
Can handling the proposed content of a website fall foul of GDPR regulation?


  • Can handling the proposed content of a website fall foul of GDPR regulation?

    I am a web-developer. I have a friend who insists that material sent to me by a client as part of the proposed content of a website they are contracting me to build can qualify as sensitive data and as such can fall foul of the EU's new GDPR regulation.

    So taking the following example: I have a customer who contracts me to build them a website. They provide me with the content that they want on the pages (a publicly-accessible website that anyone with an internet connection can see). If that content contains personal info (e.g. names, photos, employment history) then I, as the web-developer, am now in possession of "sensitive information" and need to abide by all the relevant legislation for handling this information; despite the fact that they have given me this of their own volition with the express purpose of displaying it publicly on their website.

    To be clear, according to what I am being told, if I was being tasked with building a web page with staff info like this one for example, then having the client send me the staff names and photos means that I am now "processing personal data".

    This seems ridiculous to me, and not what the regulation was intended for; namely the soliciting and harvesting of personal information for targeted-marketing purposes, which is obviously not at all what is happening here. Surely if I am simply sent a mass of material and asked to put it on a website then by doing so I am merely fulfilling a contract?

    What are your thoughts on this? Thank you.

  • #2


    https://ico.org.uk/global/contact-us...organisations/
    Peridot


    • #3
      Hello

      "This seems ridiculous to me, and not what the regulation was intended for; namely the soliciting and harvesting of personal information for targeted-marketing purposes, which is obviously not at all what is happening here."
      This is exactly what the Regulation was intended to cover (as was the previous 1998 Act); using personal data for marketing purposes is just one aspect of it. The definitions of 'personal data' and 'processing' under the GDPR are very wide in scope, which I have set out in full below:

      "personal data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

      "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
      Based on what you've said, if you are simply being given the data and inserting it into the website, I would probably say you are just a data processor since you are merely taking instructions from your client. When you start to determine the purpose and means of that data, then you become a controller (or in some circumstances a data controller and a processor).

      Some of the data supplied to you might not be categorised as 'sensitive' (which is now known as 'special categories of data' under the GDPR). Racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, biometric or genetic data or data about someone's health are all special categories of data under the GDPR. There are stricter requirements to use this data and unless the data controller, i.e. your client, can fall into one of the exemptions (I suspect they might rely on the exemption for using it as part of the data subject's employment) they would otherwise need explicit consent.

      In terms of your obligations as a data processor, I would suggest you read the following link, particularly the paragraph at the end on liabilities and responsibilities (Articles 28-36 of the GDPR generally govern data processors'/controllers' obligations).

      https://ico.org.uk/for-organisations...nce/contracts/


      • #4
        To add to Rob's comprehensive response above, the way to cover yourself in this instance is to include in your terms of business the relationship of you and your client in terms of the GDPR legislation. Define that you are the Data Processor and at all times they will remain the Data Controller, then go on to define what you will do as a Data Processor.

        If you get stuck for wording I can probably post the beginnings of what you could include on Monday.