Featured in JEP’s Expert Panel – 21st February 2018
You should always ask, “who owns the personal data?” The answer is, “The data subjects [i.e. each person on the list]”. Taking the view of the data subject, they would correctly ask why you have their personal data, where you got it from, what you are doing with it, how long you are keeping it, and what lawful basis you have to receive it and to use it. One would be concerned that the third party has already committed a data breach by giving this data to you, outside of any business relationship agreed directly by each data subject and involving you.
Under A14 of GDPR, you have one month to meet the legal communication requirements to each data subject, effectively answering all the questions above and identifying yourself as potentially the new Data Controller. You must inform the data subject of these answers at the first opportunity and before you make any use of their data.
GDPR has this important provision in law so that you, the Data Controller, must meet the statutory requirements of ensuring lawful, fair and transparent processing of personal data, which is a fundamental principle of GDPR. Breaching these core principles will expose you to the higher tier of fines by the new Data Protection Authority, after 25 May 2018.
If you are not going to follow the requirements of A14 of the GDPR law, then delete or destroy the data in a secure and confidential manner, as there is no lawful reason for you to retain it or use it. You may need to prove this too, if challenged.