DEV Community

Discussion on: What is required or should be done, according to PDPA / GDPR?

Alex Lohr

Actually, the question is: what mustn't be done. You may not compromise the privacy of the user or make him identifiable to yourself or a third party, either by name or a unique property, except if he explicitly gives his consent.

How far you allow the user to give a detailed consent is your own choice (the best way to handle this IMO is [No consent*] [Fine-tuned consent] [Full consent]), but at least you must provide sufficient data on whom the information is shared with if third parties are involved, otherwise a conscious consent to share the information cannot be given.

* if your page or web app requires a login, you should obviously exclude that from the no consent rule, but make it obvious that the choice for the user is either to allow for the login or leave your service.