There are gaps in the law. If data are to be properly protected in the current deficient framework, the trust that must be placed in the company becomes a particularly important factor. We should therefore stay away from less trustworthy companies, obviously.
