As a follow-up to a series of blogs published last year by Oliver Price, we have been keeping up to date with the latest General Data Protection Regulation (679/2016/EU) (GDPR) developments.
In July this year the Information Commissioner’s Office (ICO) issued its first enforcement notice under the GDPR. The notice was issued against AggregateIQ (a company based in Canada), which worked on behalf of the pro-Brexit group Vote Leave. Although the personal data was collected and used before the GDPR came into force, the concern is over the continued retention and processing of that personal data by AggregateIQ.
The ICO found that AggregateIQ had failed in the following ways to comply with the GDPR:
1. personal data of data subjects (including UK individuals) had been processed when they were not aware of said processing, for a purpose which they would not have expected and without a lawful basis;
2. the purpose for processing the data was incompatible with the purpose for which the data had been collected; and
3. by denying the data subjects the opportunity to understand what personal data about them may have been processed or exercise their various rights as a data subject, damage and distress is likely to have been caused.
Under the notice, AggregateIQ has 30 days to cease processing any personal data of EU citizens for the purpose of data analytics, political campaigning or any other advertising purposes.
This is noteworthy to us, as questions were raised in a seminar we hosted around the international reach of the GDPR. As this is the first extra-territorial notice to be issued by the ICO under the GDPR, only time will tell how far that reach extends.
We will be publishing further updates and providing clarity on the GDPR’s international reach as and when the position is clarified.
In the interim, if you have any GDPR-related questions, please contact a member of the Commercial team on 01380 733300 or email firstname.lastname@example.org