|The real value of GDPR||Hungary: 2022-02-14 17:41|
Imagine all the people.
Imagine all those work hours.
Imagine all those billions of chopped trees, those billions of sheets of papers, those billions of cubic metres of ink, those billions of terabyte storage — all and which was justified by GDPR.
Imagine all the travelled keypress distances of the keyboards — we could have reached beyond the Milky Way.
During the course of March 2020, I was thinking to buy a new motorized vehicle. This vehicle was naturally a motorbike.Humoresque but real: even after all those years, I was longing for a motorcycle and not a car.
That's how it is, motorcycles have stolen the little part of my big heart, the big part of my little heart.
Sorting out the questions of installments, a leasing company and a contract came into light on the way, which short story short, through their requirements, over extra expenses ultimately made me thinking that I will have to give up my kidneys as well.
Ultimately they were open to write the contract only if — since I told them, I-oh-my will dare to venture into foreign countries with a motorcycle born for touring — one another (maybe two) witness will also be included, should I not pay the payful or would disappear with the bike into the mist of the untraceable.
Long story short: I chose not to agree with this anymore, thus the story closed.
I have no personal beef with the leasing company. It's clear that when they mostly deal with fleets of the companies, and generate their revenue through that, then a private person's leasing interest is more like an administrative hassle, a risk for years and not peanuts dipped in honey. They surely have their business model, they stick to those.
So, after all one could imagine that the story ended here. Few months later I sent them a message, because during the transaction they got to know absolutely — I repeat, absolutely — all my personal data, so I asked them to please be so kind and delete my personal bits from their system.
This was confirmed by the Data Protection Officer, with a scented PDF.
Years went by, on the 15th of December 2021 my inbox received a spam from this leasing company. You don't have to be too inteligent to put the frames together, the company still knows at least my email-address. One more email round, of which I learned three new things:
- that wasn't a spam, that was aninstructional operative message. Well, you could say that. Jack the surgeon was trying to save lives.
- they understood the removal request as I don't wish to receive marketing-nature emails
The third is the climax: according to the PTK 56. § 2. section (it's a Hungarian law in-place), they did not delete my personal data. The section and paragraph phrases this below meaning, with words by not as the observable generic sense, but also of the given diagonally parallel extended and not counter-processed, in the way to appended practical that to an as-of understandable definition, straight ahead in 180 degrees:A szolgáltató az e törvényben, valamint az annak felhatalmazásán alapuló jogszabályban foglalt kötelezettség teljesítése során birtokába jutott személyes adatokat az üzleti kapcsolat megszűnésétől, illetve az ügyleti megbízás teljesítésétől számított nyolc évig jogosult kezelni.The service provider by this law and based on its authoritative extended permissions, all the personal data to know until the end of the business relationship, also with the fulfillment of the matter is permitted to handle for eight years.
In English:the company is allowed to process the personal data for 8 more years, even if you only walked in front of their office.
Do you know what came into my mind? Exactly the same what you're also thinking now.
But dear oh dear, here we have the flaming sword.
Data Protection Officers stand firm and caring, blooming like colourful roses on sun-kissed fields.
Websites are dumping uncountable lines of copypasted helps.
Billions of, zero-time read then thrown away data protection papers are flying in the wind.
Therefore I contacted the Hungarian National Authority for Data Protection and Freedom of Information. I was curious to know the following:
Which basically means no limit and infinity.
- a company/Data Processor got to know all — I repeat, all — of my personal data
- during a case, which ultimately didn't even form into a contract
- the company/Data Processor did not fulfill my data removal request
- since according to PTK 56. § 2. section they have the right to handle my personal data for 8 more years
Long story short, even only silently but we agreed, referring to GDPR 17. article (3) section four rules apply, inclusive:b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
In English: other EU or state laws nullify the rights of GDPR.
GDPR is a flaming sword!Except…when it's not.
Those circumstances in parallel also quite question the viability of GDPR, when for lawful tax and legal reasons too, companies are obliged to still keep all the client data for at least 1 year.
The ultra-ace was also put into the pack of cards, but I treat this separately: the mentioned PTK 56. § 2. section gives the right to anyone to collect and handle anyone's data in the name against money-laundering and financing terrorism.How could anyone, the leasing company question the official data verified, issued and confirmed by the tax authority is a mystery to me…or, well shakes beliefs at least.
You walked in front of the office, looked through the window. Nonetheless comparing the dates, it seems realistic that with this law the terrorism code-word wasn't used yet to legalize data-hoarding, being its dirty clothes detergent.
I realized on the way that I'm sending messages to the wrong address, the job of an authority is to apply laws and not to directly reflect on their whys. If I want to get more information about this law, allowing to process the data for 8 years, then I should talk with some department or member of the parliament in red velvet armchairs ornamented by lion heads.I haven't gotten to a decision yet on this — besides life is too short for democratic bureaucracy.
Naturally it's also a possibility that I misunderstood GDPR. That it is really worth something — especially when it would be actually needed.
But probably it was never meant to be more than a dinghy, which shouldn't be allowed even to touch water — lest to send out into the middle of the ocean.