Legal Advice Centre

Protecting your personal information online

Is your cat’s name protected by the GDPR? How is your personal information protected right now? Does Brexit have any effect on it? Who do you turn to if your rights under the GDPR have been violated?

Personal information

Let’s start by establishing what counts as ‘personal information’. Is your cat’s name personal enough that it would fall under the control of GDPR?

The easy answer – it depends! Personal data is information that relates to an identified or identifiable individual. What identifies an individual could be as simple as a name, a number or other identifiers such as an IP address or a cookie identifier. If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.

So, if the name of your cat is all the information about you that you have disclosed, and it is not an especially unique name, then this is not exactly personal information. This is because you cannot be identified through this information alone.

Protections in place

Great, we know what ‘personal information’ is. Now, what rules provide for its protection? For now, it is the European GDPR (General Data Protection Regulation) that we rely on, and here are the most important take-aways:

  • Article 6 says that an individual must give express consent to the processing of their personal data for a specific purpose. This means that website admins cannot just assume that EU citizens consent to the collection of personal data simply because they visit the website or use the app. You, as a user, have to actively consent to the collection and use of your personal data.
  • Article 15 requires website admins to make it easy for you (the user) to access your data after the website has collected it – or request to access it.
  • A user can also request that the website admins stop processing or sharing their information, even if the user had previously consented to the data processing methods (also known as Article 18 in action).
  • Article 17 spells out the many circumstances in which EU citizens can instruct the website admin to erase their data:
    • the personal data is no longer necessary for the purposes it was collected for,
    • the personal data has been unlawfully processed,
    • the data subject withdraws consent, and
    • if the data has to be erased in compliance with a legal obligation.

What happens after Brexit – international transfers

Although the UK is now “a third country” under the EU’s GDPR (i.e. a country outside of the EU without an adequacy decision), a provision in the agreement signed by the UK and EU in December 2020 secures an interim period of six months of unrestricted data flow between the two blocs. This means that until the 31st of July 2021 personal data is allowed to be transferred between the UK and EU unrestricted as before.

Ensuring an EU equivalent level of personal data protection is very important for the UK, as it is the only way to be deemed adequate by the EU and thus ensure the free, uninhibited flow of data between the two countries. In order to provide equivalent legislation to the European Union, the UK has decided to create a whole “new” domestic law known as the UK-GDPR (United Kingdom General Data Protection Regulation), which is essentially the same as the European original. It serves as a merger between two types of previous legislation in the UK, namely the European GDPR and the Data Protection Act 2018.

We have established that if the UK is granted an adequacy decision from the EU by the 31st of July 2021, there will be uninhibited flow of personal data between the EU Member States and the UK, similar to the way it was up until now. However, what will happen if the EU does not recognise the UK-GDPR as adequate legislation? In this case, the contracts for information exchange which UK companies have with European countries will have to be altered to include the so-called SCCs (Standard Contractual Clauses). These basically provide safeguards on data protection for the data to be transferred internationally. Another option (if someone’s personal information processing is just a one-off) is to make the person whose data will be processed sign a consent form.

What do I do if I think my rights have been violated?

You can report your concerns and file a complaint against an organisation which is not complying with the data protection regulations to the Information Commissioner’s Office on this website: https://ico.org.uk/make-a-complaint/your-personal-information-concerns/

Sources

By Bojidara Simeonova, Law Student at Queen Mary University of London