "balancing test", which is one of the three tests mentioned in the article. It's definitely not sufficient to show your data processing fits the legitimate interest basis.


Technically, they do not need your credit card details. That's transient information that is only relevant at the time of purchase, as it needs to be forwarded to a financial institution to process the payment. Immediately after forwarding, the credit card information becomes entirely irrelevant (the financial institution's clearance or rejection is the ultimate goal here, to enable a transfer of funds).

And technically (at least in terms of "if it comes to litigation") your name is equally irrelevant: there is no reason to store it, there only needs to be an agreement on which label markings the buyer specifies are to be used. While the name is common, any sequence of letters or even emoji would work just fine, as long as the recipient can recognize the shipping label as being "theirs" rather than "we don't know who this package is for".

The only truly required information is the address, without which delivery cannot be made. That information will have to be stored for a longer period of time (as delivery is almost never an in-house affair), at which point it is subject to GDPR.

(But of course, in the real world, people typically consent to their information being stored in a profile locked behind some kind of login. Sometimes, though, once a case goes to trial, the real world becomes less important than the unrealistic ideal one based on requirements imposed by law)


Processing data, even ephemerally, is subject to GDPR. GDPR is not primarily about storage. The fact of the matter, though, is that most ephemerally-processed data is necessary to perform a contract, and thus legal under GDPR.


I suppose the law probably is very easy to game because I remember receiving a letter via regular postal mail from one of the top utilities company in Spain that literally said "to comply with GDPR we will contact you for marketing purposes in _OUR LEGITIMATE INTEREST_. If you do not agree, contact us at this website."

Their turnover is 50B EUR so my understanding is that they earmarked some budget to check with a lawyer to ensure GDPR compliance.

Moral: ensure that your legitimate interest is to sell more and then you are fine.


That's not gaming it, it's a feature. GDPR isn't designed to stop companies contacting you, it's designed to ensure companies have to think through what they're doing and have process for handling objections and problems. You have to do a "balancing check" to document your reasoning for why your legitimate interest is sufficient for what you're proposing to do.


> I know of multiple companies that, prior to GDPR, asked for explicit consent during signup for being allowed to send newsletters, but who post-GDPR dropped the consent and use 'Legitimate interests' to justify it. Basically leaving the individual worse off.

Can you name names? Not saying I don't believe you, it's just that this seems like a pretty nonsensical approach. If companies thought that some pre-GDPR law required them to get consent, then isn't that law still in force post-GDPR?


> in order to increase revenue (legitimate interest)

Legitimate interests represents the legitimate interest of the customer not the company.

Maybe I’m naive, but I assumed that this much would be blatantly obvious.


Advertisement like newsletters can be in the interest of the customer.


you have very little understanding of GDPR and shouldn’t be posting. what you say companies are doing may be true, but it isn’t compliant.


PECR is still in force.


The 'loophole' here would be the definition of 'legitimate interests', where businesses can defend not giving users a choice in many of these matters due to the activity being critical for the service to work or the business to survive.

I.e. Facebook _could_ argue that users would have to have their data collected and analysed, as this would enable them to sell ads which in turn is their core interest.

Another example could be automatic enrollment into newsletters or data collection/analysis with the option to opt out by going to settings. You don't _have_ to give users the explicit consent checkbox during signup if you can defend the activity by it being in your legitimate interests.

This article goes into more detail: https://medium.com/mydata/five-loopholes-in-the-gdpr-367443c...


Somebody on Reddit posted a list of Tumblr's "partners" that they share data with by default: https://i.imgur.com/YCNvEMa.png

I'm finding it difficult to believe that they can come up with a "legitimate interest" for all of those that would also actually hold up in court.


Good lord. I’m glad we’re finally getting the chance to see just how pervasive this problem is.


I think those are just the members of the new IAB consent framework. This is how programmatic ads work, you "partner" with a bunch of ad networks and serve an ad from whichever is paying the most at that moment.


Twitter’s “partners” are the same (you can request a list from your privacy settings)


Google's as well.


Yes, and I think because of that 'legitimate interest' clause companies like Facebook will be allowed to work as usual.

I am not a big Facebook fan, but I understand that their business model relies on selling targeted ads, so they have a 'legitimate interest' to track their users, because otherwise they would have to go out of business - I don't think it should be possible to force someone to radically change their business model because of GDPR.

The interesting part is that GDPR is something that will be enforced at the country level, so each country might have a different interpretation of that clause, and I see that there will be competition among countries as to who will offer the 'better' interpretation from a business perspective.


Actually 'my business model depends on it' isn't a legitimate interest. That clause only applies when the service itself relies on it (a real-time maps service requiring location data, for example).


Kolonial.no | Software Engineer; Dev Ops; Data Scientist; iOS developer | Oslo, Norway | ONSITE http://jobb.kolonial.no/

Kolonial.no are one of the fastest growing startups in Norway, recently valued at ~$180 million after just 3 years of operations. We're enabling users to buy their groceries online and already have thousands of daily customers.

We're unique in that we've built a complete warehouse, logistics, and procurement platform with millions of daily transactions and lots of interesting challenges as automation becomes more important. This has allowed us to scale and adapt quickly to market and business demands.

Our technology stack is primarily Python, Django, PostgreSQL, HAProxy, Salt, Elastic Search, Celery, SCSS and Javascript + React.js where suitable. You can read more about our stack here: https://kolonial.no/om/teknologi/.

Non-exhaustive list of benefits: a competitive salary; autonomy; warm lunch made by our office chef; new offices in central Oslo; and whatever equipment you would like to develop on. Norwegian is not a requirement, but it is preferred if you'd at least like to learn.


Can't get it to work on Firefox due to it trying to load jQuery from code.jquery.com, where the CORS policy disallows it. Specifically:

> Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://code.jquery.com/jquery-1.12.4.min.js. (Reason: CORS header 'Access-Control-Allow-Origin' missing).


oops, fixed!


Looks to be fixed now, jquery loaded from same domain for me.


Norway recently decided [0] it would manually count the votes in the upcoming election (11th of Sep) after it was revealed that the machines responsible for automatic counting were connected to the Internet and full of potential security exploits [1].

Some details on the software (ReadSoft FORMS) and the process (EVA Scanning): https://valg.no/om-valg/om-valg2/maskinell-opptelling-av-val...

Sources (Norwegian only):

[0]: https://www.nrk.no/norge/krever-manuell-stemmetelling-i-alle...

[1]: https://www.nrk.no/norge/teller-opp-stemmer-i-valget-pa-data...


Kolonial.no | Software Engineer; Dev Ops; Data Scientist; iOS developer | Oslo, Norway | ONSITE http://jobb.kolonial.no/

Kolonial.no are one of the fastest growing startups in Norway, recently valued at ~$180 million after just 3 years of operations. We're enabling users to buy their groceries online and already have thousands of daily customers.

We're unique in that we've built a complete warehouse, logistics, and procurement platform with millions of daily transactions and lots of interesting challenges as automation becomes more important. This has allowed us to scale and adapt quickly to market and business demands.

Our technology stack is primarily Python, Django, PostgreSQL, HAProxy, Salt, Elastic Search, Celery, SCSS and Javascript + React.js where suitable. You can read more about our stack here: https://kolonial.no/om/teknologi/.

Non-exhaustive list of benefits: a competitive salary; autonomy; warm lunch made by our office chef; new offices in central Oslo; and whatever equipment you would like to develop on. Norwegian is not a requirement, but it is preferred if you'd at least like to learn.


Hi, do you have an email to contact someone at? All of the job postings and information on the website are in Norwegian and I couldn't find a job email to contact.


Kolonial.no | Software Engineer; Dev Ops; Data Scientist; iOS developer | Oslo, Norway | ONSITE http://jobb.kolonial.no/

Kolonial.no are one of the fastest growing startups in Norway, recently valued at ~$180 million after just 3 years of operations. We're enabling users to buy their groceries online and already have thousands of daily customers.

We're unique in that we've built a complete warehouse, logistics, and procurement platform with millions of daily transactions and lots of interesting challenges as automation becomes more important. This has allowed us to scale and adapt quickly to market and business demands.

Our technology stack is primarily Python, Django, PostgreSQL, HAProxy, Salt, SCSS and Javascript + React.js where suitable. You can read more about our technology stack here: https://kolonial.no/om/teknologi/ (Norwegian only)


Norwegian is required for engineering positions? All the job listings are in Norwegian only.


Did you not read the article? It's from 2010 and written by Lennart Poettering, introducing the basic concepts behind systemd.

