Collection, Use, and Storage of Personal Data


Any natural or legal person, whether a website visitor or a controller of visitors' data, should be aware of the basic processing operations. We have gathered here all the necessary information regarding the collection, use and storage of personal data.

Collecting personal data

Personal data can be collected only when there is a legitimate reason or purpose, which is connected to the services your company provides to the user.

Some legitimate reasons for processing are consent, public interest tasks etc. You can find out more in our article about personal data.

Your company should also keep its users informed about these purposes when it collects their data. It’s important to note that it shouldn’t collect data for unlimited purposes or keep them for longer than necessary.

Moreover, if your company collects more data than needed, unrelated to the legitimate purpose, it’s considered an infringement on the principle of purpose limitation.

According to this principle, the data must be processed for explicit and legitimate purposes and should not be further processed in a manner that is incompatible with those purposes.

For example, if a company offers car rental services to individuals, the necessary personal data it needs to collect in order to rent cars are the full name, address and credit card number of its customers.

If it asks the customer to fill in data related to their religious beliefs or ethnic origin, it would infringe the principle of purpose limitation, as this data is not related to the purpose of the rental.

When are personal data collected?

  • By creating a profile or signing up to your company’s website
  • By signing up for its newsletter
  • By expressing a preference for certain products or services while browsing your company’s website

What information should be provided during the data collection?

When a user’s data is being collected, your company should provide them with the following information:

  1. Who your company or organisation is. More specifically, the contact details of your company and the data controller should be provided
  2. The purposes for which the collected data are processed
  3. The legitimate reasons for the data processing
  4. The period for which the data will be stored
  5. The recipients of the personal data as well as anyone who will have access to them
  6. The possibility of transferring their data to a recipient outside the EU (check out also our article on data transfer to third countries)
  7. Their right to erasure, rectification, amendment-change and transfer of data, as well as their right to obtain a copy of their data (read more in our post about the rights of the data subject)
  8. Their right to lodge a complaint with a Data Protection Authority
  9. Their right to withdraw consent at any time

This information is provided to the data subject during the data processing in combination with standardised icons, in order to give a meaningful overview of the intended processing in an easily visible and clearly legible manner. If the icons are presented electronically, they should be machine-readable.

When the data controller plans to process the personal data for a purpose different from that for which they were collected, the data subject should be informed prior to that processing.

Using personal data

It is only reasonable to wonder how the personal data collected by a company is used. There are many ways a company utilises its users’ data; some indicative examples are:

  • To improve the customer experience. More specifically, personal data allows the company to better understand and meet the needs and requirements of its customers by providing more appropriate and personalized services. Being able to analyse the preferences and general behaviour of the customers on the website, as well as to take into account their reviews, also allows the company to raise the quality and level of its services.

"Not only do companies use consumer data to improve consumer experiences as a whole, but they also use data to make decisions on an individualized level."

Brandon Chopp, digital manager for iHeartRaves

  • To develop an effective marketing strategy for the company. In other words, by observing the behaviour of its customers, the company can operate more effectively and adapt its marketing methods to their most efficient forms.

"Like other aspects of consumer data analysis, marketing is becoming more about personalization."

Brett Downes, Director at Haro Helpers

  • To secure data against theft and hacking into the user’s account. For example, banks often use voice recognition as a means of accessing the beneficiary’s bank account. The voice is also considered personal data and is used to protect the rest of the user’s data from illegal attempts to steal this information.

  • To complete orders for products and services and for product returns.

  • To send informative brochures about the various offers and new products/services of the company. Of course, it is possible to opt out of newsletters, i.e. the subject can choose not to receive any more newsletters from the company/organization.

  • To respond to requests sent by customers.

Figure: Screenshot of Twitter's Privacy Policy about the way they use information (caption: How to respond to customer requests)

For how long are personal data stored within the company?

As we mentioned earlier, personal data is stored by the controller for as long as necessary and for the purposes for which they are processed.

In other words, you must comply with the principle of storage limitation, according to which it must be ensured that the period of data storage is limited to the minimum period of time necessary to serve the purposes of the company/organisation.

Let’s take a look at an example…

Imagine your company/organisation runs a recruitment agency and therefore collects the CVs of people who pay you in order to find employment.

So you keep these people’s data for 20 years and don’t bother updating the CVs at all.

The storage period does not seem proportionate for the purpose of finding a job for a person in the short to medium term.

Furthermore, the fact that you do not take action to update CVs at regular intervals makes some of the job searches problematic for the person, as they may have acquired new skills after a certain period of time.

Of course, for as long as the data are stored by the data controller, they should be accurate and secure, without the risk of alteration or loss. For this reason, the company must take various organisational and technical measures to protect the data and maintain their security (for more information, click the link to our article on organisational and technical measures).

Some places where personal data can be stored

  • Servers
  • E-mails
  • Computers (desktop and laptop)
  • BYOD
  • Cloud
  • Printed paper files
  • Backup storage disks
  • USB flash drives

Author

Eleni Kostakoglou
Lawyer