Personal data

Spe­cific lim­its

One of these prin­ci­ples is pur­pose lim­i­ta­tion. This is a sit­u­a­tion that when per­sonal in­for­ma­tion is col­lected and processed, it must be for a spe­cific and lim­ited rea­son. “No data can be col­lected just for the pur­pose of ad­ver­tis­ing in gen­eral, what type of ad­ver­tis­ing will be car­ried out must be spec­i­fied. The data must also be treated in a law­ful, trans­par­ent, fair and ap­pro­pri­ate man­ner,” says Vi­lasau, who also stresses that only the data that are strictly nec­es­sary for the spe­cific stated pur­pose can be col­lected.

In ad­di­tion, the reg­u­la­tion states that the col­lec­tion and treat­ment of the per­sonal data must be ac­cu­rate and must have a spe­cific du­ra­tion, for ex­am­ple, just for the length of a school year or dur­ing a spe­cific ad­ver­tis­ing cam­paign. An­other basic prin­ci­ple is in­tegrity and con­fi­den­tial­ity, in other words en­sur­ing that per­sonal data is se­cure, prop­erly stored, and never leaked. And this not only ap­plies to dig­i­tal se­cu­rity. Just last year, the Span­ish Data Pro­tec­tion Agency sanc­tioned – with a se­ri­ous warn­ing but not with a fine – a law firm in the Ca­nary Is­lands that had thrown away two rub­bish bags that were full of per­sonal doc­u­ments such as wills and deeds. An­other case was a breach in the se­cu­rity sys­tem of the health min­istry in Madrid last sum­mer that ex­posed the health data of more than 100,000 peo­ple.

An­other basic prin­ci­ple of the reg­u­la­tion is what is known as proac­tive re­spon­si­bil­ity. “The per­son re­spon­si­ble for pro­cess­ing the data must an­tic­i­pate any prob­lems that may well arise. For ex­am­ple, when de­sign­ing an ap­pli­ca­tion or a web­site, they must en­sure that the user will have to pro­vide as lit­tle per­sonal data as pos­si­ble,” says Vi­lasau.

This ex­pert on data pri­vacy also points out that tech­nol­ogy is far from neu­tral and that when the ar­chi­tec­ture of a sys­tem is de­signed, then de­ci­sions that can af­fect pri­vacy have to be made. She gives an ex­am­ple from the point of view of the pub­lic au­thor­i­ties, which have a duty to be trans­par­ent but de­pend­ing on how they build their data­bases aimed at shar­ing pub­lic in­for­ma­tion they could end up un­wit­tingly pro­vid­ing ac­cess to other sen­si­tive data that should re­main pri­vate. “When de­sign­ing these types of data­bases, it’s ex­tremely im­por­tant that the in­for­ma­tion can be par­tially ex­tracted from them,” she adds.

The thirst for data

“Many peo­ple want our data. Es­pe­cially the big tech and e-com­merce com­pa­nies, in order to pro­file us and sell us prod­ucts. But there are also other ac­tors who are in­ter­ested in our per­sonal data, such as se­cu­rity agen­cies and gov­ern­ments,” says Jordi Soria, the head of tech­nol­ogy and in­for­ma­tion se­cu­rity at the Cata­lan Data Pro­tec­tion Au­thor­ity.

In Eu­rope, the GDPR states that per­sonal data can only be processed in six cases. The first and most im­por­tant is only when the per­son in ques­tion has given his or her ex­plicit con­sent. “We’re be­com­ing more aware that our con­sent is re­quired but in this so­ci­ety we’re bom­barded with con­stant in­for­ma­tion, and so we’re sat­u­rated and we tend to click on “ac­cept” too quickly with­out stop­ping to con­sider the im­pli­ca­tions of the re­quest,” Vi­lasau points out.

There are some sit­u­a­tions in which per­sonal data can be processed with­out the ex­plicit con­sent of the in­di­vid­ual in­volved. In these cases, at least one of the fol­low­ing con­di­tions must be met: if it is to pro­tect the vital in­ter­ests of the in­di­vid­ual (such as in the event of dis­as­ters, hu­man­i­tar­ian crises or even pan­demics); if it is in the pub­lic in­ter­est (such as when re­quest­ing data from sex of­fender reg­istries when hir­ing some­one to work with chil­dren); when there is a con­trac­tual need in busi­ness, labour or ad­min­is­tra­tive re­la­tions (such as ac­cess­ing the data of an iden­tity card of a com­pany em­ployee); if it is to com­ply with legal oblig­a­tions (such as with billing data), and if it can be shown that it is in the le­git­i­mate in­ter­est of the data con­troller, or the party want­ing to process the data. This lat­ter con­di­tion is the least well de­fined and all the ex­perts in­sist that it should be stud­ied on a case-by-case basis. “It’s about find­ing the right bal­ance be­tween the in­ter­ests of the per­son af­fected and the gen­eral in­ter­est of the com­pany, the school, the foun­da­tion, or who­ever it is re­quest­ing to process the in­for­ma­tion. For ex­am­ple, in cer­tain mar­ket­ing sit­u­a­tions, if I want to process per­sonal data in order to send you ad­ver­tis­ing, the first thing to con­sider is whether the use of the data is le­git­i­mate. An­other ex­am­ple would be whether ap­pro­pri­ate mea­sures will be taken to pro­tect pri­vacy if mi­nors are in­volved. In short, the con­text of the pro­cess­ing of the per­sonal data needs to be stud­ied in order to de­ter­mine if the in­ter­est under con­sid­er­a­tion is truly le­git­i­mate,” says Vi­lasau.

All of these as­pects must be taken into ac­count by com­pa­nies, in­sti­tu­tions, ad­min­is­tra­tions and even self-em­ployed work­ers who have to process this type of data. Of course, at the same time, Eu­ro­pean law also pro­tects the rights of in­di­vid­u­als with re­gard to the use that may be made of their per­sonal in­for­ma­tion. “Data pro­tec­tion au­thor­i­ties en­sure that these rights are re­spected. Those af­fected may re­quest in­ter­ven­tion or ju­di­cial pro­tec­tion if they con­sider that their rights have not been re­spected,” adds the ex­pert.

Trans­parency key

One of the main rights is trans­parency of in­for­ma­tion: at all times the or­gan­i­sa­tions or com­pa­nies that process per­sonal data must ex­plain to those af­fected why they have it and under what con­di­tions. An­other right is to have er­ro­neous data cor­rected. For ex­am­ple, in the case of an in­surer who iden­ti­fies a cer­tain cus­tomer as a smoker when in fact they are not. Fail­ing to cor­rect in­for­ma­tion like this could be prej­u­di­cial if that per­son takes out med­ical in­sur­ance.

This ac­cess to your own per­sonal data must also be made sim­ple and must be free. “We re­ceive many in­quiries from peo­ple who want to know what per­sonal in­for­ma­tion of theirs may be cir­cu­lat­ing on the In­ter­net. But it is not us they should ask but rather the com­pa­nies to whom they have given con­sent to ac­cess and process their data,” says Soria.

In gen­eral, says the head of the Cata­lan Data Pro­tec­tion Au­thor­ity, we’re largely un­aware of the value of our per­sonal data, and also of who has it. “We click “ac­cept” with­out re­ally know­ing what we’re doing, and with­out read­ing any­thing. It’s very dif­fi­cult not to do this as it takes a lot of ef­fort to stop and re­ally con­sider what we’re con­sent­ing to with this sim­ple ges­ture,” he in­sists.

And the data pro­tec­tion head adds that it is also ex­tremely im­por­tant for us to be aware of the per­sonal ma­te­r­ial that we our­selves may make pub­lic on­line. “When­ever you post some per­sonal data on the In­ter­net, this in­for­ma­tion is very often not lim­ited just to the place where you posted it. This means that we have to be aware not only of the au­tho­ri­sa­tions con­cern­ing data that we give oth­ers, but we also have to think twice be­fore post­ing any­thing our­selves on so­cial media. Once it’s on the in­ter­net, you no longer con­trol where it might end up,” con­cludes Vi­lasau.