Monday, September 24, 2018

NY Times Sues FCC for Hiding Evidence of Russian Role in Ending Net Neutrality

On Thursday, the New York Times filed a lawsuit alleging that the Federal Communications Commission unlawfully withheld data about the system it used to gather public comments on its unpopular plan to end net neutrality, amid signs of Russian manipulation of the comment process.

As the Times attempted to investigate possible Russian influence after a large number of comments were linked to Russian email addresses, the newspaper submitted numerous Freedom of Information Act requests, all of which the FCC turned down.

The FCC voted last year to end net neutrality, upending the American internet system. The change allows internet service providers to block, slow down, or charge extra for certain content. As many as 2 million comments were fraudulently submitted in other people’s names without their knowledge, and the system was overrun with bots.

Saturday, September 22, 2018

Europol: Ransomware Biggest Cyberthreat in 2018, State-Sponsored Cyberattacks on the Rise

Europol has released its 2018 Internet Organised Crime Threat Assessment (IOCTA) report. The key findings are:

Ransomware retains its dominance
This is expected to continue in the near future, even though the growth of ransomware is beginning to slow. In addition to attacks by financially motivated criminals, there is an increase in state-sponsored ransomware attacks. Mobile malware has not been extensively reported in 2017, but this has been identified as an anticipated future threat.

DDoS continues to plague public and private organisations
Distributed-Denial-of-Service (DDoS) attacks are used not only for financial benefit but for ideological, political or purely malicious reasons. This type of attack is not only one of the most frequent (second only to malware in 2017); it is also becoming more accessible, low-cost and low-risk.

Production of CSEM continues
The amount of detected online Child Sexual Exploitation Material (CSEM), including Self-Generated Explicit Material (SGEM), continues to increase. Although most CSEM is still shared through P2P platforms, more extreme material is increasingly found on the Darknet.

Friday, September 21, 2018

Airbnb to Comply with EU Demands to Change Terms & Improve Price Transparency

On September 20, 2018 the European Commission issued a press release stating that Airbnb has committed to complying with the EU consumer authorities' demands presented to the company in July.

Specifically, Airbnb has agreed by the end of 2018 to make changes to their terms and conditions and improve price transparency by:

- presenting the total price of bookings, including extra fees such as service and cleaning charges. When it is not possible to calculate the final price in advance, Airbnb has committed to clearly informing the consumer that additional fees might apply;

- clearly identifying whether an offer is made by a private host or by a professional, as the consumer protection rules differ for each;

- making it clear that consumers can use all the legal remedies available, in particular their right to sue a host in case of personal harm or other damages. Proceedings can be brought against Airbnb before the courts of the user's country of residence;

- informing consumers when the company decides to terminate a contract or remove content, and offering consumers the right to appeal and to compensation if appropriate.

EU Warns FB to Change "Misleading Terms of Service"

The EU is threatening sanctions against FB if it fails to spell out better to consumers how their data is being used. Věra Jourová, the European Commissioner for Justice, Consumers and Gender Equality, on Thursday warned FB that she will call for sanctions if it fails to change its “misleading terms of service” by the end of the year. “I am becoming rather impatient. We have been in dialogue with Facebook almost two years... I want to see not progress—that is not enough for me. I want to see results.”

The Commission flagged the following issues with FB's Terms:

- insufficiently explicit about how the platform monetizes users’ data. E.g., directing users via hyperlinks to Facebook’s “data policy” (which has more details) is not clear enough for EU consumers.

- granting the company a perpetual licence to user generated content even after a user quits Facebook. I don't think this is true, though. There is no perpetual license to user generated content in FB Terms anymore. Sec. 3 of the Terms states that, "[y]ou own the content you create and share on Facebook...  and nothing in these Terms takes away the rights you have to your own content." FB does grant itself a limited, non-exclusive license to user content. "[W]hen you share, post, or upload content that is covered by intellectual property rights (like photos or videos)... you grant us a non-exclusive, transferable, sub-licensable, royalty-free, and worldwide license to host, use, distribute, modify, run, copy, publicly perform." However, users can terminate this license to FB by deleting content. "You can end this license any time by deleting your content or account." So, there is no perpetual license to user generated content.

- not being clear on its obligations to remove user generated content and/or suspend or terminate an account.

- lack of an appeal option for consumers in some cases.

- FB can unilaterally change its terms of service. The Commission states that this is contrary to EU consumer legislation which identifies as unfair terms that enable “the seller or supplier to alter the terms of the contract unilaterally without a valid reason which is specified in the contract”.

Friday, August 10, 2018

Summary: US-Russia Sanctions Law

The U.S. State Department has announced new sanctions against Russia. The U.S. says Russia was behind the nerve-agent attack on a former Russian spy in the U.K. in March; the Kremlin has repeatedly denied involvement. The ruble fell 5% against the dollar on Thursday. Stocks in Russia plunged as much as 9%, led by state banks and the national airline, Aeroflot, which risks losing access to U.S. markets if the sanctions escalate.

The latest sanctions ban any attempts by an American company to obtain an export license to sell anything with a potential national security purpose (gas turbine engines, electronics, integrated circuits and testing and calibration equipment). While the list of prohibited items is elaborate, the actual amount of exports affected by the latest sanctions is small because the Obama administration had already banned exports to Russia that could have military purposes. However, the law requires stricter measures (listed below) if Russia fails to prove that it is no longer using chemical weapons.

The sanctions are mandated by the Chemical and Biological Weapons Control and Warfare Elimination Act of 1991, a U.S. law that requires action over the use of chemical and biological weapons. The law requires the U.S. President to impose certain sanctions against foreign persons if he determines that they knowingly contributed to the efforts of a country to acquire, use, or stockpile chemical weapons.

The measures announced Wednesday are the first tranche of sanctions mandated by U.S. law. A second tranche of sanctions would take effect within three months unless the U.S. President certifies to Congress that Russia has met three conditions:

1) ceasing the use of chemical and biological weapons;

2) credibly assuring the U.S. that it won’t use such weapons in the future; and

3) submitting to inspections by international observers to ensure compliance.

If Russia does not comply with any of the three aforementioned requirements, the U.S. President is required to impose at least three of six types of additional sanctions (although he has discretion over their severity):

1) opposing any loans or other assistance to Russia by international-development banks;

2) barring U.S. banks from issuing loans or extending credit to the Russian government;

3) prohibiting exports of goods and technology to Russia;

4) restricting imports of Russian goods;

5) downgrading or suspending diplomatic relations with Russia; and

6) termination of air carrier landing rights.

The Western sanctions imposed on Russia since its annexation of Crimea in 2014 have wiped out half of the ruble’s value, reduced investment in the energy sector and crippled the national aluminum giant United Co. Rusal PLC.

Monday, July 23, 2018

'Meddling' Russian Firm Relies on Trump Nominee to Get the Indictment Dismissed

A Russian company indicted by special counsel Robert Mueller for meddling in the 2016 election is relying on an opinion by Trump Supreme Court nominee Brett Kavanaugh to get the indictment dismissed.

Concord Management and Consulting was accused of paying $1.25 million a month to the Internet Research Agency, a Russian "troll farm," to sponsor divisive political ads on social media. Concord has filed a motion to dismiss, claiming its advocacy is consistent with a decision written by Kavanaugh.

Specifically, Kavanaugh’s 2011 decision in Bluman v. Federal Election Commission barred foreigners from supporting or opposing particular candidates, but did not restrict advocacy on broader political issues. Kavanaugh also said that a requirement that a defendant act “willfully” before imposition of criminal penalties “will require proof of the defendant’s knowledge of the law.”

Accordingly, Concord argues that, “Foreign nationals are not barred from issue advocacy through political speech such as what is described in the indictment—they are only precluded from willfully making expenditures that expressly advocate the election or defeat of a particular candidate.”

Tuesday, July 17, 2018

US Legislators Urge FB and Google to Resist Vietnam's New Cybersecurity Law

Today, U.S. Senators Rubio (R-FL), Menendez (D-NJ), and Wyden (D-OR) joined a bipartisan group of seventeen U.S. Representatives (members of the Vietnam Caucus) in signing a letter to the CEOs of Facebook and Google urging them to resist compliance with Vietnam's new cybersecurity law. The Vietnamese law takes effect on Jan. 1, 2019. It gives the ruling Communist Party more tools to crack down on dissent by requiring Facebook, Google and other global technology firms to store personal data on users in Vietnam locally and to open offices there. Furthermore, tech companies will have to remove content at the government's request within 24 hours.

“It is already being reported that your companies have removed video and accounts after requests by the Vietnamese government, including accounts of users in California and Germany,” the letter from US Congress reads. “The censorship of the accounts of Vietnamese-Americans is particularly concerning.”

Local data centers and offices could make it easier for the authorities to seize users' data and would expose local employees to the threat of arrest. Vietnam's Communist Party has jailed dissenters.

The letter from Congress asks FB and Google to refuse to store data in Vietnam, to publish the number of requests they receive to remove content, to be transparent about any censorship, and to confidentially inform Congress of all requests for user data from the Vietnamese government.

Sunday, July 15, 2018

How Easily the Russians Hacked Clinton and the DNC

On Friday, Robert Mueller, the special counsel investigating Russian interference in the 2016 election, issued an indictment of 12 Russian intelligence officers for the hacking of the Democratic National Committee and the Clinton presidential campaign. Having read the indictment, I was amazed at how easy it allegedly was for the Russians to carry out the hacks. It turns out much of the damage was done by a simple spearphishing email sent from a large Russian email service under the supervision of intelligence colonels and captains with screen names like “blablabla1234565” and “Kate S. Milton.”

The 29-page indictment that was published on Friday is the most detailed accusation by the American government to date of the Russian government’s interference in the 2016 election. The U.S. media presents the Russian operation as a complex web of sophisticated measures and the indictment as a measure that will deter others. However, after reading it, I came to the exact opposite conclusions. I had no idea how easy it was to hack a presidential campaign and I think more hackers might be encouraged to try.

While there were, indeed, some sophisticated techniques employed in the hack, most of the operation was pretty straightforward and could have been carried out by any group with even basic IT knowledge. For those who don’t want to or can’t read the whole indictment, I have summarized the timeline of events below.

Spearphishing Operations 

The hacking operations began with a simple spearphishing email to the chairman of the Clinton campaign in March 2016. The email was sent from a Russia-based email account but was dressed up to look like a security notification from Google (a technique known as “spoofing”), instructing the user to change his password by clicking an embedded link. The Russians used a URL-shortening service to mask that link, which actually led to a GRU-created website. The instructions were followed, and two days later the Russians stole the contents of the chairman’s email account, over 50,000 emails.

In April 2016, the Conspirators created an email account in the name of a known member of the Clinton Campaign, with a one-letter deviation from the actual spelling. They then used that account to send spearphishing emails to the work accounts of more than thirty different Clinton Campaign employees. The emails contained a link purporting to lead to a document titled “hillaryclinton-favorable-rating.xlsx.” In fact, the link directed the recipients’ computers to a GRU-created website.

Spearphishing operations continued into the summer of 2016. The hackers successfully stole email credentials and thousands of emails from numerous individuals affiliated with the Clinton Campaign.
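The two lures described above (a spoofed Google security notice hiding behind a shortened link, and a sender account one letter off from a real staffer's) are exactly the kind of thing a mail gateway can flag mechanically before anyone clicks. The following Python is an added example written for this summary; it is not code from the indictment or from any party involved. The staff roster, sender addresses, message bodies and the shortener list are all constructed for illustration, and the brand-to-domain table is a deliberately small sample.

```python
"""Mail-triage heuristics for the two spearphishing lures described above.

Added example; not code from the indictment, the campaign, or the original
post. The staff roster, sender addresses, message bodies and the shortener
list are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed roster of the protected organisation's real mailboxes.
STAFF = {"jane.doe@campaign.example", "lee.park@campaign.example"}
ORG_DOMAINS = {"campaign.example"}

# Hosts of common URL-shortening services (sample, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Brands whose "security notice" mail is commonly spoofed, with the
# domains genuine mail from that brand would actually come from.
BRAND_DOMAINS = {"google": {"google.com", "accounts.google.com"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Message:
    display_name: str   # From: header display name
    from_addr: str      # From: header address
    subject: str
    body: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_of(from_addr: str) -> Optional[str]:
    """Staff address this external sender imitates: the local part is within
    one edit of a real staffer's (the 'one-letter deviation' trick)."""
    local, _, domain = from_addr.lower().rpartition("@")
    if domain in ORG_DOMAINS:
        return None                     # internal mail is not a lookalike
    for staff in sorted(STAFF):
        if edit_distance(local, staff.partition("@")[0]) <= 1:
            return staff
    return None


def brand_spoof(display_name: str, from_addr: str) -> Optional[str]:
    """Brand named in the display name when the sending domain is not that
    brand's, e.g. 'Google' mail from a non-Google domain."""
    domain = from_addr.lower().rpartition("@")[2]
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and domain not in domains:
            return brand
    return None


def shortened_links(body: str) -> List[str]:
    """Links whose host is a known shortener, so the real destination is hidden."""
    return [u for u in URL_RE.findall(body) if urlparse(u).hostname in SHORTENERS]


def triage(msg: Message) -> List[str]:
    """Human-readable findings for one message; an empty list means nothing flagged."""
    findings = []
    brand = brand_spoof(msg.display_name, msg.from_addr)
    if brand:
        findings.append(f"display name claims {brand!r} but sender domain is "
                        f"{msg.from_addr.rpartition('@')[2]}")
    staff = lookalike_of(msg.from_addr)
    if staff:
        findings.append(f"sender {msg.from_addr} is one edit away from staffer {staff}")
    for url in shortened_links(msg.body):
        findings.append(f"shortened link hides its destination: {url}")
    return findings


# Constructed lures modelled on the two techniques in the indictment summary.
GOOGLE_LURE = Message("Google", "no-reply@accounts-googlemail.example",
                      "Someone has your password",
                      "Someone just used your password to try to sign in. "
                      "Change your password now: https://bit.ly/2xAMPLE")
LOOKALIKE_LURE = Message("Jane Doe", "jane.dow@mail.example",
                         "favorable rating spreadsheet",
                         "Updated numbers: https://files.share.example/favorable-rating.xlsx")
CLEAN = Message("Lee Park", "lee.park@campaign.example", "Weekly report",
                "Posted at https://intranet.campaign.example/report")

if __name__ == "__main__":
    for m in (GOOGLE_LURE, LOOKALIKE_LURE, CLEAN):
        print(m.subject, "->", triage(m) or ["no findings"])
```

None of these checks is a substitute for SPF/DKIM/DMARC or for expanding shortened links in a sandbox, but together they catch the two cheap tricks the indictment describes: a display name borrowing a brand the sending domain does not own, and a local part that differs from a real colleague's by a single character.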

Hacking into the DCCC & DNC Network

In March 2016, the Conspirators, in addition to their spearphishing efforts, researched the DCCC and DNC computer networks to identify technical specifications and vulnerabilities. For example, they ran a technical query for the DNC’s internet protocol configurations to identify connected devices.

Within days, the Conspirators hacked into the DCCC computer network. Once they gained access, they installed and managed different types of malware to explore the DCCC network and steal data. The Conspirators installed multiple versions of their X-Agent malware on at least ten DCCC computers, which allowed them to monitor individual employees’ computer activity, steal passwords, and maintain access to the DCCC network. X-Agent had keylogging and screenshot functions. DCCC employees’ keystrokes and screenshots of their screens were regularly transmitted over encrypted channels to a GRU-leased server located in Arizona, using other GRU malware known as “X-Tunnel.”

Hacking Discovered

In May 2016, both the DCCC and DNC became aware that they had been hacked and hired a security company to identify the extent of the intrusions. Despite these efforts, a Linux-based version of X-Agent, programmed to communicate with a GRU-registered domain, remained on the DNC network until around October 2016.

Stolen Documents Released

To release the stolen documents, the Conspirators anonymously registered a domain and paid for it with bitcoin. The site received over a million views before it was shut down. They also created a corresponding FB page and Twitter accounts.

On June 14, 2016, the DNC publicly announced that it had been hacked by Russian government actors. In response, the Conspirators created the online persona Guccifer 2.0 and falsely claimed to be a lone Romanian hacker in order to undermine the allegations of Russian involvement.

Guccifer 2.0 published its first post on a blog site created through WordPress. Titled “DNC’s sewers hacked by a lone hacker,” the post stated:
Worldwide known cyber security company [Company 1] announced that the Democratic National Committee (DNC) servers had been hacked by “sophisticated” hacker groups. I’m very pleased the company appreciated my skills so highly))) [. . .] Fuck the Illuminati and their conspiracies!!!!!!!!! F[***] [Company 1]!!!!!!!!!

Guccifer 2.0 kept releasing documents through WordPress, sending them to lobbyists and reporters. In August 2016, Guccifer 2.0 received a request for stolen documents from a candidate for the U.S. Congress. Guccifer 2.0 sent the candidate stolen documents related to the candidate’s opponent.

Wednesday, May 9, 2018

GDPR Self-Assessment Checklist for Controllers

This article is intended for most of my US/international clients: small e-commerce businesses that do not want to cut off their EU customers completely because of the GDPR, the massive, intimidating privacy regulation about to come into effect in the EU. Clients that only collect a limited amount of non-sensitive information (no health data, no children’s data, no criminal records, no life-and-death situations, etc.) from EU residents. Clients that have read about scary, exorbitant fines and hundreds of pages that are basically synonyms of “be adequate,” “be reasonable,” “risk mitigation must be proportionate to the level of [undefined] threat,” but without much concrete guidance.

Here is some guidance. Do not be scared. Be informed as to where you stand on GDPR compliance. Then make an informed decision as to whether GDPR compliance is worth the extra legal costs and effort, or whether you are better off investing in software that blocks EU users altogether. For the many small businesses that are still not sure, I have abridged the Information Commissioner’s Office’s (ICO’s) basic requirements below.

Specifically, I have boiled down the basic issues you have to address. That does not mean that you have to write volumes of convoluted policies about every little aspect of the points below. The exact opposite is true. GDPR requires you to be concise, even though the EU regulators have themselves written hundreds of pages about synonyms of words like “concise,” “reasonable,” and “adequate” without offering much concrete guidance. GDPR is untested, but it does require you to think about, and have answers to, the following issues. The answers do not have to be as voluminous and convoluted as what the regulators have written themselves, but if you want any EU customers/subscribers, you do have to have “concise, easy to understand” answers to the following questions.

The ICO’s compliance self-assessment questionnaire is broken down into four parts: 1) Lawful/Fair Basis; 2) Users’ Rights; 3) Accountability; and 4) Data Security & International Transfers. Take a look at the basic summary of those four parts.

Part 1: Lawful/Fair Basis for Collecting Personal Info

Have you mapped out data flows? Anybody with a good understanding of your business should be able to answer where you get EU data from, where it goes, for what purposes and on what legal grounds. Mapping out your EU data flow will enable you to predict any legal/security risks.

Document your findings. If you have fewer than 250 employees, you only need to keep these records for processing activities that:
- are not occasional;
- could result in a risk to the rights and freedoms of individuals; or
- involve the processing of special categories of data or criminal conviction and offence data.

Can you show documented lawful bases for processing EU personal data? There are six lawful bases:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

For most of my clients (my primary focus in this article), point (b) will give you a lawful basis for processing. E.g., you run a SaaS platform, or you sell to customers some of whom are in the EU, and you need their names and payment details in order to fulfill their subscriptions/orders. Processing their names and payment details for the purpose of fulfilling their orders gives you a lawful basis under GDPR. So, you can move on to the next sections.

How do you handle consent, if you need it? The EU standard for consent is much higher than that in the US, but the good news is that you do not need consent if you have a lawful basis as described in the paragraph above. If you do not have one of the lawful bases described above, then you will need EU users’ (reaffirmed) unambiguous consent to the exact, specific uses of their private info. Not pre-ticked opt-in boxes, not some provision buried in your Privacy Policy along the lines of “your visits to our Platform constitute your agreement to using your personal info for marketing purposes, advertising and sharing it with our affiliates.” No. Under GDPR, if you use EU residents’ personal info for such, and similar, extended purposes, then the privacy notice has to be in their faces, with things like an un-ticked box and no pre-selected opt-in options. Keep records of what an individual has consented to.

Do you have systems to record and manage ongoing consent? Most of my US clients don’t need consent but, in case you do, keep in mind that your obligations don’t end when you first get consent. You should continue to review consent as part of your ongoing relationship with individuals. Renew consent if anything changes. If your existing consent does not meet the high GDPR standard, then you’ll need to renew it. That’s why you’ve been receiving numerous notices from the various online services you subscribe to, reaffirming their “commitment” to your privacy.

Part 2: Users’ GDPR Rights

You have to provide GDPR-specific privacy information to individuals in the EU. I have covered a way to do it in the previous post about a GDPR-compliant Privacy Policy.

Part 3: Accountability

Do you have an “appropriate” data protection policy? “Appropriate” means it is commensurate to the risks involved. For most of my clients, who do not deal with large volumes of high-risk EU information, that means they do not have to have large volumes of data protection policies. However, monitor your compliance with data protection principles, security protocols and policies. That’s common sense in the US and the EU.

Are your processor contracts adequate? If you use a third party (e.g. PayPal) to process EU users’ personal info, you are still liable for what happens to that info. To protect yourself, you need a contract that provides “sufficient guarantees” to protect EU users’ privacy rights. Processors must only act on your documented instructions.

Does your management/staff understand the GDPR risks involved? At least have them read this article.

Have you conducted a Data Protection Impact Assessment (DPIA), if required? This should be a whole separate blog post but the basics of the DPIA are that you have to do it if you conduct any type of processing which is “likely to result in a high risk”. E.g., use systematic and extensive profiling with significant effects; process special category or criminal offence data on a large scale; systematically monitor publicly accessible places on a large scale; use new technologies; use profiling or special category data to decide on access to services; profile individuals on a large scale; process biometric/genetic data; match data or combine datasets from different sources; collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’); track individuals’ location or behavior; profile children or target marketing or online services at them; or process data that might endanger the individual’s physical health or safety in the event of a security breach.

Have you appointed a Data Protection Officer (DPO)? You must appoint a DPO if you:
- are a public authority (except for courts acting in their judicial capacity);
- carry out large-scale regular and systematic monitoring of individuals (e.g. online behavior tracking); or
- carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.
Even if you are not required to appoint a DPO, it may be a good idea to do so. It will make you look more professional and, besides, even if you don’t appoint an official DPO, there still has to be somebody ready to respond to a regulator’s privacy-related questions anyway. The DPO should be “independent” and report to the highest management level.

Do the decision makers and key people in your business “demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business”? At the minimum, have them read this article. GDPR requires your key personnel to be aware of the requirements under the GDPR.

Part 4: Data Security & International Transfers

Do you have “appropriate security measures” in place? “Appropriate” means adequate for the level of risk and sensitivity of the information you hold. ICO states that “[t]he measures you put in place should fit your business’s needs. They don’t necessarily have to be expensive or onerous. They may even be free or already available within the IT systems you currently have. A good starting point is to establish and implement a robust Information Security policy which details your approach to information security, the technical and organisational measures that you will be implementing and the roles and responsibilities staff have in relation to keeping information secure.”

Are you aware of your obligations when personal data is breached? You must report a notifiable breach to the ICO without undue delay, and no later than 72 hours after becoming aware of it. Where the breach is likely to result in a high risk to individuals, you must also inform the affected individuals themselves without undue delay.

International transfers. This also deserves a separate blog post, but the GDPR’s basic requirement is that you have to ensure an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Economic Area. You may only transfer personal data outside the EU if you comply with the conditions for transfer set out in Chapter V of the GDPR.

Tuesday, May 8, 2018

GDPR-Compliant Privacy Policy (Example)

1. GDPR: don’t be scared
There is no reason to fear GDPR for US/international businesses that only process limited amounts of non-sensitive personal information (e.g., no medical info) from the EU. For example, let’s say you operate a website out of the US and you have some EU subscribers, or you sell products to the EU. For those purposes, you collect users’ names, emails and payment details. You don’t sell or otherwise disclose their info to any third parties. If that describes your business, then this article is to help you understand what is required and how to comply without unnecessary complexities.

2. What is required?
If you collect and use personal data from any residents of the EU, that makes you a “controller” of personal information under the GDPR. Its Articles 13 and 14 require you to inform “data subjects” (users) of the following:
- the purpose and legal basis for processing;
- the data controller’s identity and contact details;
- the recipients, or categories of recipients, of the personal data;
- how long the personal data will be retained and, if no time frame can be provided, how the retention period will be calculated;
- whether any automated decision making, for example profiling, is being carried out, and information about such automated decision making;
- whether the personal data is processed outside the European Economic Area (EEA) and what protections are in place to safeguard it; and
- the data subject’s rights.

3. How to comply?
You should address the above points in your Privacy Policy in a concise, easy to understand language. When you read hundreds of pages of regulations, guidelines and instructions about GDPR compliance, while drowning in the sea of privacy update notices, that can make you mistakenly assume that you also need to implement numerous convoluted policies and then send everybody notices about it. No. In fact the GDPR states the exact opposite – the privacy information you provide has to be concise. So, let’s go through the points listed in the above paragraph.
The purpose and legal basis for processing. If you only use EU personal info to fulfill a contract with your EU subscriber/buyer, that constitutes a legal basis under Art. 6(1)(b).
Your identity, contact details, recipients of the personal data. All of that should already be in your Privacy Policy regardless of GDPR.
How long the personal data will be retained. This has to be reasonable depending on the purposes for which you collect the data and how long you will need it after the business relationship with the user is terminated.
If any automated decision making, for example profiling, is being carried out, and information about such automated decision making. This doesn’t apply to most of my clients described in paragraph 1, so they can address this by stating something like, “as a responsible business, we do not rely on any automated decision making, such as profiling.”
Whether the personal data is processed outside the European Economic Area (EEA) and what protections are in place to safeguard the personal data. This is one of the most important points of the GDPR, and it ties directly to the next requirement about informing EU data subjects of their rights. The EU grants more rights over its residents’ personal info than the US does, and only allows the transfer of EU personal info outside the EEA if adequate protections of those rights are in place. Procedures you can have “in place to safeguard the personal data” include encrypting data in transit with TLS (still commonly called SSL), storing data on access-controlled servers that only administrators can reach, and, most importantly, the procedures designed to protect the GDPR-specific rights below.
So, GDPR requires you to inform EU users about their GDPR rights and your procedures to secure them. The eight main GDPR rights are: 1) to be informed; 2) to access; 3) to rectification; 4) to erasure; 5) to restrict processing; 6) to data portability; 7) to object; and 8) rights relating to automated decision-making and profiling. GDPR requires you to be concise, especially if your business is like most of my clients that I’ve described in the first paragraph of this article. So, in the next paragraph I will give sample language that can be inserted in your Privacy Policy for GDPR compliance purposes. Of course, you will have to actually comply with what your Privacy Policy states; otherwise, it won’t protect you.

4. Sample GDPR-compliance Privacy Policy verbiage

EU Users’ Rights. 
This section of our Privacy Policy applies to the users of our platform in EU. We would like to inform you about your GDPR rights and how we safeguard them.

a. Your GDPR rights to be informed, to access, rectify, erase or restrict the processing of your personal information. Our Privacy Policy enumerates the types of personal (and other) data we collect about our users in Section ___ above. You have the right to obtain free information about what personal data we have obtained about you, where it is stored, for how long, for what purposes it is used, and to whom it was disclosed. You have the right to have us, without undue delay, rectify inaccurate personal data concerning you. That means you can request that we change your personal data in our records, or have your incomplete personal data completed. You have the “right to be forgotten,” i.e. to have us delete your personal information, without undue delay, if the data is no longer necessary in relation to the purposes for which it was collected. However, GDPR gives us the right to refuse erasure if we can demonstrate compelling legitimate grounds for keeping it.

b. GDPR gives you the right to restrict processing if any of the following applies:

i. If you contest the accuracy of your personal data, we will restrict processing it for a period enabling us to verify its accuracy.
ii. The processing is unlawful and you oppose its erasure and request instead the restriction of its use.
iii. We no longer need your personal data for the purposes of the processing, but you require us to restrict processing for the establishment, exercise or defence of legal claims.
iv. You have objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether our legitimate grounds override yours.

c. Right to data portability. Upon request, we will provide you your personal data in our possession, in a structured, commonly used and machine-readable format. You have the right to transmit that data to another controller if doing so does not adversely affect the rights and freedoms of others.

d. Right to object. You can object, on grounds relating your particular situation, at any time, to processing of your personal information, if based on point (e) or (f) of Article 6(1) of the GDPR.  We will then have to stop processing, unless we can demonstrate compelling legitimate grounds for the processing. If you object to the processing for direct marketing purposes, we will have to stop processing for these purposes.

e. Right to withdraw consent. GDPR grants you the right to withdraw your earlier given consent, if any, to processing of your personal data at any time.

f. Rights related to automated decision making. As a responsible business, we do not rely on any automated decision making, such as profiling.

How to exercise your GDPR rights?

If you need to contact us in order to exercise or discuss any of your GDPR rights under this Privacy Policy, you can contact our Data Protection Officer at:  [Name, contact info]

5. Conclusion
It can be possible to comply with GDPR without undue burden.