Is It Legal to Sell Data Under the GDPR?
The GDPR protects European citizens data rights through privacy laws, which impacts a company's ability to sell their data. Our article breaks down the law.
The General Data Protection Regulation (GDPR) came into effect in May 2018. However, many still fail to understand the different regulations and rules it contains. Particularly misunderstood is the law around being able to sell data. Below, we break down the legality of selling data under the GDPR, and how it can affect you.
What is the GDPR?
The GDPR is a European law on data protection and privacy for citizens of the European Union. However, it also affects all businesses that have dealings in Europe. Even if the business is not a European one, if it does significant business or has a base there, the laws will apply.
Under the GDPR, it’s necessary to protect your consumer’s data. Any company found negligent in this area may be penalised.
What data would be sold?
A common example of the data that may be sold is customer data. This is valuable as customers may be interested in accessing that client database to expand their business, or to learn further information.
However, customer data applies under ‘personal data’ for the purposes of the GDPR. This article explains in-depth the effect of personal data as regulated by the GDPR.
Is it legal to sell data?
It can be legal to sell your data under the GDPR. However, it depends on the context. Specifically, it depends on who you sell the data to and why. Below, we outline reasons that it may be illegal to sell data.
The data you sell can’t be sold to potentially discriminate someone based on their data. It cannot identify someone to punish them. If this is likely to occur, it is illegal to sell the data.
This considers how secure the data will be once sold. Officially, to be compliant with the GDPR the data must be secure. This includes from other businesses, people and even the government. This applies to companies with European Union Citizen Data.
The right to erase
The GDPR outlines that users must have the right to request their data gets removed. Who you sell the data to must be able to erase this data immediately upon request. As the seller, you must be aware of your purchaser’s intentions. Accordingly, if you’re aware they’re not going to allow the right to erase, it will be illegal to sell to that company.
Kyle worked in the content team as a legal intern for Lawpath. He is undertaking a Bachelor of Laws with a Bachelor of Psychology (Honours) at Macquarie University.