It’s important to remember that the definition of personal data is very broad: it includes not only users’ names and contact details, but also their IP addresses and account handles. Your website will be processing personal data if you’re doing something with that information, such as collecting, recording, storing, using or sharing it.
- you ask users to provide their contact information if they want to subscribe to your newsletter; and/or
- you track how people are using your site.
Where you got the personal data directly from the individual
Where you got the information from a third party
- a month after you obtained their personal data;
- if you are using the personal data to communicate with them, the point at which you send your first communication; or
- if you’re planning to disclose the personal data to someone else, the point at which you actually disclose it.
To rely on this exception, you must be able to demonstrate that the individual in question already has your privacy information (eg because the organisation you received the personal data from has already provided it to them). If you’re unsure whether it has actually been passed on, you should make sure you provide it yourself.
2. Providing the information to the individual would be impossible
In some circumstances, it may be impossible for you to provide your privacy information to the individual in question. For example, you might not have their contact details or any reasonable way to get hold of them. If you’re going to rely on this exception, you must carry out a data protection impact assessment (DPIA) before doing so and publish your privacy information (eg by linking to it on your website).
3. Providing the information to the individual would involve a disproportionate effort
If the effort it will take you to provide the individual in question with your privacy information would be disproportionate to the effect that your use of the data will have on them, you may be able to rely on this exception. To do so, you should make a written record of your proportionality assessment and conduct a DPIA before processing the personal data.
Considerations you can bear in mind when making your assessment of proportionality include:
- the number of individuals involved;
- how old the personal data is; and
- what safeguards you have put in place.
In any event, if you’re relying on this exception, you must still publish your privacy information (eg by linking to it on your website).
4. You’re required by law to obtain and disclose the data
In some instances, you will be required by law to obtain or disclose personal data which you have obtained from a third-party source.
Before joining Sparqa Legal as a Senior Legal Editor in 2017, Frankie spent five years training and practising as a corporate disputes and investigations lawyer at leading international law firm Hogan Lovells. As legal insights lead, Frankie regularly contributes to Sparqa Legal’s blog, writing content across employment law, data protection, disputes and more.