Re-use of personal data in the context of the GDPR

 

I collected personal data a few years ago, in this case email addresses for a specific purpose. Is it possible to reuse personal data that I collected before the GDPR for another purpose?

So first of all, what is personal data in the sense of the GDPR? Because many people don’t really know what personal data is and think that it is limited to names, surnames and addresses. But don’t worry, Article 4 gives the official definition of personal data.

 

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

 

The European Commission website provides a non-exhaustive list with examples of personal data.

 

  • A first and last name.
  • A personal address.
  • An e-mail address such as personalname@company.
  • An identity card number.
  • Location data (e.g. location data function on a mobile phone)*.
  • An Internet Protocol (IP) address.
  • A cookie identifier*.
  • Your phone’s advertising ID.
  • Data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

 

This same site also gives a small list, also not exhaustive, of what is not personal data.

 

  • A business registration number.
  • An email address such as info@company.com.
  • Anonymised data.

 

Having settled this, let’s get back to the problem at hand: “I collected personal data a few years ago, in this case email addresses for a specific purpose. Is it possible to reuse personal data that I collected before the GDPR for another purpose?”

So what elements do we have to answer this question?

 

  • Collection of personal data.
  • Collected before the GDPR, i.e. before May 2018.
  • Collected for a specific purpose.

 

Whereas the GDPR requires a legal basis for the processing of personal data.
Whereas the GDPR requires a time limit for the retention period.
Whereas the processing has received consent for a specific purpose.

The elements of the answer obviously apply to all types of personal data.

Let us ask ourselves different questions:
What is the legal basis for the retention period? Is the retention period compatible with Article 5.e of the GDPR, which states that personal data must be:

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

 

Is post-consent processing compatible with Article 5.b, which requires that personal data be:

 

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

 

And the answers to the questions we have asked ourselves will determine whether we can legally re-use the data collected.

 

  • If the retention period has been set to be compatible with Article 5.e of the GDPR, we have a first element that allows us to re-use this data. If the retention period is not compliant, we will not be able to re-use the data legally.
  • Then, if the retention period is compliant AND the purpose for re-using the personal data remains the same as the purpose covered by the initial consent, there is nothing to prevent the re-use.
  • On the other hand, if the retention period is compliant BUT the purpose for re-use of the data does not correspond to the purpose of the initial consent, then re-use is not allowed for this new purpose.

 

BUT it is a bit more complex than that, and the European Commission gives more guidance on the re-use of data for a new purpose.

 

If your company/organisation has collected data on the basis of a legitimate interest, contract or vital interests, it may be used for another purpose but only after checking that the new purpose is compatible with the original purpose.

Attention should be paid to the following points:
– the link between the original purpose and the new or future purpose;
– the context in which the data were collected (What is the relationship between your company/organisation and the data subject?);
– the type and nature of the data (Are they sensitive?);
– the possible consequences of the envisaged further processing (What impact will it have on the data subject?);
– the existence of appropriate safeguards (such as encryption or pseudonymization).

If your company/organisation wishes to use the data for statistical or scientific research purposes, there is no need for a compatibility test.
If your company/organisation has collected data on the basis of consent or in compliance with a legal requirement, no further processing beyond the areas covered by the original consent or legal provision is possible. Further processing would require a new consent or legal basis.

Examples
Further processing is possible.
A bank has a contract with a customer to provide a bank account and a personal loan. At the end of the first year, the bank uses the customer’s personal data to check whether he or she is eligible for a better type of loan and a savings plan. It informs the customer of this. The bank may process the customer’s data again because the new purposes are compatible with the original purposes.

Further processing is not possible.
The same bank wants to share the customer’s data with insurance companies, based on the same contract for a bank account and a personal loan. This processing is not allowed without the explicit consent of the customer as the purpose is not compatible with the original purpose for which the data were processed.

References
– Articles 5(1)(b), 6(4), 89(1); Recitals 39, 50
– Article 29 Working Party. Opinion 03/2013 on purpose limitation, 2 April 2013 (WP 203)

 

The answer to the question of re-using personal data is therefore not so simple, and you will have to ask yourself different questions before knowing whether or not it will be possible to re-use personal data for a new purpose.

That being said, I strongly advise you to call on a GDPR consultant, your DPO, or a specialist lawyer, because the fines for not respecting the GDPR can be very high.

 

 

Sources:
https://gdpr-text.com/
https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/principles-gdpr/purpose-data-processing/can-we-use-data-another-purpose_en