I collected personal data a few years ago, in this case email addresses for a specific purpose. Is it possible to reuse personal data that I collected before the GDPR for another purpose?
So first of all, what is personal data in the sense of the GDPR? Because many people don’t really know what personal data is and think that it is limited to names, surnames and addresses. But don’t worry, Article 4 gives the official definition of personal data.
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; |
The European Commission website provides a non-exhaustive list with examples of personal data.
|
This same site also gives a small list, also not exhaustive, of what is not personal data.
|
Having settled this, let‘s get back to the problem at hand: « I collected personal data a few years ago, in this case email addresses for a specific purpose. Is it possible to reuse personal data that I collected before the GDPR for another purpose?
So what elements do we have to answer:
|
Whereas the GDPR requires a legal basis for the processing of personal data.
Whereas the GDPR requires a time limit for the retention period.
Whereas the processing has received consent for a specific purpose.
The elements of the answer obviously count for all types of personal data
Let us ask ourselves different questions:
What is the legal basis for the retention period? Is the retention period compatible with Article 5.e of the GDPR which states that personal data must be :
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’); |
Is post-consent processing compatible with Article 5.b which requires that :
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’); |
And the answers to the questions we have asked ourselves will determine whether we can legally re-use the data collected.
|
BUT it is a bit more complex than that, and the European Commission gives more guidance on the re-use of data for a new purpose.
If your company/organisation has collected data on the basis of a legitimate interest, contract or vital interests, it may be used for another purpose but only after checking that the new purpose is compatible with the original purpose. Attention should be paid to the following points: If your company/organisation wishes to use the data for statistical or scientific research purposes, there is no need for a compatibility test. Examples Further processing is not possible. References |
The outcome of the questions of re-use of personal data are therefore not so simple, and you will have to ask yourself different questions before knowing whether it will be possible or not to re-use personal data for a new purpose.
That being said, I strongly advise you to call on a GDPR consultant, your DPO, or a specialist lawyer. Because the fines for not respecting the GDPR can be very expensive.
Sources : https://gdpr-text.com/ https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/principles-gdpr/purpose-data-processing/can-we-use-data-another-purpose_en