The UK General Data Protection Regulation (UK GDPR) regime regulates the collection and use of personal data in the UK. Busy businesses increasingly rely on collecting certain personal information from third parties rather than directly from individuals. However, collecting personal data from third parties involves various legal rules under data protection law, which you should be aware of and comply with. This article explores some critical issues a data controller business should consider when collecting personal data from third parties.
What are Common Examples of Collecting Data from Third Parties?
As a data controller, you may collect information directly from individuals. For example, you might ask your customers to sign up for your services online and gather their contact details and payment information via your e-commerce shop.
Some businesses do not collect all personal data directly from individuals. Instead, they may use third-party sources such as data brokers or credit agencies to gather personal data on their behalf. While this approach can be helpful, it also introduces complex legal considerations.
What Key Issues Should You Consider When Collecting Data from Third Parties?
The UK GDPR sets out a comprehensive data protection framework that regulates the processing of personal data to ensure transparency, fairness, and lawfulness when using personal information. When you collect personal data from third parties, compliance with the UK GDPR is crucial to protecting individuals’ rights and maintaining trust in your business.
This is particularly important when your company has yet to collect an individual’s details directly from them.
Here are some key issues your business needs to consider when collecting personal data from third-party sources:
The Right to Be Informed
The UK GDPR gives individuals the right to be informed. Data controllers must notify individuals about collecting their data from third-party sources. You need to provide essential information, such as details about the data’s source, the categories of personal data collected, and the purposes of processing.
It is essential to inform individuals about your data collection process and the source of their personal data within a reasonable timeframe, typically no later than one month after obtaining the data.
For example, if you purchase a marketing list from a third party, you must inform the individuals on that list about where their data came from, what types of data you hold (such as names and email addresses), and why you are using it.
There are exceptions to this requirement, including situations where the individual already has the necessary information or where providing such information would involve a disproportionate effort. However, these exceptions require careful documentation and justification. You must also verify and demonstrate what information the individual has received, and relying solely on third-party assurances is insufficient.
Due Diligence
Due diligence is vital for verifying that the data you obtain via third parties was collected fairly and lawfully. This means ensuring third-party providers collect data in accordance with data protection law.
When collecting data from third-party providers or partners, you should request documentation and thorough information from them, such as details about who compiled the data, how it was collected, and whether a copy of the privacy notice was issued to individuals. Additionally, you should confirm the data’s accuracy and whether it is up to date.
A written contract with the relevant third party can help you confirm the reliability of the data they have collected and set out your rights to audit compliance with data protection laws. However, you remain responsible for ensuring compliance with the rules around gathering personal data through third parties.
Determining the Lawful Basis for Processing Personal Data
When collecting personal data from third parties, determining the correct legal basis for processing is essential under the UK GDPR.
You should consider how the data was initially collected, for what purpose, and under which lawful basis. For example, if you seek to rely on legitimate interests to process personal data, you will need to perform a balancing test to ensure that your business needs do not override the rights and freedoms of individuals. This involves assessing the purpose of processing, its necessity, and any potential impact on individuals.
Under the UK GDPR accountability principle, you must maintain records of consent and of any assessments conducted when relying on legitimate interests.
If you buy or rent data lists, your business should ensure you obtain assurances that the data you have received has been collected in compliance with UK GDPR and any other relevant legal rules.
Regardless of the legal basis—whether consent, legitimate interests, or another—you must verify that the data has been legally obtained and processed per data protection law rules.
How Can a Data Protection Solicitor Help Your Business?
These are vital areas to consider when collecting personal data from third parties. However, this activity may raise a host of other issues and considerations. If you need clarification about your obligations when collecting data from third parties, seek legal advice from a data protection solicitor.
Navigating the complexities of UK GDPR compliance, especially when collecting data from third parties, can be difficult. A data protection solicitor can help your business with tailored advice on ensuring compliance with the UK GDPR.
They can help you understand your legal obligations when collecting personal data from third parties, helping you avoid risks such as enforcement action and reputational damage from breaching UK GDPR rules.
Key Takeaways
Collecting personal information from third parties can help businesses offer value and obtain personal data easily. However, this activity also has significant legal responsibilities under the UK GDPR. For instance, a business collecting personal data from third parties should conduct due diligence, determine the lawful basis for processing personal data, and ensure appropriate transparency information is provided to individuals. In practice, this exercise can be challenging for businesses, and you should take legal advice if you need support with understanding your obligations.
If you need help with UK GDPR compliance advice, contact LegalVision’s experienced data, privacy and IT lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers who can answer your questions and draft and review your documents. Call us today at 0808 196 8584 or visit our membership page.
Frequently Asked Questions
1. What is the UK GDPR?
The UK GDPR is a legal framework that sets rules for collecting and processing personal information within the United Kingdom. It aims to ensure personal data protection, data processing transparency, and individuals’ rights regarding their data.
2. Can I Collect Data from a Third Party?
Yes, you can collect data from a third party, but you must comply with the UK GDPR requirements. For example, you must inform individuals about the data collection, specify the data source, and provide the purpose for data processing.