What do we need to think about if we plan to share personal data with (or sell it to) other organisations?
If you set out to collect personal data with the intention of selling it to (or sharing it with) third parties, you must inform people as part of the privacy information you provide. You must tell them who you will give their information to and why, unless you are relying on an exception or an exemption. You can tell people the names of the organisations or the categories that they fall within in. You should choose the option that is most meaningful and useful for individuals, bearing in mind what you are doing with their personal data.
Example
An online retailer uses several different companies to handle financial transactions with its customers via a number of payment methods. The retailer decides that providing its customers with the specific names of all these companies is not meaningful for its customers as it is not clear who the companies are or what they do. As such, it tells its customers that their payment details are passed to payment processing companies when an order is placed.
The same retailer also sells the names, contact details and purchase histories of its customers to other retail companies for the purposes of postal marketing. The retailer provides its customers with the specific names of the organisations that it sells their information to, as opposed to the categories they are in. It does this so that its customers are informed about exactly who holds their personal data and can easily exercise their rights about its use.
If you determine that it is most meaningful to provide individuals with the names of the organisations that you pass their information to, this does not necessarily mean that you need to list every organisation up front. If there are a large number of organisations it is a good idea to take a layered approach to providing this information. For instance, in an online context, you can give individuals a link to the full list of the organisations.
It is also good practice to embed links to tools like dashboards in the places that you provide people with privacy information. This allows individuals to manage their preferences and to prevent their data being sold or shared where they have a choice. Selling or sharing personal data is one area in which using an icon alongside your privacy information may also be helpful.
In terms of timing, when you collect information from the individual it relates to, you must tell them who you will give their information to at the point you obtain it. If you obtain personal data from a source other than the individual it relates to, you need to tell the individuals who their information will be passed to no later than one month after obtaining the information. If, however, the personal data is given to another organisation within a month of obtaining it, you must tell the individuals about this, at the latest, when the information is passed on.
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.
What if we buy personal data from other organisations?
When buying personal data from another organisation, you must provide people with your own privacy information, unless you are relying on an exception or an exemption. If you rely on the exception that providing the privacy information would be impossible, or that it would involve a disproportionate effort, you must carry out a DPIA in order to identify and mitigate the risks associated with your use of the personal data.
It can be useful to check the information that the other organisation provided people with to see what they have, and haven’t, been informed about. If you are unsure as to whether people have been provided with the relevant privacy information, you should make sure to provide this to them yourself. Remember that, because you are not obtaining personal data from the individual it relates to, you need to tell them about the different types of information you collected about them, as well as the source of that information.
If what you plan to do with people’s personal data is different to what they were originally told you must make sure that the privacy information you provide them with reflects the new purpose for using the data. As well as doing this, you will also need to consider (and tell people) what your lawful basis is. You may need to assess whether the new use is compatible with the original purpose for which the personal data was obtained.
You need to provide people with your privacy information within a reasonable period of buying their personal data, and no later than a month. To ensure that what you are doing is fair, as well as transparent, you should do this sooner rather than later, especially if individuals would not reasonably expect what you plan to do with their personal data or if it would have a significant effect on them.
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.
WP29 published the following guidelines which have been endorsed by the EDPB:
What do we need to think about if we obtain personal data from publicly accessible sources?
The fact that personal data is publicly available does not mean that individuals no longer have the right to be informed about any further uses of their information. If you obtain personal data from publicly accessible sources (such as social media, the open electoral register and Companies House), you still need to provide individuals with privacy information, unless you are relying on an exception or an exemption. As above, if you rely on the exception that providing the privacy information would be impossible, or that it would involve a disproportionate effort, you must carry out a DPIA in order to identify and mitigate the risks associated with your further use of personal data.
Organisations sometimes obtain information from publicly accessible sources in order to combine, match or add to information that they already hold on an individual (or that they have bought in). This can be particularly intrusive, and unexpected, as it can create a very detailed picture of an individual’s affairs. If you intend to do this, you need to tell people about it. This is a clear example of where it is appropriate to highlight this information to people, for instance by including it in the first layer of a layered privacy notice. This type of processing also requires you to carry out a DPIA, due to the high risks involved.
Whatever you plan to do with personal data obtained from publicly accessible sources, you need to ensure that you have a valid lawful basis and you must tell people what this is in the privacy information that you provide to them. The lawful basis you rely on will affect the rights that individuals have in relation to your use of their personal data. Your privacy information must make clear what rights people have, and in particular, the right to object must explicitly brought to people’s attention.
You need to provide people with your privacy information within a reasonable period of obtaining it. The latest point at which you can do this is one month after the personal data is obtained, but depending on the circumstances, it will not always be fair to wait this long. People’s reasonable expectations about how their personal data may be further used will differ depending on the nature of the personal data and the type of publicly accessible source from which you obtained it. Where further uses of publicly available personal data are less likely to be expected, or could significantly affect individuals, you should provide them with your privacy information as soon as possible after it is obtained.
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.
WP29 published the following guidelines which have been endorsed by the EDPB:
What do we need to think about if we use Artificial Intelligence (AI)?
The use of AI raises particular issues about data protection and transparency, where personal data is used. AI can typically involve processing large volumes of information and using algorithms to detect trends and correlations, often for the purposes of automated decision making and profiling. In some cases this type of processing can have a relatively limited impact on individuals but in others it can be extremely intrusive and have significant effects.
People often have limited awareness that information about them is being gathered and processed in this way. Although it can be more difficult to foresee at the outset how you will use personal data in this context, you still need to give people an indication of what you are doing with their data. If necessary, you should add additional detail to your privacy information as you go on, making sure to bring this to people’s attention. It can be useful to use just-in-time notices to deliver this type of information to people.
If you use AI to make decisions about people or to profile them, you need to be upfront about it and explain your purposes for doing so. If the decisions are solely automated and have legal or similarly significant effects, you must provide people with extra detail on the logic involved, the significance of the processing and the envisaged consequences of it. In practice, this means telling people what information you use, why it is relevant and what the likely impact is going to be. The way you provide this information to people must be clear and meaningful, you should not confuse people with overly complex explanations of the analytics.
Applying AI to personal data can often find new uses for it. If you obtained information for one purpose but you now intend to use it for another you must tell people about this before you start any new processing. This means updating your privacy information and proactively bringing the changes to people’s attention. You can use a dashboard to alert people to changes in the use of their data and to allow them to exercise their rights in relation to the new processing.
As well as new purposes, AI can also create new data about people. For instance, you might use a machine learning algorithm to profile people so that you can infer or predict their interests. If you know what type of new personal data you plan to create you should tell people this in advance as part of your explanation of the purposes for processing. However, AI can also reveal unexpected patterns in data. If you create new information about people that they would not reasonably expect you to have, and you plan to keep and use this data, you need to tell them about this within a reasonable period of its creation, and within a month at the latest.
Using AI can deliver a wide range of benefits, but it is often opaque to the individuals whose data is being processed, and may produce unexpected consequences for them. If you are using data in this way it is important to build a relationship of trust with people. Being open about what you do, and finding effective ways to deliver privacy information are both key to that relationship.
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.
WP29 published the following guidelines which have been endorsed by the EDPB: