Data brokers and data subject rights

Well I’ve been working hands-on with data subject rights for almost two years now and an area which is still grey, is when it comes to data brokers.

If the data broker has scraped public sites for personal data is one aspect. Personal data has been shared by you and I in LinkedIn, Facebook, etc., a data broker can extract and use, after all it is public data.

The other is, as is the case in Sweden when personal data becomes public data but not at the bequest of the data subject. Still the data brokers are there scraping sites e.g.,, all legal due to something called an utgivningsbevis issues in the name of freedom of speech. If you want some background on this, I’ve written loads!

One of the challenges that a lot of businesses are purchasing personal data from data brokers as part of their sales activities. Then requests for access to personal data (Art 15), or to be forgotten (Art 17) come pouring in from individuals who want to know why sales personnel are contacting them when they did not opt-in, saying that it’s not compliant with GDPR.

Well the fact is, there is nothing illegal in this activity as it stands today. Once you make your personal data public you lose some rights. Of course in Sweden it is more complex as individuals have not requested their data to be public, it is like this as a default.

Now often the data subject will ask to be deleted, and does not want to be contacted again, but it is not so simple. If the organisation purchases regularly data from data brokers, deleting the data won’t solve the problem, their name needs to be added to an ‘opt-out’ list. Which means processing additional data. If not, their name will pop-up again, because you see the problem is three-fold:

(1) data is public, whether this is knowingly or not,

(2) there is no mechanism to enable the individual to place themselves on an opt-out list centrally which is accessible to all data brokers, hence

(3) data brokers do not clean, and this means that each organisation purchasing personal data need to have their own opt-out lists.

What complicates the matter further is that the GDPR requires that in order to respond to data subject requests their identity needs to be verified, although Article 11 does say that additional data should not need to be collected in order to verify identity, to be compliant with GDPR.

So where does that leave us when it comes to requests from data subjects who did not ask to be contacted by our sales agents? In short, best to add them to an opt-out list and delete their data, so long as they have never been a customer, have never been employee, etc. If they persist on exercising their rights as per Article 15, request identity which is permitted in Article 11.

Although how do you explain to them why you need to add them to a list? It seems a strange workaround, to something which clearly is not working optimally today.