4

Some web services will notify the user if the account name they are entering exists or not. However, I am wondering if this would be legal. For example, if someone entered the email address of someone in the E.U., you would inadvertently be leaking their personal data by saying whether or not they use the service.

The GDPR even places restrictions on what personal data you can store. This seems to imply that you would need consent to store whether or not someone uses your service. It is easy enough to get consent to store who is using it, but how to get consent from every EU citizen who doesn't use your service? After all, according to the GDPR, personal data are "any information which are related to an identified or identifiable natural person." If someone does not use the service, it is pretty easy to identify that fact by looking at the user database.

So, would revealing or storing whether or not an EU citizen uses your service constitute a GDPR violation?

Christopher King

1 Answer

1

Revealing whether an EU citizen used a service could certainly be considered a data breach under the terms of GDPR, but that's not what's happening here.

The service provider would be checking whether a particular string of characters had appeared before as an account name. This wouldn't have to be a name, an e-mail address, or anything else directly associated with a Natural Person.

There might be some risk to a person who intentionally entered another Natural Person's Personal Data in an attempt to discover whether they had used that name to register for a specific service - and certainly if they were to reveal this to others - but this would be an action of the third party, and not something the service provider had done.

It's worth mentioning that consent is not the only lawful basis for processing. In this case "to fulfill contractual obligations with a data subject" would seem to cover checking that a particular string of characters was not duplicated as an account name.