Difference between Publicly Sourced Data and Data Publicly Disclosed by the Data Subject
- David Tierno García
- Mar 6, 2022
Updated: Apr 2, 2022

The inclusion of a regulation for data obtained from Public Sources was left behind with the previous Directive 95/46 and the LOPD 15/1999. Therefore, the first thing to clarify is that the General Data Protection Regulation (GDPR) does not define what public sources are, and consequently there is no exception or general rule for them.
However, it is obvious that although the GDPR does not contain a definition of what data held in publicly accessible sources are, they are personal data that are accessible to everyone.
On the other hand, personal data that are manifestly public are those which have been disclosed by the very data subject.
An important concept in data protection comes into play here: the concept of "legitimate expectation". It is clear that whoever makes his or her own data publicly known cannot expect it to remain private.
Interestingly, the Council of State of Spain ruled on this matter, saying that whoever manifestly publishes his or her own personal data must bear the consequences of his or her actions.
Furthermore, the GDPR itself establishes an exception to the prohibition in Article 9(1) on processing sensitive data (a higher category than simple personal data, whose grounds for legitimacy are provided by Article 6 of the GDPR), by providing that sensitive data can be processed where the data subject has manifestly made them public (GDPR art. 9.2.e).
Thus, the most important legal consequence of this difference between data held in publicly accessible sources and data that the data subject has manifestly made public is the following: data held in public sources, no matter how public those sources may be, are still subject to Articles 6 and 9 of the GDPR, while the processing of data that have been manifestly made public by the data subject already has its own exception to legitimize it. Note that it is the data subject who must have made them public, and not any other person, in order to "neutralize" the prohibition on processing sensitive data. The consequence is that consent from the data subject is not necessary for the data processing.
However, it is somewhat surprising that the GDPR includes among the exceptions to the need for consent sensitive data that have been manifestly made public by the data subject, by way of Article 9, and yet says nothing in Article 6 with respect to non-sensitive data, when one would expect just the opposite.
Consequently, although it may be debatable, it should be understood that the same exception also applies to non-sensitive data, since, after all, it is a general principle of law that "he who can do the most can also do the least".
Remember that if you need it, we can advise you to make this process as fast and effective as possible. Just contact us (diterno@proemabogados.com) and we will get to work.
David Tierno García
Attorney at Law