Can handling the proposed content of a website fall foul of GDPR regulation?


  • Can handling the proposed content of a website fall foul of GDPR regulation?

    I am a web-developer. I have a friend who insists that material sent to me by a client as part of the proposed content of a website they are contracting me to build can qualify as sensitive data and as such can fall foul of the EU's new GDPR regulation.

    So taking the following example: I have a customer who contracts me to build them a website. They provide me with the content that they want on the pages (a publicly-accessible website that anyone with an internet connection can see). If that content contains personal info (e.g. names, photos, employment history) then I, as the web-developer, am now in possession of "sensitive information" and need to abide by all the relevant legislation for handling this information; despite the fact that they have given me this of their own volition with the express purpose of displaying it publicly on their website.

    To be clear, according to what I am being told, if I was being tasked with building a web page with staff info like this one for example, then having the client send me the staff names and photos means that I am now "processing personal data".

    This seems ridiculous to me, and not what the regulation was intended for; namely the soliciting and harvesting of personal information for targeted-marketing purposes, which is obviously not at all what is happening here. Surely if I am simply sent a mass of material and asked to put it on a website then by doing so I am merely fulfilling a contract?

    What are your thoughts on this? Thank you.

  • #2


    https://ico.org.uk/global/contact-us...organisations/
    Peridot


    • #3
      Hello

      "This seems ridiculous to me, and not what the regulation was intended for; namely the soliciting and harvesting of personal information for targeted-marketing purposes, which is obviously not at all what is happening here."

      This is exactly what the Regulation was intended to cover (as was the previous 1998 Act); using personal data for marketing purposes is just one aspect of it. The definition of 'personal data' and 'processing' under the GDPR is very wide in scope, which I have set out in full below:

      "personal data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

      "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
      Based on what you've said, if you are simply being given the data and inserting it into the website, I would probably say you are just a data processor since you are merely taking instructions from your client. When you start to determine the purpose and means of that data, then you become a controller (or in some circumstances a data controller and a processor).

      Some of the data supplied to you might not be categorised as 'sensitive' (which is now known as 'special categories of data' under the GDPR). Racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, biometric or genetic data or data about someone's health are all special categories of data under the GDPR. There are stricter requirements to use this data and unless the data controller, i.e. your client, can fall into one of the exemptions (I suspect they might rely on the exemption for using it as part of the data subject's employment) they would otherwise need explicit consent.

      In terms of your obligations as a data processor, I would suggest you read the following link, particularly the paragraph at the end on liabilities and responsibilities (Article 28-36 of the GDPR governs generally data processors/controllers obligations).

      https://ico.org.uk/for-organisations...nce/contracts/


      • #4
        To add to Rob's comprehensive response above, the way to cover yourself in this instance is to include in your terms of business the relationship of you and your client in terms of the GDPR legislation. Define that you are the Data Processor and at all times they will remain the Data Controller, then go on to define what you will do as a Data Processor.

        If you get stuck for wording I can probably post the beginnings of what you could include on Monday.


        • #5
          I had a somewhat similar problem back in the days when I worked for one company. Though it was mentioned both in our terms and even in our animated explainer video https://topexplainers.com/explainer-animation/ on the website, people still tried to abuse the process the way they wanted to. As mentioned above, make your customers read your agreements in advance.
