Hacker News: bozho's comments

It's exactly that marketing word for tamper-evident audit log


I'm a bit sad that marketing words work on customers, but that's just how the world is apparently. :) Thanks for the reply and major congratulations and good luck!


I've listened to Tang's talks a number of times. A great example.


And also, this is a non-obvious practice for people who are not security experts. They answer honestly because that's what they are asked.


Even 10 euro a month per user is nothing - their salary + insurance + taxes is probably 3-4 thousand euro at least, these 10 euro are a statistical error.

We use Office365, because we need Office anyway. We initially used a hosting provider email server, but it's not trivial to get the email DNS configuration right, and you risk going into spam. Even after we got our configuration right, we still had occasional "spam" issues.


Set the SPF fields in DNS and you should be fine. It's not really that hard unless you do send out spammy mails.
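To make the SPF remark above concrete, here is an editor-added example (not code from the commenter or from any mail product) of how a receiving server evaluates a sender against a domain's SPF record. The DNS table, domains and addresses are all constructed from documentation ranges; the evaluator handles the `ip4`, `ip6`, `include` and `all` mechanisms with their qualifiers and shows, side by side, a strict `-all` record, a `~all` record and a permissive `+all` record that lets any host pass.

```python
import ipaddress
from typing import Dict

# Constructed stand-in for DNS TXT lookups (example.org/.net are documentation
# domains; 203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24 and 2001:db8::/32 are
# documentation ranges). Not real records.
DNS_TXT: Dict[str, str] = {
    # Strict: only the listed networks may send; everything else hard-fails.
    "example.org": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    # Relay provider's record, pulled in via include: above; soft-fails others.
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    # Weak configuration: any host on the internet passes as this domain.
    "sloppy.example.org": "v=spf1 +all",
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

MAX_INCLUDE_DEPTH = 10  # simplified stand-in for the RFC 7208 lookup limit


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate sender_ip against domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4/ip6/include/all are modelled; a, mx, ptr, exists and redirect
    would need real DNS and are reported as permerror here.
    """
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF published: receiver gets no signal either way

    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to "+" when no prefix is given
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")

        if name == "all":
            return QUALIFIERS[qualifier]

        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]

        elif name == "include":
            # include: matches only when the included record yields "pass";
            # any other result just moves on to the next term.
            if depth + 1 > MAX_INCLUDE_DEPTH:
                return "permerror"
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]

        else:
            return "permerror"  # mechanism not modelled in this example

    return "neutral"  # record exhausted without an "all" term
```

Running `check_spf("example.org", "192.0.2.1")` returns `fail`, which is the outcome a hosting-provider mail server gets when its address was never added to the record; `check_spf("example.org", "198.51.100.10")` passes through the `include:`, and the `+all` record passes every address, which is why receivers treat it as roughly equivalent to publishing no SPF at all.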


it was a deliberate reference :)


And yet, they do have it ;)


Not according to experts in electronic voting system security.


Source, please. So far I've only seen "experts" hack some 20 old US voting stations that are a joke in comparison.


Independent Report on E-voting in Estonia https://estoniaevoting.org/press-release/ This is from 2014.


There are too many concepts covered by the term e-voting.

I'm sure the OP wasn't claiming the concept discussed in your link is universally accepted as secure. That's because, to someone who thinks about it, any voting method that allows votes to be bought and sold is of course in a state of sin. Internet voting is one of those methods.

Who knows, the OP may have also not been claiming purely electronic voting is a solved problem. Opinions may vary on that one, depending on how secure you think end-to-end audited voting is in practice. If all voters took the time to do the 60 second audit procedure it would of course be perfectly secure, but that's an unrealistic assumption.

Which leaves a hybrid system - where the voting is done electronically using an end-to-end auditable system and the initial count is done electronically, but each vote is also printed and manually placed in the ballot box by the voter in the normal manner so if something goes wrong they can be manually re-counted.

If that is what the OP is talking about then they are right - such a system is faster to use, gets the counting done near instantaneously, easier to use (particularly for voters with disabilities), is more accurate (because it can point out mistakes in the vote), is less wasteful (because how to vote cards and information on candidates can be presented electronically) and of course is more secure than the existing manual system. And yes, on that the experts agree pretty much universally.

The sad thing is I only know of one electronic voting system that did it that way, and it was only a trial. All other deployed e-voting systems I've seen were mostly Windows desktops enclosed in an impressive looking box.

Some things in this world are very hard to explain.



Could you provide sources for your claims?


Some thoughts on when it's ok to use JWT https://techblog.bozho.net/using-jwt-sessions/


a) companies had 2 years to comply. Furthermore, the guidelines of the European Commission are clear that the process should be gradual - inspect, write recommendations, small fines, bigger fines. Nothing like "20 million in June"

b) the law had to cover a lot of usecases and in order to do that concisely, it may sound vague in places. I also don't like it (developers never like uncertainty), but there's established practice already in regulators and courts about what is considered "adequate", "appropriate", etc. I agree it could've been better though.

c) that is happening already, e.g. ICO (the UK regulator) has a pretty good set of guidelines and examples. There's also the process of "prior consultation" where if you are not sure about something, you go ask your regulator for a decision

d) this is exactly what the "proportionate", "adequate", etc. are there for. If you are a small company with 2000 data records, you are not posing a high risk for the rights and freedoms of data subjects and so most of the things are not a strict requirement


a) The problem with this is that this practical guide was released on November 29, 2017. And this is unofficial. The EU should have released a practical guide two years ago in my opinion.

If the process is gradual the law should reflect that.

c) Good to hear :). Apparently it's this: https://ico.org.uk/for-organisations/guide-to-the-general-da... - I hope it's not written from the perspective of the UK legislation.

d) The law should clearly define what is required for smaller companies and what is not. There's some disagreement if this is the case in GDPR articles too.


Every country has a slightly different implementation of the directive, so I don't think the EU will have a single example to give.


However, GDPR is a regulation, not a directive. I haven't seen that countries pass their own implementation of it.


Each country-specific privacy org gets leeway around rules like legitimate interest.


a) The regulators had 2 years to write final regulations. They didn't do that either. Apparently it's too much to ask to have eg final guidance more than 3 months before the implementation deadline.

aa) In actuality, the ICO has made it clear that grace periods are not part of their regulation strategy. See eg speeches by senior regulators.

b) hahaha go spend a pile of cash on lawyers (we're at roughly $50k) who are familiar with 30-ish countries' privacy regulators. American companies are quite unlikely to have a lead regulator.

d) proportionate and adequate are words that create giant legal bills, because the GDPR naturally declines to spell out in any concrete fashion what those mean.


A few clarifications (author here)

1. yes, you are correct, most of the features don't need to be implemented in code and having documented procedures would be sufficient (and that is pointed out in a number of places in the article). However, if you are not a small business or have a lot of users, the time needed to implement the features will be negligible compared to the amount of time needed for handling manual requests.

2. The "legitimate interest" legal basis is harder than it seems and many regulators warn against its overuse. Lawyers in my country are skeptical that regulators will accept legitimate interest in many cases, so "to be on the safe side" they recommend relying on consent. Again, as pointed out in the article, this is up to the legal team to decide.

3. The right to be forgotten is valid even under legitimate interest. Article 17(1)(c) is clear about that - whenever a user objects to their data being processed on the basis of legitimate interest. It is a bit hidden, as Article 17 refers to Article 21 which in turn refers to Article 6, but you can piece the whole scenario anyway.

4. About the best practices - agreed, they are not mandatory under the regulation (as pointed out in the article), but having them in place will demonstrate a higher level of compliance.


Thanks for commenting on my comment.

2. Yes, up to the legal team and what types of processing you do. If you do processing that the data subject would not expect you to do or that is not in their interest you have to consider this carefully. Maybe allowed or not under legitimate interest but you have to be careful and do a proper assessment. I believe, and I have heard many EU data protection lawyers state, that consent is a last resort option. Probably not universally shared but many people appear to think that way. Also, remember that consent bypasses important principles, such as the necessity test present for all other legal bases.

3. I agree, both RTBF and SAR rights apply under legitimate interest, but there is no absolute requirement to automate the process in any case. Voluntarily implementing data portability is good practice which could tip the balance when using legitimate interest, see below.

4. Yes, and concerning legitimate interest, if you implement these best practice measures this could “tip the balance” in your favor if you read the WP29 legitimate interest opinion.


It seems like when using legitimate interest as a basis for processing that _what you do_ with the data is much more important than what it is you’re collecting in the first place.

When registering an account with an online service, you will probably have to give up your email address. The legitimate interest is to be able to let you log in again and to send password reset emails, or other account related notifications like “we have detected a suspicious login from another continent”.

If you want to stick someone on your marketing email list, asking for consent is a much better option! Unless the context is extremely clear (the email field is specifically for signing up for the email list), asking for consent seems safer.

But in both cases, the basis is about the processing of the data, not the data itself.


Yes, this is important - GDPR is mainly about how you are allowed to use data, ie for what purposes you are processing the data (although collection and storage is also “processing” as a side point)


You would not use legitimate interests to cover off your processing of data in connection with letting a user log in to your site, if it is a requirement of using the service that you are logged in, for example to authenticate who you are. The correct processing basis here would be to process data to provide a service, not under legitimate interests.

If you were processing someone's data to, for example, ensure the safety of your network/detect unauthorised login attempts, then that would likely fall under legitimate interests, because it is processing that is not necessary to provide the underlying service, but is in the users' interests to ensure the protection of their personal data.


Regarding your first statement: It depends if you have a valid contract with the user and the data processing is sufficiently related to the performance of that contract.


it is just a part of the blockchain, namely the "chain" :) But thanks
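The two comments about tamper-evident audit logs (the "marketing word" reply above and this one about the "chain" being the relevant part of a blockchain) describe the same construction, so here is one editor-added example in Python illustrating it; this is not code from the commenter or from any product. Each log entry commits to the hash of its predecessor, so editing any past entry breaks every later link. The example also shows the caveat a practitioner should know: the chain alone cannot detect truncation of the newest entries, which is exactly what an externally stored (or "anchored") head hash is for. The sample events are constructed.

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # stands in for the hash of the (non-existent) entry before the first


def _canonical(seq: int, event: Dict) -> bytes:
    # Canonical JSON so the same event always serialises, and therefore hashes, identically.
    return json.dumps({"seq": seq, "event": event}, sort_keys=True,
                      separators=(",", ":")).encode("utf-8")


def entry_hash(prev_hash: str, seq: int, event: Dict) -> str:
    # Each entry commits to its predecessor's hash; that link is the "chain".
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(b"\n")
    h.update(_canonical(seq, event))
    return h.hexdigest()


def append(log: List[Dict], event: Dict) -> Dict:
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    record = {"seq": seq, "event": event, "hash": entry_hash(prev, seq, event)}
    log.append(record)
    return record


def first_broken_link(log: List[Dict]) -> Optional[int]:
    """Index of the first entry whose sequence number or hash does not match, or None."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["hash"] != entry_hash(prev, i, rec["event"]):
            return i
        prev = rec["hash"]
    return None


def verify(log: List[Dict], published_head: Optional[str] = None) -> bool:
    """Chain check plus, optionally, a comparison with an externally stored head hash.

    Without the external head, silently dropping the newest entries leaves a
    perfectly valid (shorter) chain, so the chain alone cannot detect it.
    """
    if first_broken_link(log) is not None:
        return False
    if published_head is None:
        return True
    head = log[-1]["hash"] if log else GENESIS
    return head == published_head


# Constructed sample events, not real data (198.51.100.0/24 is a documentation range).
SAMPLE_EVENTS = [
    {"user": "alice", "action": "login", "ip": "198.51.100.7"},
    {"user": "alice", "action": "export", "records": 120},
    {"user": "bob", "action": "delete", "record_id": 42},
]


def build_sample_log() -> List[Dict]:
    log: List[Dict] = []
    for ev in SAMPLE_EVENTS:
        append(log, ev)
    return log


def tamper_demo() -> Dict[str, object]:
    log = build_sample_log()
    head = log[-1]["hash"]  # the value you would store or publish out of band

    edited = copy.deepcopy(log)
    edited[1]["event"]["records"] = 1  # rewrite history in the middle of the log
    truncated = log[:-1]               # quietly drop the newest entry

    return {
        "intact": verify(log, head),
        "edit_detected_at": first_broken_link(edited),
        "truncation_detected_by_chain": not verify(truncated),
        "truncation_detected_with_head": not verify(truncated, head),
    }


if __name__ == "__main__":
    print(tamper_demo())
```

The chain makes in-place edits visible (`first_broken_link` points at entry 1 after the edit), while `truncation_detected_by_chain` stays false: a shortened log is still a valid chain. Only comparing the last hash against a copy kept outside the log, whether in a separate system, a signed timestamp or a public ledger, turns truncation into a detectable event, which is the one job the "blockchain" label is really doing in such products.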

