Can GDPR be misused? Yes, it can.
The big bad wolf was huffin' and puffin', but the three little piglets' house was still standing

Yesterday, a company received an angry email from a lawyer. This is not unusual; people often get worked up about trivial matters. This instance, however, was different.

A polite way to be aggressive

From the outset, it was evident that this individual was already operating at 110%. They were exceedingly polite, to the point where one might say they were “too polite”. They requested no further contact and the erasure of all data the company held about them. This request was not unusual.

The person responsible for compliance agreed, even though this was not a formal request addressed to the compliance officer. The officer went on to explain the company's position: all personal data about the lawyer had been deleted from its systems, except the minimum needed to maintain a "do not contact" list, so that the request never to be contacted again could actually be honoured.

The lawyer exploded and sent a threatening message to the company, stating:

"I know in which public register my personal data are located, for which I have given my consent. My personal data that is in your system is personal data, which you use without my consent, according to the interpretation you are trying to advise me. Given that you are willing to explain, I will give you the opportunity to discuss this with the Personal Data Protection Agency."

Ah, another tale of a bruised ego. However, if pursued, it could cause damage to the company in question. Let’s deconstruct this for clarity.

Consent

If the lawyer gave explicit consent for the public directory to publish their personal data, such as their name and email address, on its website, this could weigh against any objection they might raise regarding the use of that data by others.

However, it's essential to consider the context and purpose for which the consent was given. If it was solely for the purpose of the public directory and not for other commercial uses, the lawyer might still have grounds to object. It is fair now to ask ourselves, what exactly are “other” commercial uses?

If the public directory was created with the purpose of enabling contact with a certain group of individuals, what is then being infringed?

Purpose limitation

The GDPR mandates that personal data be collected and processed only for specified, explicit and legitimate purposes (Article 5(1)(b)). If the company obtained the lawyer's personal data from a public source and is using it for a purpose unrelated to the one the public directory serves, that could be a violation of the GDPR, even if consent to the original publication was given.

Right to object

The GDPR grants individuals the right to object to the processing of their personal data (Article 21). The two cases differ: where the processing is for direct marketing, the objection is absolute and must simply be honoured; where it rests on legitimate interests, the individual objects on grounds relating to their particular situation, and the controller may continue only if it demonstrates compelling legitimate grounds that override the individual's. The lawyer may argue that their objection is valid on either basis, even if they previously consented to the publication of their data.

Right to erasure

The GDPR grants individuals the right to request the erasure of their personal data under certain circumstances (Article 17). This right is not absolute: it does not apply where processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims (Article 17(3)). The company may therefore argue that it has a legitimate interest in retaining the minimum data needed to honour the objection; if it deleted everything, it would have no way of guaranteeing that the lawyer is never contacted again.

Professional use

In the case of a lawyer, whose professional contact information is typically publicly available for the purpose of conducting business, there might be some nuances regarding the application of the GDPR.

While the lawyer’s professional contact details may be publicly accessible, the GDPR still applies to their personal data if it’s being used in a manner that goes beyond the intended professional context.

Let's discuss this

So, the lawyer actually gave their permission for their personal data to be published on at least one internet location. However, that doesn’t explicitly allow anyone to use this information for any purpose.

That doesn’t say anything about the information that is available through other means, for example, through their website or Google Business listing.

It is a fact that their contact information is a matter of public record by their own free will, unless someone impersonated them when giving that consent or entered their data into their website or listing. The data exists out there, and it may be used by anyone who can show a legitimate interest, within the limits the GDPR sets.

Secondly, another important point: lawyers offer a professional service and publish their contact details precisely so that they can be reached for business. That does not take them outside the GDPR (a sole practitioner is still a natural person, and their work address is still personal data), but it matters for the balancing test: a business proposal sent to a published business address is the kind of processing a professional can reasonably expect. There is no law against offering something to them, or to anyone else, as long as it is done in a civilised and lawful way.

Legitimate interest

Under the GDPR, processing personal data is lawful if it is necessary for the purposes of the legitimate interests pursued by the data controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject (Article 6(1)(f)). In practice this is a three-part test: a genuine purpose, processing that is actually necessary for it, and a balancing of the controller's interest against the individual's.

Maintaining a "do not contact" list is widely accepted as a legitimate interest: it exists precisely to respect the preferences of people who have opted out, and without some record of who objected the company could not guarantee that it honours the objection.

Purpose

If the purpose aligns with the legitimate interests of the data controller or a third party, such as conducting market research or improving services for lawyers, it may be considered legitimate under GDPR.

A wide range of purposes related to the betterment of a targeted group can qualify as a legitimate interest, provided the necessity and balancing tests are met. The complexity of the situation only appears to give the upper hand to this lawyer because they are the data subject.

Conducting surveys or gathering data for research or analytical purposes can be a legitimate interest under the GDPR, provided the purpose is genuine and the processing does not unduly infringe on the rights and freedoms of the people surveyed.

This person could have deleted the email; they would not have been harmed in any way, and they would not have harmed anyone else by doing so. Instead, they chose to act as though someone were holding their head to the screen, forcing them to do something against their will.

A quick "delete" or "mark as spam" would suffice, but then their beach muscles wouldn't be on display. Now you'll see, I will tattle to the teacher.

Data principles

The principles of data protection, including transparency, data minimisation, accuracy and security, should be upheld throughout the data collection process. Data subjects should be informed about how their data will be used and should have the opportunity to opt out if they do not wish to participate.

The company did not collect more data than necessary for the intended purpose; what it collected was limited to what was directly relevant to that purpose, and this is easy to prove, since the opening letter itself says so.

Everything that was asked of this lawyer was voluntary and consensual. They objected, and the company complied, stating that it would reduce the data it held to the minimum necessary to honour the objection.
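What "keeping only the data necessary for a do-not-contact list" can look like in practice, as an added example that is neither the company's code nor part of the original article. The design is an assumption of this example: the list stores a keyed hash (HMAC-SHA256) of the normalised email address, the date the objection was received and the reason, and nothing else, so the record can be checked against future outreach but is not itself a usable contact detail.

```python
# Added example (not the company's code): a "do not contact" list that keeps
# only what is needed to honour an objection. Design assumed here: store a
# keyed hash (HMAC-SHA256) of the normalised address, the date the objection
# was received and the reason, and nothing else.
import hashlib
import hmac
import unicodedata
from datetime import datetime, timezone


def normalize_email(addr: str) -> str:
    """Canonicalise an address so that spelling variants still match.

    Local parts are case-sensitive on paper, but no mail provider treats them
    that way, and folding case is what a suppression check needs.
    """
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    domain = domain.lower().rstrip(".")
    return unicodedata.normalize("NFKC", f"{local.lower()}@{domain}")


class SuppressionList:
    """Minimal do-not-contact list.

    A plain SHA-256 of an address is not enough: addresses are low-entropy and
    a dictionary attack recovers them. A keyed hash with a secret held apart
    from the list makes the stored token useless without the key. To the
    controller, who has the key, the token is still pseudonymised personal
    data and needs a lawful basis; honouring the objection is that basis.
    """

    def __init__(self, key: bytes):
        if len(key) < 16:
            raise ValueError("suppression key must be at least 16 bytes")
        self._key = key
        self._entries: dict[str, dict[str, str]] = {}

    def _token(self, addr: str) -> str:
        return hmac.new(self._key, normalize_email(addr).encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def add(self, addr: str, reason: str = "objection") -> str:
        """Record an objection; idempotent, keeps the first date received."""
        token = self._token(addr)
        self._entries.setdefault(token, {
            "since": datetime.now(timezone.utc).date().isoformat(),
            "reason": reason,
        })
        return token

    def is_suppressed(self, addr: str) -> bool:
        return self._token(addr) in self._entries

    def filter_recipients(self, addrs: list[str]) -> list[str]:
        """Drop suppressed addresses before any outreach is sent."""
        return [a for a in addrs if not self.is_suppressed(a)]

    def export(self) -> list[dict[str, str]]:
        """What the list actually stores: tokens, dates, reasons, no addresses."""
        return [{"token": t, **meta} for t, meta in self._entries.items()]


def demo() -> list[str]:
    """Constructed sample data; the key must come from a secret store in real use."""
    sl = SuppressionList(key=b"example-key-do-not-use-in-production")
    sl.add("J.Doe@Example.COM")  # the objecting lawyer, as written in their email
    campaign = ["j.doe@example.com", "office@firm.example", "partner@firm.example"]
    return sl.filter_recipients(campaign)


if __name__ == "__main__":
    print(demo())
```

Two points worth noting. The objection is matched after normalisation, so a later campaign list spelling the address differently is still filtered. And `export()` shows what actually survives erasure: hex tokens, a date and a reason, which is the kind of minimal record the compliance officer described, rather than a copy of the original contact details.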

The context is quite important

The lawyer's bluster was unfounded, and being corrected made them angry and vengeful. They were proven wrong, and people do not like being wrong, especially about something they consider their profession.

The lawyer went on the warpath, misusing their influence and social position.

They even misread the compliance officer's obligation of transparency: the officer explained what was being retained and why, in the data subject's own interest, and the lawyer took that as "talking back". And you don't talk back to deities.



More articles by Luka Rsti?
