Interesting. What are your obligations under GDPR in that case? It's not like a packing machine can request data deletion.

Eh?

The GDPR is there to protect your personal/sensitive data, or data that can personally identify you. If has nothing whatsoever to do with data capture from industrial machinary.

I remain astounded how ignorant some people are of basic GDPR principle: protecting your _personal_ data.

> The trouble started when lawyers correctly noticed that these are incidentally capable surveillance systems even though that isn't how we use them or what they were designed for.

Many systems were not explicitly designed for surveillance, and are. Because many systems collect too much data to begin with.

Hence the problem: people who collect too much data claim that GDPR is complicated, complex, convoluted, impossible to comply with... instead of changing what data they collect, and how.

Additionally, people confuse the complexity of human endeavours with the complexity of the law. GDPR itself is neither complex nor complicated. It doesn't try to carve out exceptions, rules, and regulations for every possible activity humans may attempt. Then it would become impossible to understand or comply with.

As is, it has enough carveouts for industries which require more data than strictly necessary, called "legitimate interest" (which still doesn't allow you to just use this data willy-nilly). E.g. banks collect significantly more data about customers than strictly necessary (because KYC, fraud, security etc.), and store that data for significantly longer amount of time than allowed by privacy-related laws (because they are governed by bank laws of respective countries). It doesn'tmean they can sell that data or spy on users.

Same here. It's not on the law to tell you exactly how to operate your "industrial-scale operation". It's on you to fix your shit, stop collecting more data than necessary, have data protection in place, delete data after a reasonable time, anonymize data etc.