6 out of 10 Americans believe that it is impossible to avoid the collection of personal data in everyday life. They are right. A study by WhoTracks.Me found that 82% of web traffic contains third-party Google scripts and confirmed that half of them collect personal user data. Google tracks 40% of web traffic, Facebook 15%, Twitter and Microsoft 4%.
More and more users are worried about how companies use their data. For example, the latest version of Apple iOS includes a new privacy feature, which requires mobile apps to ask users for permission to collect data. As of April 2022, among those who have already installed the iOS 14.5 update, only 25% have allowed tracking.
Under the GDPR, a business must be transparent and open about what personal information it collects from customers if it wants to use internet marketing tools and monetize IT products. Let's find out what is considered personal data and how companies can increase customer confidence and ensure the security of customer data.
What data is considered personal?
Personal data is any information that can be used to identify a person. The GDPR rules do not apply to the personal data of a legal entity.
The more that personal data is combined, the more difficult it is to keep that data depersonalized. This creates higher risks and responsibility under the GDPR. While the GDPR has guidelines to determine what constitutes personal data, there is no explicit definition. The regulation includes only the concept and general principles for classification. So let's look at examples.
When a user places an order for a laptop in an online store, they fill out a form with personal data, which includes their name, surname, phone number, and e-mail. In addition to the personal data, the online store receives order data, which includes the model and color of the laptop. In this case, the first name, last name, telephone number, and e-mail would be considered personal data. But the model and color of the device are not considered personal data because it is impossible to identify a specific person using this information.
This approach can be different if a business deals with profiling for advertising purposes, so it is crucial to analyze business conditions to identify all types of data that are considered personal. When lawyers draw up a Privacy Policy and determine the list of personal data in a document, they study the context. Following the previous example, the online store may send messages to the buyer's phone number advertising accessories for a specific laptop model. The model then becomes a criterion for profiling and acquires the status of personal information. The buyer must consent to the automated processing of such data for marketing purposes. This requirement is established by Article 22 of the GDPR.
Let's take a look at an example of how best to create a list of personal data in order to stay compliant with GDPR regulations. Stalirov&Co IT lawyers wrote the Privacy Policy for Insurance Hunter, a paid lead generator for insurance companies. Using it, users from the US and the EU fill out a questionnaire, and software algorithms select the best financial solution based on personal preferences. To realize its goals, Insurance Hunter collects:
- Identification data: name, date of birth, age.
- Biographical information: marital status, gender and employment status.
- Contact details: home or other physical address, email address and phone number.
- Driver details: insurance policy information, car accident details, and car information.
- Financial data: credit information and annual income.
- Health data: biometric parameters (height, weight) and health information.
In addition to the personal data gathered through the questionnaire, Insurance Hunter’s platform receives technical data automatically when the user visits the website:
- IP address, other device address or ID.
- Web browser and device type.
- Geolocation data.
- Hardware and software settings and configurations.
- The pages the user is viewing.
- Site actions.
What is sensitive data under GDPR?
All of the information collected by Insurance Hunter is personal data; however, not all of it is “personal sensitive data”. Some of the personal information collected, processed and stored by Insurance Hunter is considered “personal sensitive data”, for which the GDPR requires a legal, purposeful goal. Without a legal, purposeful goal, the collection of the following data is prohibited by the GDPR:
- Racial or ethnic origin.
- Political views.
- Religious or philosophical beliefs.
- Membership in a trade union.
- Genetic and biometric data.
- Data about health, sex life or sexual orientation.
The processing of such data is only permitted with the express consent of the data subject for specific purposes.
Is an IP address considered personal data?
Individuals may be assigned internet identifiers, such as IP addresses or cookie identifiers. Together with other personal data, they can be used to create profiles or identify a person. So, following Preamble 30 of the GDPR, an IP address is considered to be personal data when, in conjunction with other additional information, it allows a person to be identified.
What individual personal data rights should a company guarantee?
The GDPR has established eight rights of data subjects, the violation of which leads to fines.
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Right to object to automated decision making and profiling
The Stalirov&Co IT lawyers have detailed the most important of them and what fines a company faces if it does not ensure the proper implementation of these rights.
Right to be informed
Users have the right to access comprehensive information about the collection, processing and storage of their data. This rule means that it is essential for businesses to describe in public documents all actions involving personal data. Read more about how to write a GDPR Privacy Policy here.
Failing to provide publicly accessible information regarding the collection, processing, and storage of personal data will lead to financial penalties.
In order to limit your liability, it is essential to present information concisely, clearly and in simple language. Place Privacy Policies in intuitive places, so the user is always one or two clicks away from accessing the document.
Right of access
The right of access allows a user to view the information a company stores about them. In order to access this data, the data subject must submit a request to exercise this right. The information must be provided without delay and free of charge.
The steps for gaining access to user data should be as simplified as possible. Technical difficulties experienced by a company cannot be an argument for reducing the fine.
Right to rectification
The GDPR requires that each customer is able to correct their inaccurate or incomplete personal data without delay.
Right to erasure and right to be forgotten
The GDPR has established six conditions when a user can request the deletion of data:
- Personal data is no longer needed for the purposes it was initially collected.
- A natural person withdraws consent to the processing of their data.
- A person objects to data processing for specific purposes, such as marketing.
- Personal data was processed unlawfully.
- Personal data must be deleted under local laws.
- Personal data is processed in connection with providing online services to a child.
In addition to deletion, data subjects may request the de-indexing of Google pages that link to information about them. The data will still be on the original sites but won't appear in Google's search results, so it's less likely to be seen.
Since the introduction of the de-indexing procedure, Google has received 1,347,534 requests. But not all of them were successfully processed. Because of this, in 2020, Google received a 7 million EUR fine from the Swedish Data Protection Authority for not deleting all requested pages. In addition, the Data Protection Authority demanded that Google stop informing website owners about which web page link was removed and who made the request. Such notification allows the site owner to republish the information at a different web address, which Google then indexes again. This makes the right to be forgotten impracticable.
Right to object
Under Article 21 of the GDPR, a user may object at any time to the processing of their data for specific purposes. For example, they can submit a request to stop direct marketing. This right is absolute. The company cannot override the customer's objection and must immediately stop using the data for direct marketing purposes.
Right to object to automated data processing
Under Article 22 of the GDPR, users have the right to contest any automated decision made based on the processing of their data.
The company's task is to describe to customers how they can exercise their rights and how to contact the company. To do this, public documents on websites and applications must include support service contacts. It is crucial to consider requests promptly and give detailed answers in case of refusal. The data protection officer (DPO) handles communication with clients. In the following article, Stalirov&Co IT lawyers explain who needs a DPO and what functions this specialist performs.