Personal data can be collected in different ways, for example, by user registration, having web forms, or tracking user statistics (by using Google Analytics, Episerver Profile Store or visitors groups etc).
GDPR does not forbid you to collect data but it does require you to be very specific; you are only allowed to collect data for a specific purpose. Before collecting any data, you need to carefully consider this.
- Is it PII data you want to collect or is it anonymized data that cannot be traced back to an individual?
- Will you store this data in a database?
- Are you processing data within the European Union?
- Are the data subjects in question located in the European Union?
- Can you motivate the collection of data, that is, do you have a legal reason for doing so? For example, to fulfil a legal agreement with the data subject, to protect the interest of the data subject etc.
- Is the purpose clearly-defined and data will not be used for any other purpose? You are not allowed to collect data that might be nice to have in the future.
- Is the collected data appropriate (that is, relevant and limited to) the purpose? You cannot collect, for example, phone number if the purpose is to sign up for email newsletters.
- Do you need to have consent for the collection of data and do you have a process for getting consent from the data subjects? In some cases, you need consent for collecting data, and in some cases you don’t. See also Asking for consent.
- Is the PII data considered sensitive, that is, does it relate to the data subject’s sex, ethnicity, religious or political views etc.? Sensitive data is only allowed for collection under certain conditions, see article 9 of the regulation.
Last updated: Jun 19, 2018