Data collection within GDPR

Welcome Reader,
Today we will cover data collection within the GDPR.

The General Data Protection Regulation does not only concern the EU citizens it protects, but also the organisations that need data to improve, develop, and grow; it affects digital marketing and web analytics. So how can you practise data collection and analyse data while still respecting user rights under the GDPR?

Previously, we talked about data collection and data management. With the GDPR it is a little harder to collect relevant data, but in practice it is not that hard.

Let’s dive deeper into it! 

Personal Data

To start with, we need to clarify what is considered personal data, since that shapes the whole data collection process.

Basically, everything about the user is personal data. This includes:

  • Name
  • Email address
  • Location
  • IP address
  • Browser history
  • Access logs
  • Error logs
  • Security audit logs

Personal Data to Process

But which data can we process under which conditions?

The European Commission answers this question. Depending on the reason for processing the data and the intended use, different data collection is allowed. There exist several key rules that need to be followed and respected:

  • Lawfulness, fairness and transparency – Personal data must be processed in a lawful and transparent manner that is fair to the user whose data was collected
  • Purpose limitation – When collecting data, the purpose needs to be defined, specific, and communicated to the users whose data is being collected
  • Data minimisation – You may only collect the data necessary to fulfil the purpose
  • Accuracy – You must make sure that the collected data is always accurate and up to date
  • Compatibility – You may only use the data for the stated purpose, not for other purposes that are incompatible with the original one
  • Storage limitation – The data can be stored only until the purpose for which it was collected has been fulfilled
  • Integrity and confidentiality – The security of the personal data must be ensured with technical and organisational safeguards

Additionally, the GDPR allows you to collect and store personal information as long as the user remains absolutely anonymous, so that there is no possibility of tracing the user from the stored data.
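Access logs, error logs and IP addresses all appear in the list of personal data above, and the paragraph just above says that stored data is only unproblematic once the user can no longer be traced from it. As an added example (not code from the original post), here is a small Python script that applies data minimisation, anonymisation and storage limitation to constructed sample access-log lines: it truncates IPv4 addresses to a /24 and IPv6 addresses to a /48, drops the authenticated-user field, and discards entries older than a retention window. The sample lines, the prefix lengths, the fixed "current time" and the 30-day retention window are all assumptions for illustration, not values from the post.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache/nginx "combined" format. The addresses are
# documentation ranges (RFC 5737 / RFC 3849), not real visitors.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Mar/2024:13:55:36 +0000] "GET /pricing HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
2001:db8:abcd:1234:5678:9abc:def0:1 - - [12/Mar/2024:08:01:02 +0000] "POST /signup HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - alice@example.com [01/Mar/2024:00:00:01 +0000] "GET /account HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.99 - - [01/Jan/2024:23:59:59 +0000] "GET / HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Fixed "now" so the retention check is reproducible (an assumption for the example).
FIXED_NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)

# ip ident user [timestamp] rest-of-line
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def anonymize_ip(ip: str) -> str:
    """Truncate an address so it no longer points at a single host.

    IPv4 keeps the first 24 bits, IPv6 the first 48. These prefix lengths are
    an assumption for this example; choose what your own risk assessment needs.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def anonymize_line(line: str, now: datetime, retention: timedelta):
    """Return the minimised line, or None if the line must not be kept."""
    m = LOG_RE.match(line)
    if m is None:
        # A line that does not parse might carry personal data in an
        # unexpected place, so dropping it is safer than keeping it unchanged.
        return None
    ts = datetime.strptime(m["ts"], TS_FORMAT)
    if now - ts > retention:
        # Storage limitation: the retention window for this purpose has passed.
        return None
    # Data minimisation: keep the truncated address, drop identd and the auth user.
    return f'{anonymize_ip(m["ip"])} - - [{m["ts"]}] {m["rest"]}'


def anonymize_log(text: str, now: datetime, retention_days: int) -> list[str]:
    """Minimise every line of a log text and drop entries outside retention."""
    retention = timedelta(days=retention_days)
    kept = []
    for line in text.splitlines():
        if not line.strip():
            continue
        out = anonymize_line(line, now, retention)
        if out is not None:
            kept.append(out)
    return kept


if __name__ == "__main__":
    for entry in anonymize_log(SAMPLE_LOG, FIXED_NOW, retention_days=30):
        print(entry)
```

Run as-is, the script keeps the three March entries with their addresses reduced to `203.0.113.0`, `2001:db8:abcd::` and `198.51.100.0`, removes `alice@example.com` from the third line, and drops the January entry. Truncating addresses and deleting user fields only covers the fields shown here; the request path and user-agent string can still single out a person in some setups, so review those fields against the same minimisation principle before treating such logs as anonymous.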

But attention! According to the GDPR it is almost never allowed to collect data such as:

  • Race, ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union memberships
  • Genetic or biometric data
  • Health or mortality
  • Sex life or sexual orientation 

Collecting certain data is allowed if it is required by law. If that is the case and you have permission to collect this type of data, make sure to state it in the privacy policy and explain why you need it.

General Information

To understand the GDPR a little better, it is crucial to understand an important distinction it makes: controllers, processors, and subjects. The GDPR's obligations differ slightly for each of these parties.

Controllers – That is your company, which collects the data, needs it, and uses it for specific purposes.

Processors – Processors are the companies that deliver the tool to collect the data. They are the middlemen who analyse the data and make suggestions on how to use it.

Subjects – Subjects are the users, and every person is considered one.

Legal Bases

Again, when practising data collection, the purpose needs to be stated in the privacy policy. But what counts as a valid purpose?

In general, 5 legal bases exist for collecting, storing, and processing data:

The Vital Interest Of The Individual

Vital interest is the legal basis when the data collection is crucial for protecting the individual's life and the individual cannot give or refuse consent. This situation is typical in medical emergencies where the individual cannot consent or refuse. If the medical care has already been arranged, public interest would be the more suitable basis.

The Public Interest

Public interest is a reliable legal basis when the data collection is used to inform and protect the public. It is normally used to process the data of public authorities, of suspects in criminal cases (local or national), of employees and employers in social security and social protection cases, of people who deal with public and state finances, and of subjects of scientific and historical studies when the data collection is crucial for the research.

Contractual Necessity

When entering or fulfilling a contract, contractual necessity is the legal basis for the data collection.

Unambiguous Consent of the Individual

This is the applicable legal basis when the individual has given consent to the data collection and processing, which gives them choice and control over their own privacy. Making the options clear and specific makes it easy for the individual to give consent.

Legitimate Interest of the Data Controller

This legal basis works when the subject expects their data to be collected and processed. To rely on it, it is crucial to identify the legitimate interest, to show that the data collection and processing is necessary for the service being implemented, and to weigh that interest against the subject's rights, freedoms and interests.

Privacy Policy

To comply with the GDPR, it is important to keep your privacy policy updated to fit the GDPR requirements. Be as clear and transparent as possible and state which data you collect, for which purpose, how you store it and for how long.

The GDPR also requires you to make the privacy policy easy to read and understand. Avoid overly professional language, because the privacy policy is written for an average user. Don't forget to mention how you and any third parties will use the data, and state the exact names of those third parties.

Steps To Take

Protect your website visitors – Know who is visiting your website and what data you collect from them. If any of it is categorised as personal data, make sure to protect it.

Consent and transparency – Make sure that your visitors have the option to give consent and that they are aware of when, how, and why their personal data is collected and used.

Update your privacy policy – Make the privacy policy easy for your users to understand, and keep it up to date so that it stays transparent.

It is crucial to comply with the GDPR to protect your users and build a trusting relationship.
