The General Data Protection Regulation (GDPR) proposed by the European Union applies to all kinds of Personally Identifiable Information (PII) acquired from the public web. If an application intends to collect data from the web about citizens residing in the European Economic Area (EEA) then you need to design your Web application with GDPR compliance in mind.

If you are working with Werify (Info Science Labs Corporation) on a co-operative web application or an integrated project then we can work with you on legal terms to help you achieve GDPR compliance for your individual project. The task of ensuring that the collected Personally Identifiable Information (PII) is GDPR compliant completely rests with you. For projects where collection of PII is not a primary task, we can provide you with tools that will help you sort any accidental collection of PII that might subject you to GDPR.

What is GDPR?

The EU’s (European Union) GDPR explicitly outlines certain requirements that organizations or concerned individuals must adhere to for the collection, processing and transfer of PII (Personally Identifiable Information) about EEA (European Economic Area) residents.

Key Concept

GDPR underlines some key concepts or situations under which information available on the web that can identify a person can be processed or stored:

Consent has been acquired from the subject to which the data relates (very rare in case of Web-based data projects).

The data processing is necessary for the execution of a contract, compliance with a legal agreement, public interest, national interest or legitimate cause for the data processor.

In case you consider that you have a legitimate interest in collecting data over the web, there are certain examples that the GDPR puts up for efficient understanding of what constitutes legitimate interests. Your interests including all marketing interests should fit in those categories provided by the GDPR, although it is still required that your collection of PII should have minimal impact on the privacy of the data subjects.

What counts as a PII?

In the GDPR documentation, PII or Personally Identifiable Information is broadly defined as “any information relating to an identified or identifiable person”. This definition covers the generic personal information including name, residential address, contact number, identification number on different documents of proof, etc. Along with the above stated general terms, PII also constitutes information that may help in uniquely identifying a person including physical attributes, likenesses, etc. If such indirectly identifying PII is collected from the web in bulk, in an anonymous manner such that it cannot be traced back to a single person then GDPR may not apply in that specific operational condition. However, it should be noted that if a number of such attributes collected can be connected in a way to be traced back to an identifiable person then GDPR would be applicable to the data processing.

How to know whether GDPR applies to you?

It is relatively simple to understand whether GDPR applies to you or not. If your data collection project positively affirms to all or some of the following points then GDPR applies to you:

You collect web data that directly or indirectly relates to individual people and might be used to identify them.

The people you are collecting data about are EEA residents.

If you are extracting data in such a way which is making it possible to reach the individual concerned just by processing that data.

Your interests are in the legitimate interests acknowledged by the EU regarding the processing and collection of PII or EEA residents.

Some Instances

Not Affected by GDPR:

The data that you are collecting does not directly identify a living person on its own. Information and data about prices of products, store locations and information about companies, etc. come under this banner.

Extraction of user reviews by actual humans but the usernames under which the reviews are written are not sufficient enough to identify a real person.

Collection of data regarding the contact details of businesses and organizations.

Affected by GDPR:

The data that you collect has the names and contact details of the subject, or any other kind of information that can be directly traced back to the subject.

If the personally identifiable information (PII) is on a public website rendering it to be in public domain. In this case too, as the data can still be used to get to the original person, extraction of such information will still be subject to GDPR.

Data Processors and Data Controllers

Speaking in the context of your own Web-data collection project, you are the sole Data Processor and Data Controller. You are storing and processing the data collected from the web through Werify’s services which makes you the Data Processor. At the same time, you are also commanding Werify to collect such information on your behalf, making you the Data Controller as well. Werify is only a Data Processor as we only collect information and data when instructed to do so by our clients.

In case of any queries regarding this GDPR notice, please feel free to reach out to us. We’ll be happy to attend to your issue.