4

I have been trying to understand looking in internet how General Data Protection Regulation affects genealogical research and if there is any extra precaution that is required, however, no blog or site in internet I found is really describing properly the delta with the previous situation.

Is anybody knowledgable enough to provide and idea of the main precautions and the gap with the previous situation?

Trebia Project.
  • 475
  • 2
  • 10
  • 3
    I would suggest that you have a look at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ - as this is the UK's Information Commissioner, other blogs or sites should be ignored if they contradict. The scope remains set at living people as I understand it. – AdrianB38 May 19 '18 at 16:08
  • 1
    It may be worth keeping an eye on The Legal Genealogist's take on GDPR: https://www.legalgenealogist.com/2018/05/20/the-casualties-of-gdpr/ and that of the Stack Exchange Network: https://meta.stackexchange.com/questions/310321/brace-yourselves-the-gdpr-is-coming – PolyGeo May 21 '18 at 00:51
  • https://stackoverflow.blog/2018/05/21/changes-to-our-privacy-and-data-policies/?cb=1 – PolyGeo May 21 '18 at 22:16

2 Answers2

2

Having looked into this for my genealogical society this is what we have found:

If you have any data that can identify a living EU citizen regardless of where they reside or any citizen from any country who resides in the EU then you must comply with the regulations. How this will be enforced outside the EU is not clear.

If you do have such data in any form electronic or written then you must have permission of that person to retain the data. They have the right to ask what data you hold on them and also if they ask you must delete the data. You must only use the data for the express purpose contained within the permission obtained by the person. You must ensure the data is secure and notify the person who gave permission if your security is breached.

There is a lot more to it than that but those are the major points as we understand them.

If you are at all concerned then you should seek professional legal advice.

Colin
  • 3,908
  • 1
  • 15
  • 17
  • Who is actually liable? The researcher that gathered the data or the website (i.e. MyHeritage, Ancestry, Geni...) that holds the data, do you know? – Trebia Project. May 20 '18 at 21:50
  • 1
    The person / entity storing the data, it is all about storage of the data. Therefore it could be both if the original researcher stores the data in written or electronic form they are just as liable as the websites you mention. – Colin May 21 '18 at 07:04
  • 1
    Surely it is the researcher as they are the controller of the data? The website provider knows nothing of the data. If the website provider's security messes up then the researcher may have a claim against the website but I reckon that's it. The above is based on logic based on what I've read at a basic level. – AdrianB38 May 21 '18 at 09:58
2

"The GDPR does not apply to certain activities including ... processing carried out by individuals purely for personal/household activities." A hobby such as genealogy counts as personal activities.

Tinkerbell
  • 21
  • 1
  • Do you have a source for this as I have yet to find a definition of personal/household activities? Once you publish the data online it cannot be for personal/household activities surely. – Colin May 23 '18 at 06:19
  • There is a discussion taking place on the Family Historian User Group which quotes some authoritative sources. See https://www.fhug.org.uk/forum/viewtopic.php?f=38&t=15935&p=85542&hilit=gdpr#p85542 – Tinkerbell May 23 '18 at 07:15