| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 29 May 2020 13:50:32 +0200 From: Thierry Zoller <thierry@...ler.lu> To: fulldisclosure@...lists.org Subject: [FD] [CDPWE-0001] - RocketReach Adapting the Mechanics of Vulnerability Disclosure to an area where Privacy Rights need to be scrutinized and where transparency becomes paramount. ________________________________________________________________________ How to effectively evade the GDPR and the reach of the DPA (CDPWE-0001) ________________________________________________________________________ Company : Rocketreach Status : DPA does not pursue any further CDPWE : CDPWE-0001 - Does not designate a Representative in the European Union URL : https://blog.zoller.lu/2020/05/how-to-effectively-evade-gdpr-and-reach.html Vulnerability Disclosure Policy: https://caravelahq.com/b/policy/20949 I. Background ---------------- RocketReach is selling access to millions of European Data Subjects without recognising it is a Data Controller, without a representative in the EU (ART.27) and with a questionable legal basis for processing. II. Impact ---------------------------- Companies around the World can Process and sell Information about European data subjects without that the DPA sanctions them for doing so by simply not designating a EU Representative accourding to Art.27 of the GDPR. Note: That representative would be held accountable, without it the CNPD (LUX DPA) argues that their is no way for them to proceed. https://www.privacy-regulation.eu/en/article-27-representatives-of-controllers-or-processors-not-established-in-the-union-GDPR.htm III. Advisory ---------------------------- If your data is also included in Rocketreach (just search on their website), then file a complain with your local DPA (it's usually very easy and fast) . V. Timeline ---------------------------- 5th of April 2019 - Issued a DSAR to RocketReach 5th of April 2019 - Rocketreach responds by deleteing my data 5th of April 2019 - File a complain via my national DPA (CNPD) 6th of March 2020 - The CNPD agrees with my position but claims to not be able to pursue further. See: https://blog.zoller.lu/2020/05/how-to-effectively-evade-gdpr-and-reach.html _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists