
Comment by parable

4 hours ago

Companies can and do get away with arguing that they have a "lawful basis" to collect whatever data they'd like. It's unfortunate.

IANAL, but the law seems a bit vague to me, and it appears that companies use that vagueness to their advantage. Maybe I'm just not articulating my arguments correctly.

Even if you have a lawful basis for collecting data, in theory the GDPR restricts you to only using it for that basis, deleting it as soon as you don't need it anymore, having a plan for how to store and handle it, and requires you to follow best practices when doing so. Backups, encryption, and regularly testing the technical and organizational measures that protect the data are in theory all mandated. Also, on the topic of this post, notification of data breaches when they occur.

But enforcement is just laughable. Even on easy-to-observe issues like which data is collected.