Personal data in public sources

Information about people can be stored in public sources, for example on the Internet, on social media or in registers. This means that everyone can view the information. People often also publish that data themselves. Doing so does not mean that others can simply use that data for anything, even though the data is public. On this page you can read what is and is not allowed with data in public sources.

Personal data in public sources

Placing personal data in open sources, such as public Internet pages, is deemed processing of personal data. This means that the General Data Protection Regulation (GDPR) applies. And therefore you need a basis for the processing operation. However, the GDPR does not apply if personal data is processed for personal or domestic use.


Information about yourself
 

Do you intend to place your own personal data in open sources? In that case you don’t need a basis to do so. This is because it is your data and you can decide what happens to it.


Data from another person
 

Do you intend to place personal data of others in open sources? In that case you do need a basis. You must also have a specific and legitimate purpose to do so. You need to determine for yourself:
•    what purpose that is;
•    whether you have a basis for this;
•    whether you meet the other requirements of the GDPR.
You need to do this before posting the data. This way you avoid breaching the GDPR.

Special or criminal data

A processing ban applies to the processing of special categories of personal data or criminal data. You may only process this data of others if an exception applies to this prohibition. You must determine for yourself whether the data of others that you want to place in public sources comes under this prohibition. And whether you can claim an exception to this.


Collecting and (re)processing personal data for yourself
 

Personal data lawfully placed in an open source (according to GDPR rules) may be used for personal or domestic purposes. You must therefore use the data exclusively for private purposes. This does not include professional or commercial purposes. And you cannot share the data with others, or only with a limited group of people, such as your family members or friends. For example, for a birthday calendar or a personal address book, or to pass on a telephone number of a family member to another family member. In these cases, the GDPR does not apply.


Collecting and (re)processing personal data for another purpose
 

Information about a person can be held in an open source lawfully. And therefore be accessible and viewable for everyone. However, that does not mean that you can use that data for anything. You may not simply reprocess the data. Whether the provision of personal data is permitted varies per situation.


Consent is often not a basis for reprocessing
 

Personal data may be processed again if the data subject has given specific permission to do so. The fact that data is held in an open source does not mean that you automatically have permission to reprocess the data. For example, if you want to include the data in all kinds of files. You only have permission to view the data in a public source.


Identify risks in advance
 

The fact that personal data can be found in open sources, or has even been placed there by the data subject, is therefore not a license to reprocess the data. For each new processing operation, you must check whether you are required to carry out a Data Protection Impact Assessment (DPIA).
A DPIA is an instrument for identifying the privacy risks of a data processing operation in advance. And for subsequently taking measures to mitigate those risks. Even if carrying out a DPIA is not mandatory, it is advisable to do so anyway.


Automatic data collection


Organisations that automatically search the entire Internet and retrieve as much personal data as possible are processing personal data. They too must therefore comply with the GDPR. For example, they must be able to demonstrate that there is a basis for the processing operation. And that they meet the requirements of data minimisation and necessity.


Reprocessing special or criminal data
 

A processing ban applies to the processing of special or criminal law data. This means that you may view special and criminal personal data lawfully placed on the Internet, but that you may not process them again, unless, in addition to a basis, a ground for exception applies as well.