Message-ID: <51893251-99b6-35e2-e056-3011b0411760@zoller.lu>
Date: Fri, 29 May 2020 13:50:32 +0200
From: Thierry Zoller <thierry@...ler.lu>
To: fulldisclosure@...lists.org
Subject: [FD] [CDPWE-0001] - RocketReach
Adapting the Mechanics of Vulnerability Disclosure to an area where
Privacy Rights need to be scrutinized and where transparency becomes
paramount.
________________________________________________________________________
How to effectively evade the GDPR and the reach of the DPA (CDPWE-0001)
________________________________________________________________________
Company : Rocketreach
Status : DPA does not pursue any further
CDPWE : CDPWE-0001 - Does not designate a Representative in the
European Union
URL :
https://blog.zoller.lu/2020/05/how-to-effectively-evade-gdpr-and-reach.html
Vulnerability Disclosure Policy: https://caravelahq.com/b/policy/20949
I. Background
----------------
RocketReach is selling access to millions of European Data Subjects
without recognising it is a Data Controller, without a representative
in the EU (ART.27) and with a questionable legal basis for processing.
II. Impact
----------------------------
Companies around the world can process and sell information about
European data subjects without the DPA sanctioning them for doing
so, simply by not designating an EU Representative according to Art. 27 of
the GDPR.
Note: That representative would be held accountable; without one, the CNPD
(LUX DPA) argues that there is no way for them to proceed.
https://www.privacy-regulation.eu/en/article-27-representatives-of-controllers-or-processors-not-established-in-the-union-GDPR.htm
III. Advisory
----------------------------
If your data is also included in RocketReach (just search on their
website), then file a complaint with your local DPA (it's usually very
easy and fast).
V. Timeline
----------------------------
5th of April 2019 - Issued a DSAR to RocketReach
5th of April 2019 - RocketReach responds by deleting my data
5th of April 2019 - Filed a complaint via my national DPA (CNPD)
6th of March 2020 - The CNPD agrees with my position but claims to not
be able to pursue further.
See:
https://blog.zoller.lu/2020/05/how-to-effectively-evade-gdpr-and-reach.html
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/