We’ve reviewed our processes and identified a possible scenario whereby Third parties have their personal data disclosed to us by a customer. This will be when customers orders a personalised gift using the recipient’s personal data.
Within the General Data Protection Rules (GDPR) there is legitimate interest which allows for the processing of such data and the following is our legitimate interests assessment to support such processing.
Firstly
Why do you want to process the data – what are you trying to achieve? As a Business we have identified products that our customers like to give as gifts, these are personalised with details of the recipient’s Birthdays, Wedding Anniversaries, Name Days, Christening details etc.
Who benefits from the processing? In what way? The customer benefits from this by enabling a gift of greater value to the recipient than an item that contains no personalisation. We as a business also benefit from this as commercially we can offer gift ideas that better match what customers want.
Would your use of the data be unethical or unlawful in any way? The personal data would only be used to produce the personalised product ordered by our customer and as such would not be unethical or unlawful in any way.
Secondly
Does this processing actually help to further that interest? The ability to provide a commercial gift service is reliant upon customers being able to provide this information.
Is it a reasonable way to go about it? Yes, gifts are intrinsic with a surprise or trepidation; to have to rely on other forms of lawful process diminish the ability of gift giving.
To achieve the same result we do not believe there another less intrusive way.
A Balancing Test
What is the nature of your relationship with the individual? In this instance we have a third party relationship with the individual and are possibly acting as a data processor for our customer.
Is any of the data particularly sensitive or private? None by itself will be sensitive or private however when added to products (a named Christening gift is prime example) then sensitive data may be derived.
Would people expect you to use their data in this way? Gifts have become a tradition for many social events and as such we can see no reason why they would not expect such use.
Are you happy to explain it to them? This document is proof that we are happy to explain our use.
Are some people likely to object or find it intrusive? The majority would not however given the diverse nature of people it is possible an individual could object especially if they dislike the gift or find it inappropriate.
What is the possible impact on the individual? Use of their data in this instance will be minimal, with the details being added to a product that they subsequently receive effectively completes a closed loop system.
Are you processing children’s data? Yes with regard to fixed data and we do not offer information society services (ISS) directly to children
Are any of the individuals vulnerable in any other way? the collected data does not identify vulnerabilities thus although they may be there is no way to identify this through our processing.
Can you adopt any safeguards to minimise the impact? We plan to introduce a data cleanse of personalisation data after a short period of time after the customer has confirmed acceptance of the product.
Can you offer an opt-out? The only option for an opt-out would be a blank product.
LIA derived from the ICO Controllers Checklist
