You can collect personal data in various ways, such as through user registration, web forms, or tracking user statistics (for example, with Google Analytics, Optimizely Data Platform (ODP), or visitor groups).
GDPR does not forbid you from collecting data, but it does require you to be very specific: you are allowed to collect data only for a specific purpose. Before collecting data, carefully consider the following questions.
- Is it PII you want to collect, or is it anonymized data that cannot be traced back to an individual?
- Will you store this data in a database?
- Are you processing data within the European Union?
- Are the data subjects in question located in the European Union?
- Can you justify the collection of data? That is, do you have a legal reason for doing so, for example to fulfill a legal agreement with the data subject, to protect the interests of the data subject, and so on?
- Is the purpose clearly defined, and will the data not be used for any other purpose? You are not allowed to collect data that "might be nice to have in the future."
- Is the collected data appropriate for the purpose, that is, relevant to it and limited to what it requires? For example, you cannot collect a phone number if the purpose is to sign up for email newsletters.
- Do you need to have consent for the collection of data and do you have a process for getting consent from the data subjects? In some cases, you need consent for collecting data, and in some cases you do not. See also Asking for consent.
- Is the PII considered sensitive? That is, does it relate to the data subject's sex, ethnicity, religious or political views, and so on? Sensitive data may be collected only under certain conditions; see Article 9 of the regulation.