
Checklist: 23 Questions on Big Data and Law

Table of Contents

Foreword
01 What is Big Data?
02 Which different types of data exist in marketing, for example?
03 Which legal regulations are relevant?
04 Which data collections or analyses require consent?
05 Is data personal data if conclusions can be drawn about an individual from a chain of data?
06 Is there a tie-up between data for a specific purpose, or can the collected data be generally used and analysed?
07 Can I merge all data? Can I in particular add/synchronise external data, and can I merge data sets if I believe that they come from one and the same customer?
08 Can I use insights from the analysis for customer profiling?
09 Can I carry out all types of analysis?
10 When do I need an opt-in for data storage and data analysis, and what must be included in the opt-in to process data?
Stefan von Lieven on Big Data
11 Which data from a contractual relationship can I use for analysis or customer profiling?
12 How do I handle automated decisions from the analysis?
13 Are there particular regulations when handling behavioural probabilities?
14 Does the country where I store or analyse the data play a role?
15 Can a customer object to data storage?
16 Is the pseudonymous/anonymous processing of data volumes permitted for marketing research purposes?
17 Do I need to allow a person to object to data analysis (profiling) of his personal data?
18 Can I determine categories for a target group based on personal data (clustering)?
19 Can I merge the data collection and analysis in a black box without consent?
20 Do I need to allow an individual access to his personal data?
21 How fast and how extensively do I need to allow the deletion of personal data, and/or how long can I store this data?
22 Which technical and organisational measures do I need to take in order to protect data (including from internal departments)?
23 Which requirements on Big Data result from the current version of the European Data Protection Regulation?

Foreword

Big Data is currently a hot topic. In the digital economy, Big Data has become an essential value-adding factor which can hardly be ignored by a company. However, the collection and processing of large data amounts is subject to a number of legal regulations, especially in a commercial environment. The following checklist will help you to avoid legal pitfalls when handling Big Data.

“Big Data is a topic companies can hardly avoid nowadays, especially in the digital economy. At the same time, the sensibility for data protection is increasing in the media, the public, with legislators and decision-makers in companies. Our experience based on our consulting practice shows that data protection has now become a key topic at the level of management and board. The reason is that the correct use of Big Data has become an essential competitive advantage and secondly, that legal security and data protection are indispensable in the Big Data environment. Most companies in the market generally have a very good understanding of data security. New developments, such as Big Data, however, can lead to uncertainty. Which data collections or analysis require consent? Is there a bond between data collected for a specific purpose? How do we deal with automated decisions from the data analysis? These and other questions will be answered in our checklist.”

Dr. Fabian Niemann (Bird & Bird)

Email: [email protected]

01 What is Big Data?

The number of data-producing applications and terminal devices is constantly increasing while, at the same time, the cost of storing and processing large data amounts is decreasing. This leads to a continuous increase in the amount of collected data, especially in companies, but also in public authorities, in research and in other institutions. This phenomenon is currently being discussed under the keyword “Big Data”. According to a survey by IBM, managers sum Big Data up with terms such as “large range of information”, “new types of data analysis”, “real-time information”, “modern media types”, “data influx”, “large data volumes” or “data from social media”. The definition by the Research Services of the German Bundestag is as follows: “Big Data refers to large data volumes from manifold sources, which can be captured, distributed, stored, searched, analysed and visualised by means of newly developed methods and technologies.”

Big Data is no longer only a topic of information technology. Data collection and processing is not an end in itself. It is more and more the foundation to generate information from which we can retrieve knowledge to meet company goals in our everyday work life. However, it is also being applied in other areas of life (e.g. medicine or cars) and is constantly changing our world. Regarding the achievement of economic goals, Big Data must primarily be target-oriented. In particular in marketing, Big Data stands for understanding and therefore opens up new potentials, which have a direct effect on the turnover.

02 Which different types of data exist in marketing, for example?

Data does not equal data. Especially in marketing, this is not only about collecting any data but about collecting the right data, which can then be used appropriately. Marketing-relevant types of data include:

Usage/response data in digital channels (e.g. email, social media, website): opens, clicks, conversions, social shares, visited websites, etc.

Technical data: IP address, browser, terminal devices, email client, installed plug-ins, etc.

Transaction data from online shops: purchased items, generated turnover, last purchase, return rate, purchase frequency, price sensitivity, etc.

Location-based data: fixed location (identified via IP address), mobile location (identified, e.g., via GPS or Bluetooth), etc.

Socio-demographic data: age, gender, city of residence, marital status, profession, etc.

03 Which legal regulations are relevant?

The general law applies to “Big Data”. There are no special legal regulations within German law. For the storage and commercial use of Big Data, the Copyright Act and the Federal Data Protection Act are of particular importance. Furthermore, the Telemedia Act and the general civil law (namely the German Civil Code, BGB) are relevant. These laws regulate in particular who the data belongs to and to what extent companies can make use of it.

Copyright law applies when audio, video and image files or larger texts, i.e. works which are subject to copyright, are to be processed or transmitted. In this case, the use of the corresponding Big Data may only be possible with the explicit consent of the right holder (see question 4). Individual items of information/data (and with them a large proportion of Big Data), however, are excluded from copyright and are therefore not subject to the copyright limitations. However, collections of data can be protected by copyright or as a database. When a complete data collection or database (or substantial parts of it) is imported, the above-mentioned copyright limitations will apply after all.

When collecting, storing, processing, using and transferring data, you must also comply with the regulations of the German Federal Data Protection Act (BDSG). The conception of Big Data, to collect and use as much data as possible, creates a natural tension with the existing principles of the German Data Protection Act, which operates on the principle of data minimisation. This means that only personal data which is required for the specific process is to be collected and processed and, generally, personal data is to be stored and used as little as possible. When possible, data should always be anonymised. (The data protection law is generally obsolete and not suitable for current technical and technological developments, such as Big Data or cloud computing, and we must fear that possible adaptations, e.g. in the context of the planned EU General Data Protection Regulation, will not facilitate the use by business.) The currently applicable law therefore needs to be interpreted in the light of technological and social developments, and we need to find a compromise between (rigid) data protection and the reality of Big Data applications.

Furthermore, the data protection provisions of the German Telemedia Act (TMG), which apply to suppliers of products or services through a website, may also become relevant. And last but not least, the German Civil Code may play a role, particularly the regulations on material property, as this property can also consist of data and data carriers. Example: when the automotive or insurance industry accesses in-car data in the field of telematics (a black box), the question is whether or not this is an intervention in the property of the vehicle owner and requires his consent.

04 Which data collections or analyses require consent?

Copyright law (where relevant), data protection law and civil law apply here.

According to copyright law, any usage of copyright-protected works which is of relevance under copyright law (in particular the storage of data and its making available to the public, see question 3) is basically only permitted with the explicit consent of the holder of the exploitation rights to these works. Without such consent, the relevant usage is only permitted to a very limited extent and within the limiting provisions of copyright law, especially, under certain circumstances, for scientific or private use. The commercial use of copyright-protected Big Data will, on the other hand, regularly require the consent of the right holder. It is important that information/data per se is not covered by copyright (unless essential parts are acquired from databases or collections) and, therefore, copyright restrictions do not apply.

However, as far as purely anonymous data is not used but, instead, data which can be assigned (in part) to individuals (as is generally the case with Big Data), the data protection legislation is to be observed in each case. German data protection law is based on the fundamental concept that the collection and use of personal data is prohibited unless permitted. Exceptions to this prohibition are certain statutory permission provisions or the consent of the person concerned (justification under data protection legislation). The requirements differ according to whether the data is general personal data or so-called location data or traffic data.

The collection and processing of general personal data, i.e. particulars regarding the personal and material circumstances of an identified or identifiable individual (name, address, email address, marital status, occupation, ID number, insurance number and telephone number), requires the prior consent of the person concerned, unless this is legally permitted under the Federal Data Protection Act (BDSG).

General personal data is, initially, in particular contract data, i.e. data which is necessary for the establishment, contents or alteration of a contract between the service provider and the person concerned regarding the use of telecommunications services (e.g. name, age and address of the person concerned).

General personal data is also usage data which is initially required to allow telemedia to be used and which is required for billing for these services (characteristics for identifying the person concerned, information regarding the start and end and the extent of the respective use, and information regarding the telemedia used by the person concerned).

Inasmuch as such data is stored and used outside the actual purpose of the contract, as part of Big Data analyses and applications, consent is required for this from all of the individuals whose data is concerned. This does not apply, however, when the use of this data is covered by statutory permission. Normally, only the so-called balancing of interests in pursuance of section 28 (1) no. 2 of the Federal Data Protection Act comes into consideration here. According to this, the use is permitted if the legitimate interests of the user in using the data outweigh those of the person concerned. The standard is strict, however: it can frequently be met within the framework of use for research, medical purposes or similar, but regularly not in the case of purely commercial use. Anyone wanting to play it safe either requires consent or must make the data anonymous. In any case, it is always necessary to examine the individual case; as is mostly the case with data protection law, general answers are out of the question.

Traffic data, i.e. data which is collected, processed or used during the provision of a telecommunications service (the telecommunications service used, the number or identification of the participating terminals, i.e. the caller and receiver of the call, personal authorisation identifiers, the card number if using customer cards, any location data in the case of mobile phones, as well as the start and end of the relevant call by date and time), may only be collected with the consent of the person concerned. The processing of this data for marketing purposes also requires the consent of the subscriber concerned. In addition, the data of the receiver of the call (the other party, who cannot, in practice, give his/her consent) must be immediately made anonymous.

Location data, i.e. data which is collected or used in a telecommunications network or by a telecommunications service and which indicates the location of the terminal of an end-user of a publicly available telecommunications service, may also only be collected and processed with the consent of the person concerned and only to the extent necessary for the operation of the service. As usual, processing of this data is possible without consent if the data has been anonymised.

05 Is data personal data if conclusions can be drawn about an individual from a chain of data?

The data obtained from a person does not necessarily lead directly to conclusions being drawn about their identity. It depends on the individual case. The applicable standard is disputed. In particular, it is debatable whether an anonymous item of data per se, such as the IP address of the user of a website, can be an item of personal data if a third party (in the case of IP addresses: the Internet service provider) can assign it to a person.

The German and European regulations are inconclusive in this respect. Basically, three different approaches are represented in legal literature, by the data protection authorities and by the courts.

The approach adopted by most data protection authorities is very simplistic and (too) restrictive. They assume that it is sufficient if it is theoretically possible, in objective terms (so-called “objective data term”), to identify a specific person from a single item of data, even if the person or company using it requires information from third parties. This is true regardless of whether or not it is likely that such collaboration ever takes place. This may be relevant in the case of Big Data applications which allocate IP addresses to profiles or otherwise use these. According to this view, a person can, in addition to IP addresses, also be identified based on the following data: browser fingerprints, mobile radio data, vehicle data (vehicle number, licence plate, etc.), devices fitted with an RFID chip, and pseudonyms.

According to the liberal opposing view, when dealing with the question of personal data we only need to consider the extent to which the specific data-processing agency is itself able to identify a specific individual (“subjective data term”). External information is not relevant according to this view. In particular, the IP address is then not personal data (except for the Internet service provider in the case of individual connections), as it is merely a series of numbers which will not enable a person to be identified, even in connection with the detail that a specific website was accessed at a specific point in time.

Our view is that both sides are too general and one-sided. A mediatory solution would better serve the interests. Firstly, we need to identify, from the point of view of the respective data processor, whether or not the data is personal. Third-party data may be relevant here, too, if it is obvious that this party has access to the data and is able to use it to identify a specific individual. (Only) if this is the case should the data be classed as personal and, as a result, the data protection requirements (including, oftentimes, consent, see question 4) must be met. In the case of Big Data, this means that when in doubt personal data is involved, as generally there is a mixture of several data types. A personal reference can be excluded if the data had already been anonymised prior to processing (see question 8). Anonymisation, in our view, however, does not refer to the strict concept of most data protection authorities, but to our mediatory view presented here. If you do not wish to incur any risks, you should use the stricter benchmark as a basis.

06 Is there a tie-up between data for a specific purpose, or can the collected data be generally used and analysed?

The principle that data is only to be used for a specific purpose applies in data protection law, i.e. data can only be processed for the specific purpose for which it was collected. During the collection of data, the person concerned is to be informed of the purpose of this collection, processing and use of data.

If the data is used to fulfil your own business purposes, i.e. in connection with the handling of contracts or the management of customer contacts, a subsequent change of purpose is permitted. Changing the purpose is permitted if a legitimate interest of the processing authority, a third party or the public exists.

However, a general retaining of data cannot be considered according to the above-mentioned principles of change of purpose. The data processing authority is still obliged to specify a certain purpose for the retaining of data. This does not apply when the data is exclusively anonymous data.

For Big Data, this means that when in doubt a new data protection justification must be found prior to processing the data (see questions 4, 9, 17). This results from the fact that all data contained in the data pool may have been collected for a different purpose than the purpose for which this data is now processed.

07 Can I merge all data? Can I in particular add/synchronise external data, and can I merge data sets if I believe that they come from one and the same customer?

Data on customers is generated in different places and for different purposes. In connection with Big Data there is, in fact, a difference between whether a data pool whose data is to be analysed already exists, or whether it needs to be created first. If the data pool does not contain only anonymous data, you must enquire separately, for each individual case, whether a data protection justification for the use as well as a data protection justification for the possible upstream merging of data exists. You must particularly bear in mind the following points:

Generally, the principles of purpose limitation and data separation apply, i.e. the data can only be processed for the purpose for which it was collected. Therefore, different data sets generally need to be managed independently. The merging of data is only permitted if a separate data protection legitimation (either consent or legal justification, see question 4) exists. Commercial use, e.g. using data from a shop purchase profile in a newsletter, is generally only permitted after the recipient has given his consent (see question 4).

The consent does not need to be obtained separately, but can be part of the data use agreement within the context of the newsletter subscription or the shop registration process, as long as the purpose of this consent is clear and comprehensible. When the person concerned, e.g. during registration in a shop, accepts the data use agreement, he also authorises the provider to merge his data.

The same applies to the enrichment with external data, e.g. updating postal addresses or credit history information, as well as to the enrichment of email addresses via the social networks used, as long as this information is not generally available.

However, the merging of data saved in list form with information which is freely available on the Internet is still permitted without consent for the purpose of promoting the services of the online shop provider as the responsible body under data protection law.

08 Can I use insights from the analysis for customer profiling?

When creating user profiles, we generally need to establish whether or not we are dealing with personal data (see question 5) and whether or not the person concerned has given his consent:

The use of non-personal data without the individual's consent is admissible when the data has been made anonymous.

According to the requirements of the Federal Data Protection Act, anonymised data exists when the corresponding individual details can no longer be assigned to a specific person, or when this would involve a disproportionate effort. When individual details cannot be assigned to the person concerned at all (so-called “real anonymisation”), this data may be used without limitation for web analyses and can also be transmitted to third parties (for more details on the requirements of anonymisation see question 5). Since the identification of the person concerned is ruled out here, consent from the individual is not required for user profiling.

Without the consent of the person concerned, personal data can only be used for the creation of usage profiles in compliance with the Telemedia Act when the data is pseudonymised. Data is pseudonymised if the name or another identifier is replaced by a substitute, so that the identification of the person is either impossible or at least rendered considerably more difficult. Linking the pseudonymised usage profiles with the bearer of the pseudonym is generally prohibited.

Furthermore, the person concerned must be informed about the profile creation and his right to object (“opt-out”). If the party concerned exercises his right to object, the creation of such usage profiles is not permitted.

When creating the profile, all usage data (with the exception of the contract data) may be used. The possibility of creating a profile is limited, as it is only permitted for the purposes of advertising, market research or tailor-made design of the telemedia. Profiling for other purposes is not allowed without the individual's consent.

However, when personal behaviour-related data is collected, explicit and separate consent is required. Personal behaviour-related data is data which links the usage data to a specific email address, e.g. click data, conversions or activities on a linked page.

It is also important to collect and process data according to the type of consent. Behaviour-related data, such as the last click, cannot be captured or processed if the person concerned has not given his consent.

User profiles can generally be created independently of the above-mentioned preconditions as long as the person concerned has given his effective consent (i.e. voluntarily and based on a comprehensible and specific consent form, see question 10).

The principle of data minimisation and data avoidance must be kept in mind, i.e. only collect the amount of behaviour-related data which is absolutely necessary.

In the case of Big Data, the above means that the data contained in the pool is to be checked individually for what type it is and whether a relevant data protection justification exists for each type of data. There is no general answer.
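The distinction drawn in this question between pseudonymised usage profiles, which may be analysed without consent as long as they are not linked back to the bearer of the pseudonym, and data that is merely obscured is easy to get wrong in practice. The following Python example is added here as an illustration and is not code from the checklist, from Bird & Bird or from artegic; the sample usage records, the attacker's candidate list and the key handling are constructed assumptions. It replaces the email address with a keyed substitute (HMAC-SHA256 under a key held apart from the analytics side), aggregates usage data per pseudonym, and shows why an unkeyed hash is not a pseudonym in the sense described above: because the identifier space is guessable, anyone holding a list of candidate addresses re-identifies plain hashes immediately, while the keyed pseudonyms resist the same dictionary attack.

```python
"""Keyed pseudonymisation of marketing usage records (added example).

Not code from the checklist, Bird & Bird or artegic. Assumptions: the
pseudonymisation key is held by a separate function from the analytics
side, and the records and candidate list below are constructed sample data.
"""
import hashlib
import hmac
import secrets

# Constructed sample usage data (not real customers).
USAGE_RECORDS = [
    {"email": "anna@example.com", "opens": 12, "clicks": 4, "conversions": 1},
    {"email": "bernd@example.org", "opens": 3, "clicks": 0, "conversions": 0},
    {"email": "anna@example.com", "opens": 5, "clicks": 2, "conversions": 0},
]

# Held only by the party that is allowed to link a pseudonym back to a person.
# The analytics side never receives this key.
PSEUDO_KEY = secrets.token_bytes(32)


def pseudonym(email: str, key: bytes) -> str:
    """Replace the identifier with a keyed substitute (HMAC-SHA256).

    Normalising case and whitespace first keeps one person on one pseudonym.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Return copies of the records with the email swapped for a pseudonym ('pid')."""
    out = []
    for rec in records:
        r = dict(rec)
        r["pid"] = pseudonym(r.pop("email"), key)
        out.append(r)
    return out


def aggregate(pseudo_records):
    """Analytics side: build a usage profile per pseudonym without seeing any email."""
    totals = {}
    for r in pseudo_records:
        t = totals.setdefault(r["pid"], {"opens": 0, "clicks": 0, "conversions": 0})
        for k in t:
            t[k] += r[k]
    return totals


def unkeyed_hash(email: str) -> str:
    """What NOT to do: a plain hash of a guessable identifier is not a pseudonym."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def reidentify(hashes, candidates, hash_fn):
    """Dictionary attack: hash every candidate identifier and match it against the data."""
    table = {hash_fn(c): c for c in candidates}
    return {h: table[h] for h in hashes if h in table}


# Constructed attacker wordlist, e.g. a leaked or purchased customer list.
CANDIDATES = ["anna@example.com", "bernd@example.org", "carla@example.net"]


def demo():
    """Returns (profiles built, keyed pseudonyms re-identified, plain hashes re-identified)."""
    pseudo = pseudonymise(USAGE_RECORDS, PSEUDO_KEY)
    profiles = aggregate(pseudo)
    # Without PSEUDO_KEY the candidate list reveals nobody behind a keyed pseudonym.
    keyed_hits = reidentify(profiles.keys(), CANDIDATES, unkeyed_hash)
    # With plain hashes, the same candidate list re-identifies every address.
    plain = [unkeyed_hash(r["email"]) for r in USAGE_RECORDS]
    plain_hits = reidentify(plain, CANDIDATES, unkeyed_hash)
    return len(profiles), len(keyed_hits), len(plain_hits)


if __name__ == "__main__":
    print(demo())
```

Whether the keyed variant is sufficient depends on who holds the key: if the analytics team can obtain it, the "substitute" is trivially reversible and the profiles are simply personal data under a different column name. Keeping the key with a separate function, and logging every re-identification, is what makes the prohibition on linking profiles to their bearer enforceable rather than merely stated.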

09 Can I carry out all types of analysis?

The general law applies to Big Data. Therefore, not all types of analysis of the data contained in the data pool can be carried out. Which type of analysis is allowed depends on the type of data in the data pool (see question 4). Usually, we are (also) dealing with personal data, and a data protection justification (see questions 4, 5) will be required for processing. The following examples serve as a guide:

If you analyse behaviour data such as conversion rate, number of visitors on a website, click rate, clicking order or search terms by means of web analysis tools such as Google Analytics or Piwik, this will be permitted as long as the person concerned has been informed about the data collection and analysis and his right to object at the beginning of the process, i.e. when the website opens and before any of his data can be saved. If the person concerned objects to the use of his data or to the setting of the required cookies, his data cannot be used.

However, when cookies are only used for the purpose of enabling the website visit (e.g. session cookies), the person concerned does not need to be informed about this and has no right to object.

Generally, only those data evaluations which assist advertising and market research as well as the needs-oriented design of the website may be carried out during web analysis.

When social media plug-ins are embedded in your own website (e.g. the Facebook “Like” button), data will be transmitted to the social network irrespective of whether or not the person concerned activates this button. This also applies to individuals who are not currently logged in to the platform or those who are not even registered with the service. The legal classification of these buttons is highly disputed. Since the IP address is collected and stored here so that the person concerned can be recognised when he revisits the page, and the data is also transmitted to the social networks, it is recommended that you obtain the person's consent if you follow the conservative view (and most data protection authorities, see question 5) of treating the IP address as personal data. One option would be the so-called 2-click solution: the first click on the buttons activates them, and prior to this no data transfer takes place. Activation is equivalent to the consent of the person concerned. With a second click, the person concerned can then use the function behind the button.

In so far as it is necessary for the use of a website to involve geo-localisation (e.g. with services which supply offers linked to locations, such as “Where is the nearest cinema?”) or to re-identify the person concerned, this is permitted within the framework of such services, as long as there is an overriding reason to link the data with the person concerned in order to provide the service. However, this is not permitted for the creation of a profile for marketing purposes. Whether there is an overriding reason or not is usually assessed by the specific case, i.e. the type of service. Apart from “terminal device detection” and “geo-localisation”, which may be permitted without consent, services such as “social activity detection” or “advanced fingerprinting” are only permitted with the consent of the person concerned. This consent is particularly required when user profiles are created through a third-party company.

10 When do I need an opt-in for data storage and data analysis? What must be included in the opt-in to process data?

Generally, the consent of an individual to collect and further use his data is not always necessary. Data collection and usage may also be permitted where there is a legal justification (see question 4). Consent can also be dispensed with in the case of purely anonymous usage (see question 5). If consent from the person concerned is required, this must be voluntary and transparent for the person concerned, and it must be explicitly given.

The consent must be voluntary, i.e. given without compulsion. Consent is not voluntary when the person concerned had no other choice which did not result in serious disadvantages. Consent is not voluntary, for example, when an employer exerts pressure on an employee, or when consent is linked to the supply of essential products or services (especially services of general interest such as energy supply or a bank account); in normal business, however, consent is voluntary. According to the prevailing and correct view, you as a normal provider can make your services dependent on data protection consent.

For consent to be legal, a recipient must explicitly agree to data processing. This consent cannot be hidden in pre-formulated contractual conditions or derived from another context. When the consent is to be declared in writing together with other declarations, it needs to be clearly identified or highlighted. Consent should therefore always be obtained separately and actively, i.e. the required check mark (opt-in) must not be set automatically so that the customer would need to remove it.

The customer needs to be informed about the purpose of the data processing, e.g. the collection of location data or the analysis of click behaviour for customer-specific special offers. When the data is collected or processed for more than one purpose, you will need to name these different purposes.

Within the framework of consent, the customer will also have to be informed about his right to object. This right to object can be problematic in the case of Big Data, as it is possible to object at any time, and the data of the person concerned will then have to be removed from, or at least separated from, the data set.

For legally compliant proof of consent in the context of emails, German law effectively only allows for the double opt-in procedure. It is argued that this is the only way to ensure that it is actually the person who owns the email account who is giving his consent. This procedure prevents a non-authorised person from subscribing a recipient, via a freely accessible form, e.g. to a newsletter. Every consent of a recipient must be carefully logged, so that the sender is able to prove at any time that he has obtained legitimate consent. For legally compliant consent via double opt-in, the following applies:

The recipient will receive a confirmation email after his subscription, in which he is asked to re-confirm his consent via a link.

The confirmation email must not contain commercial content.

The log must include the type and scope of the consent (i.e. the specific data use agreement to which the recipient has given his consent), as well as the time when the consent was given, the IP address and the collected data.

In the case of Big Data, in addition to the above-mentioned risk of objection, the requirement to obtain consent creates, in particular, the problem that the purpose of data processing might only come into effect at a later point in time, or that it is no longer possible to obtain consent for all the data contained in the data pool for practical reasons. Nevertheless, it is recommended that consent be obtained where possible.
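The double opt-in and logging steps described in this question, as an added Python example; this is not the checklist's own procedure and not artegic's product code. The form submission produces an HMAC-signed, time-limited confirmation link bound to the email address and the stated purposes, so that a link cannot be forged or reused for a different address or scope. Only the click on that link writes a consent record carrying type and scope, time, IP address and the token itself; an objection marks the record as withdrawn, and the analysis side checks for an unwithdrawn consent covering the purpose before processing. The signing key, the 48-hour link lifetime, the sample address, IP address and timestamps are assumptions made for the example, and "sending" the email is simulated by returning the token.

```python
"""Double opt-in with an unforgeable confirmation link and a consent log (added example).

Not the checklist's procedure or artegic's code. Assumptions: SIGNING_KEY is a
server-side secret, TOKEN_TTL is a policy choice, and the sample address, IP
and timestamps used by callers are constructed. Sending mail is simulated by
handing the token back to the caller.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = secrets.token_bytes(32)   # assumed server-side secret
TOKEN_TTL = 48 * 3600                   # assumed: confirmation links expire after 48 hours


def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def make_confirmation_token(email, purposes, now=None):
    """Step 1, the form submission: bind address, purposes and issue time into a signed token.

    Nothing is logged as consent yet; anyone can type any address into a public form.
    """
    issued = int(now if now is not None else time.time())
    payload = json.dumps(
        {"email": email.strip().lower(), "purposes": sorted(purposes), "issued": issued},
        sort_keys=True,
    ).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_token(token, now=None):
    """Parse and check a token from a clicked link; returns the payload dict or None."""
    try:
        body, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None                       # forged or tampered link
    data = json.loads(payload)
    current = now if now is not None else time.time()
    if current - data["issued"] > TOKEN_TTL:
        return None                       # stale link
    return data


CONSENT_LOG = []   # a list for the demo; production would use an append-only store


def confirm(token, client_ip, now=None):
    """Step 2, the click on the link: proves control of the mailbox, so only now is consent logged."""
    data = verify_token(token, now)
    if data is None:
        return None
    entry = {
        "email": data["email"],
        "purposes": data["purposes"],     # type and scope of the consent
        "consented_at": int(now if now is not None else time.time()),
        "client_ip": client_ip,
        "token": token,                   # the exact declaration the recipient confirmed
        "withdrawn_at": None,
    }
    CONSENT_LOG.append(entry)
    return entry


def withdraw(email, now=None):
    """Right to object: mark every active consent of this address as withdrawn; returns the count."""
    ts = int(now if now is not None else time.time())
    n = 0
    for e in CONSENT_LOG:
        if e["email"] == email.strip().lower() and e["withdrawn_at"] is None:
            e["withdrawn_at"] = ts
            n += 1
    return n


def may_process(email, purpose):
    """Check before any analysis: an unwithdrawn consent covering this purpose must exist."""
    target = email.strip().lower()
    return any(
        e["email"] == target and purpose in e["purposes"] and e["withdrawn_at"] is None
        for e in CONSENT_LOG
    )
```

The token proves mailbox control only if the link is delivered to the stated address and nowhere else, which is also why the confirmation email must carry no commercial content. Withdrawal keeps the record rather than deleting it: the log must still show that consent existed for the period in which the data was used, while every later processing decision goes through the purpose check.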

Stefan von Lieven on Big Data

“Successful marketing is now strongly data-driven. The market is changing and customers are expecting a significantly more personal and relevant approach. This is only possible with a valid and substantial database. It is a necessary precondition in order to control and optimise marketing measures in a digital, highly responsive and targeted way.

However, Big Data does not only stand for the collection and understanding of data. The actual possibility of using this data for marketing is becoming the important third pillar. This utilisation involves the planning and implementation of data protection aspects. The specific objectives are the legally compliant collection of consent and the processing of data in compliance with data protection: legal Big Data. If you miss out on obtaining the relevant consent to personal, data-supported marketing, you may not be able to use your collected data in the future. Legal security in the context of Big Data is therefore becoming a decisive competitive factor.”

Stefan von Lieven (CEO artegic AG)

11 Which data from a contractual relationship can I use for analysis or customer profiling?

The general principles apply to all data collected within the context of a contractual relationship (see questions 3, 4). The existence of a contractual relationship per se does not provide a basis for a justification concerning data protection, copyright or material property.

12 How do I handle automated decisions from the analysis?

When handling the automatic analysis of data, the same principles that apply to other data also apply to Big Data. When data is automatically collected and processed without the necessity of an individual decision by the data processing authority on the individual process, e.g. in the case of the automatic synchronisation of new customer data with existing data, the law places special requirements on the use of the results.

Generally, the German Data Protection Act stipulates that decisions which may entail legal consequences for the person concerned or significantly affect him may not be based on the automatic analysis of personal data. This principle reflects the issue that the automated analysis of data is based on the recognition of certain patterns and is probably not able to detect special individual cases. This is the case, in particular, with scoring procedures which evaluate the creditworthiness of a person based on mathematical-statistical procedures.

In exceptional cases, automated decisions may be used when

- the decision is to be made within the framework of a contractual or other legal relationship and is in favour of the person concerned, or
- the safeguarding of the individual's interests is otherwise guaranteed.

Exceptions are particularly important in the case of an automated conclusion of the contract on the internet, i.e. when the person concerned accepts an offer after concluding a contract.

Legitimate interests are, in particular, to be protected by subjecting the automated individual decision procedure to a prior check, for example when it is a question of evaluating the personality of the person concerned.

The Federal Data Protection Act (BDSG) also grants the person concerned a right to information regarding the logical structure of the automated data processing. In addition, the German Telemedia Act (TMG) includes a requirement for the data processing agency to inform the person concerned if data processing is carried out by means of automated procedures.

13 Are there particular regulations when handling behavioural probabilities?

If specific probabilities play a role in processing Big Data, no particularities apply here. Instead, the general regulations of the German Federal Data Protection Act on handling probabilities must be observed. We can distinguish between a number of different scenarios as follows:

- If the analysis merely involves handling anonymous data, e.g. for the purpose of counting visitors on a website or similar, no specific data protection requirements apply.
- However, when the personal data is analysed in such a way that a probability value for a specific future behaviour is established (scoring), the law provides for the following requirements:
  - the calculation shall be carried out through a scientifically recognised mathematical-statistical procedure;
  - only data which is suitable for the calculation of the behaviour may be processed; probabilities may not be identified, e.g. merely based on address data or skin colour;
  - if address data is used, the person concerned is to be informed about the use of the data prior to processing and this information is to be logged;
  - the determination of probabilities must serve the purpose of reaching a decision on the establishment, execution or termination of a contractual relationship.

You must take into account the fact that the data to create this probability value needs to be collected and stored in a legally compliant way in the first place (including consent of the person concerned, see question 4).

These requirements do not apply e.g. to customer-specific advertising based on previous purchase behaviour (“behavioural advertising”).

There is an option to have a third party, e.g. a credit agency (SCHUFA), carry out the probability calculations. However, if you transmit your own data to this credit agency you must bear in mind that the customer needs to give his consent.

14 Does the country where I store or analyse the data play a role?

The country where the data is processed does play a role in terms of data protection, copyright and material property.

The territorial principle applies in data protection as well as copyright law, i.e. the law of the country where the relevant handling (storage or other relevant usage, see question 3) takes place applies. Accordingly, German copyright and, generally, also German data protection law (exception below) is always to be observed when the data is stored or used in Germany.

In addition, German data protection law applies when data is captured by providers in Germany or collected from Germany by means of technical tools.

Finally, German material property law applies when the data comes from black boxes or other data carriers which are the property of the person concerned.

An exception to the territorial law applies in data protection law when a company based in the European Economic Area (EEA) collects, processes or uses data in another EEA state. In this case, the country of origin principle applies (only in the data protection context). The background to this is the sufficient harmonisation of data protection law in the EU/EEA from the viewpoint of the EU Data Protection Directive (adopted by the EEA states), which regards it as sufficiently adequate when a provider adheres to his local law.

Finally, for data collection and processing outside of the EEA, stricter data protection requirements apply when the data is not exported from the EEA by the person concerned but by third parties (e.g. in the case of merging EEA data into a US data pool or remote access to EEA data pools by agencies outside the EEA). The transfer to non-EEA agencies of data collected within the EEA, or the access to this data by non-EEA agencies, is only permitted if the additional requirements according to the EU Data Protection Directive are met. In the context of Big Data, the EU standard contractual clauses as well as the Safe Harbour Principles are relevant. The former are pre-formulated contractual clauses endorsed by the EU, which are to be concluded between the data exporter based in the EU and the data importer based outside the EEA, and state that the importer principally undertakes to comply with the European Data Protection Directive regarding the exported data, including (as a contract for the benefit of a third party) the right of the person concerned to proceed against the importer in the case of violations. The latter is a self-commitment which – based on a bilateral agreement between the USA and the EU and under the supervision of the US Federal Trade Commission – only allows American companies (with the exception of some industries such as telecommunications and banks, for which the FTC is not responsible) to subject themselves to the EU Data Protection Directive regarding data obtained from the EU.

In addition, the person concerned must be informed prior to the data processing procedure if data processing is to take place outside the EEA.

15 Can a customer object to data storage?

Regardless of whether or not the data storage takes place within the context of Big Data, the following rules apply regarding the possibility of objecting:

- When the data storage takes place based on the consent given by the person concerned, this person must be able to object to the storage of his data. Objecting to consent to data storage must not result in a disadvantage for the customer.
- If we are dealing with data which is necessary to conclude a contractual relationship (see question 11) or which has already been made anonymous (see questions 16, 18), this right of the person concerned to object becomes null and void.

16 Is the pseudonymous/anonymous processing of data volumes permitted for marketing research purposes?

Anonymised as well as pseudonymised data may be used for market research purposes under certain circumstances. The following applies:

- The processing of anonymous data is generally allowed without consent from the person concerned (see questions 5 and 8).
- The processing of pseudonymous data is also possible without consent from the person concerned as long as it only involves usage data (i.e. attributes for the identification of the person concerned, details on the start and end as well as coverage of the corresponding usage, and details on the telemedia used by the person concerned). However, the person concerned must be informed about the data processing for marketing research purposes and about his right to object.

Within the context of Big Data you might have to differentiate according to the type of data.

17 Do I need to allow a person to object to data analysis (profiling) of his personal data?

Data analysis can generally only take place with the consent of the person concerned or based on a legal permission. To assess the lawfulness of an objection we must therefore differentiate depending on the legal basis of the data collection and storage:

- If the data collection and storage is only possible with the consent of the person concerned, then data cannot be processed without this consent.
- If the collection of data was necessary to enter into and fulfil a contract with the person concerned, this permission barely extends to the analysis of data, as we cannot assume that the data analysis is necessary for the execution of the contract.
- If we are dealing with pseudonymised data, the decision regarding an objection will need to be made after weighing up the interests. Here, we need to weigh the interest of the person concerned in the non-collection of his data against the interests of the company. The time of the objection or the type of data usage by the data processing agency may play a role here. See also question 16.

When collecting or storing data, the person concerned must be informed about the purpose of this collection or storage. The processing of data and the creation of a profile must be specified as a purpose. The person concerned must also be informed about his right to withdraw any previously given consent.

18 Can I determine categories for a target group based on personal data (clustering)?

In clustering, every person is assigned to a specific group based on his behaviour. Legally, this procedure constitutes a modification of data, as the informational content of the data is changed by assigning an individual to a user group. The requirements regarding the modification of data provided by the German Federal Data Protection Act correspond to those regarding the processing of data, i.e. in any case a data protection justification, either in the form of the consent of the person concerned or a legal justification, must exist. Even when a data protection justification for clustering exists, this does not necessarily cover the required use of the data obtained for customer profiling or for direct marketing. A separate data protection justification is necessary (see checklist on email marketing).

19 Can I merge the data collection and analysis in a black box without consent?

The general directives apply to the analysis of black box data: a data protection justification is required, either in the form of a statutory justification or the consent of the person concerned. However, this does not apply when the data is completely anonymised.

If, for example, an accident data recorder from a vehicle is to be evaluated, a data protection justification is required. In addition, we face the problem of the proprietary allocation of this data, which e.g. in the case of private vehicles will logically follow the rights of the driver, keeper or owner of the vehicle. This results in a consent requirement regarding data processing.

20 Do I need to allow an individual access to his personal data?

Regarding the right to information of the person concerned, Big Data follows the same rules as other data collections and processes.

The person concerned generally has a right to information with respect to everyone who collects, stores, processes and transfers his data to third parties. On request the following information must be provided: which data regarding him is stored, where this data was collected, to whom this data is transferred, and for what purpose it was stored.

The information on the origin of data may be refused if it would involve disclosing a trade secret which overrides the interests of the person concerned in the disclosure. Access to personal data must be granted on request by the person concerned once a year free of charge. Further access may incur a fee for the customer. The customer must be informed about this.

The granting of these comprehensive rights to information and the practical and organisational hurdles related to this can be avoided if you only store and process anonymous data.

21 How fast and how extensively do I need to allow the deletion of personal data and/or how long can I store this data?

The requirements of the German Federal Data Protection Act on data depend on the individual case. Generally, data can be stored as long as a data protection justification exists. The time of deletion is linked to the purpose principle: as soon as the purpose for which the data has been collected has been fulfilled or becomes null and void, the data needs to be deleted. The purpose mostly results from the contractual relationship. Once this relationship has been terminated, the data needs to be permanently deleted. In the case of Big Data this means that, in theory, you need to separately specify for all data if and for how long the data protection justification for storage exists. In practice, however, you will need to use groups as it is not feasible otherwise.

Data which has been stored for security purposes may still be stored for an appropriate time, mostly for technical reasons. In this case, you must ensure that this data can only be reconstructed in a security case.

Either way, the indefinite storage of personal data is not permitted, regardless of the consent given by the person concerned.

22 Which technical and organisational measures do I need to take in order to protect data, including from internal departments?

The general guidelines of the Federal Data Protection Act regarding the technical and organisational measures also apply to Big Data. Concerning the protection of data, section 9 of the Data Protection Act requires that when handling data all necessary measures are to be taken to comply with the requirements of the Data Protection Act. In detail, you need to ensure that

- unauthorised persons have no (spatial) access to data processing installations;
- unauthorised persons have no access to the processing of the data, i.e. cannot have an effect on the process (this can especially be ensured through encryption) – access control is particularly important in the context of Big Data; the individual data of the data pool is to be stored with limited access in such a way that each person authorised for the data pool can only view and process the data for which he is specifically authorised;
- persons authorised for data processing only have access to the data for which they are authorised (this can particularly be ensured through encryption);
- data is protected against access by unauthorised persons in the case of transfers (this can particularly be ensured through encryption);
- the input and processing of data can be checked to identify if and by whom these activities have been carried out;
- in the case of commissioned data processing, proper selection and monitoring of the contractor and his activities takes place;
- the data is protected against accidental damage (e.g. lightning strike, blackout, flooding, etc.);
- it is ensured that data which has been collected for different purposes will also be processed separately;
- employees who come into contact with the data of other persons are obliged to maintain data confidentiality.

23 Which requirements on Big Data result from the current version of

Currently, it is not absolutely certain if the planned European General Data Protection Regulation will materialise. If the (currently being drafted) General Data Protection Regulation in its current form (draft by the European Commission of 25.01.2012, as modified by the European Parliament on 12.03.2014) enters into force, there will be important changes regarding Big Data, including:

- The General Data Protection Regulation defines more clearly than the current German law when personal data exists (see questions 4 and 5). Identification numbers, locations or online IDs will only be classed as personal data when the data processing agency cannot prove that there is no reference to persons. With respect to an IP address, the rule is that this always constitutes a piece of personal data if it has not been issued to a company.
- The current proposal is that the possibility of a subsequent change of purpose for the data collection (see question 6) is limited by the Regulation. The current draft of the European General Data Protection Regulation specifies that data may only be processed for a purpose other than that for which it was collected if the person concerned has provided his consent or a contractual basis exists for this.
- If data is not processed by the company itself but is passed on to third parties for processing (so-called “commissioned data processing”), the client and contractor are jointly responsible for complying with the data protection requirements in pursuance of the European General Data Protection Regulation. According to current German law, only the client is liable with respect to the person concerned and must monitor compliance with data protection law by the contractor. The client's stricter (joint) liability is a problem not only within the framework of Big Data, but overall for the use of data for advertising purposes.
- As for questions regarding the processing of data for the company's own business purposes, the interpretation of

artegic supports you in successful dialogue marketing via email, mobile and social media.

Please contact us at www.artegic.com, Tel. +49 (0)228 22 77 97 0 or via email [email protected]

Do you already know our newsletter, with best practice, studies and know-how on online CRM and marketing with email, mobile and social media? Register for free at: www.artegic.com/newsletter

© 2015 artegic AG, Zanderstraße 7, 53177 Bonn, Germany
Fon: +49 (0)228 22 77 97 0
Fax: +49 (0)228 22 77 97-900
www.artegic.com
www.twitter.com/artegic_uk

In collaboration with Bird & Bird:
Bird & Bird LLP, Carl-Theodor-Straße 6, 40213 Düsseldorf
Tel: +49 (0)211 2005 6000
Fax: +49 (0)211 2005 6011
