
It’s good to know that GDPR is not just annoying banners


GDPR was never annoying banners, that's just malicious compliance.


In most cases those banners are not even compliant, so "malicious non-compliance" is generally speaking more accurate.


Since GDPR, every interaction with public administration, healthcare, and employers within the EU results in an additional form or two: "oh, that's just a GDPR form, you have to sign it". Do I imply they are all malicious as well?


In fact, yes. It's malicious in the vast majority of cases, with behavior patterns quite akin to cons where you are made to sign something under time pressure and are actively discouraged from asking questions.

I had maybe one occasion where upon asking questions about how long they store my information and who exactly they give it to, I actually got answers and learned something. It was a dentist office, and by that time I had been visiting them so often that we were practically friends.

The rest of the time (mostly in hotels), they didn’t like it very much that I took time to read through their GDPR forms and actively withdraw my consent from optional things, of which there was like 85%, and some dealt with sharing my data with undisclosed marketing partners. Some of this, especially the undisclosed bit, I think, is a no-no under GDPR, although a lawyer may promise you a way to weasel out of trouble.

Note that when you deal with public administration, depending on the country, they may have you sign something to the effect that if they fine you and you don’t pay, your data will go to a debt collection firm, at which point you may assume it goes to all of them, because they trade debts between themselves, too. And of course, those share data with further companies according to agreements between themselves to which you are not a party, so I’m wondering if there is/should be a way to curb them…


Yes, because there are specific exceptions in the GDPR that allow data processing and storage in many of these cases. However, managers are pissed off by the law, or just ignorant, and they make you sign a document that has no legal value.

Heck, many documents that I saw while interacting with P.A. in my country are lacking the basics, such as "what are you doing with the data".

One clinic once made me sign a document where they said that I received a copy of the privacy policy (which was not given to me). I politely asked for the privacy policy, and they sent me the entire GDPR regulation PDF. I spent one hour explaining to them that they need to fix it.



