This post is also available in: Deutsch (German)
Translated with www.DeepL.com/Translator
You are allowed to operate 50 virtual switches and thus decide on all possible forms of processing (see MC 9). That would mean that one would inquire exactly about the associated software parts and also still understand what happens! Nobody can and will do this (see MC 4). Even the provider will not always know exactly what consequences the switching on/off of a service actually has. Below the line this means the following: Either I let myself in with the offerer or I let it remain! Fortunately, there are alternatives to the known data kraken in many areas. Nevertheless it pushes the people out of convenience (and from miserliness) again and again to services, which have the largest market share. These providers systematically use their market power. The current tendency to offer all software only as a cloud version further contributes to the fact that the individual user has practically no power (control = information governance) over his data. The only alternative is either to install and operate everything locally, or to look for local providers who are trustworthy and with whom they can negotiate a reasonable contract (Don’t forget: All business is still local). But even for the small provider things are getting hairy now. Usually there is a basic contract for a service offered by the provider (contractor) (“we offer CRM in the cloud”).
The customer, here a company, orders this offer on the basis of the basic contract. At the same time, the provider asks the customer to sign an order processing contract describing the contractor’s handling of the personal data (because the sense and purpose of CRM might be to collect personal data, among other things). Here the GDPR is once again playing into the hands of the big oligopolies. If you look at the whole thing from the point of view of a small software provider, then you also see the absurdity that the right of consent creates. According to the GDPR, it is theoretically possible to withdraw consent for processing at any time. What does this mean in a practical context? A data subject (in the case described above, any employee of a customer, a potential customer, etc.) could therefore insist that his data be removed from an existing system and deleted. In fact, the practice is different. In 80% of all cases there are legal storage obligations which prevent the revocation (even from the data protection law itself, see MC 8). It is completely absurd to demand that subcontractors may be involved if everyone concerned agrees. Theoretically the customer would have to agree each time in the apron
Article by Michael Erner (M100, in Deutsch):Die Wahrheit über Einverständniserklärungen