Question: How can we collect and share personal data with third parties?
We're an app startup with the opportunity to work with a group of football clubs. In our app, users select which club they are supporters of and we would like to share user information with the selected club. The question is what type of information we're allowed to share and how to get consent from users. We're working with users both over and under the age of 13 years old and it would be okay if only 13+ user data can be shared (ideally we would like to share data on users under 13 if this is possible, for instance by getting parental consent). Here are two examples of the type of user data we would like to share with these clubs:

EXAMPLE A - data on specific users:
• Email address
• Location: Germany
• Age: 15 years old
• General app usage (activity).

EXAMPLE B - aggregated data:
• 1000 users selected your club.
• 30% of these users are younger than 13 years old.
• 70% are older than 13.
• 50% engaged with some of your content related to football drills.
• 5000 users selected your rival club.

In any case I would expect to clearly state the use and 3rd party access to the user data in our Terms of Services which all users agree to as part of our signup process. Thank you very much.

LegalBuddy answers

Thank you for reaching out to LegalBuddy. I’ll start by mentioning the relevant regulations that apply and thereafter give advice based on your situation.


Legislation on personal data collection

The General Data Protection Regulation (GDPR) applies to all automated processing of personal data of natural persons with connection to the EU. Note that there might be further national regulations that apply in conjunction with GDPR, as it is encouraged in art. 40 GDPR. The definition of personal data is broad as it includes direct and indirect information relating to a natural person, art. 4 GDPR. However, if the data is made anonymous, it is not considered personal anymore and the right to data protection is not applicable anymore.

 

The company is ultimately liable for adhering to the regulations and it is helpful to be mindful of the lifecycle of personal data to better comply with GDPR; the collection, management and deletion of personal data. Furthermore, the accountability principle provided for in art. 5 GDPR requires that a data controller must be able to demonstrate its compliance with the GDPR.


What data can be collected?

The principles in art. 5 GDPR state that there should be a narrow and clear purpose before the data collection occurs. The company is responsible for being lawful, open and correct, as well as treating the data with confidentiality. It is also important not to collect more data or store it more than necessary. The processing of data is lawful only if at least one of the conditions in art. 6 GDPR can be applied.

 

Consent or legitimate interests are commonly used by companies. Note that legitimate interests give the company flexibility as long as the company can thoroughly justify these legitimate interests, as the data subject should be able to reasonably expect their data to be used in that way. For a consent to be valid, it must constitute a voluntary, specific, informed and unambiguous expression of will, through which the data subject agrees to the processing of personal data concerning him or her. In the provision of a service, consent is not freely given if the processing of personal data that is not necessary for the performance of that contract or service is required. An assessment of whether the data is necessary must therefore be made.

 

In Example A above, the data is personal and the principles in art. 5 GDPR must be followed. E-mail addresses are usually considered personal data in themselves since they oftentimes contain the name of the data subject. The user’s activity and the location can also be personal data if it makes the data subject identifiable.

 

With regard to the aggregated data in Example B, the personal data has been anonymized and is impossible to trace back and/or identify the individual data subjects behind it. To collect and manage this data, you are still required to have a legal condition to process the data, art. 6 GDPR.

 

Data collection when the data subject is a child

There is an age limit given to objectively decide when a child has matured enough to be able to consent to data collection. For minors living in Sweden, the age from which they can consent without a guardian’s approval or consent is 13 years, 2 kap. 4 § lagen (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning. This may differ depending on which country the minors are living in, art. 8.2 GDPR.

 

Note that in the preamble no. 38, 58 and 65 GDPR, which are not formally binding but help to interpret the articles in the regulation, it is stressed that children require specific protection and therefore should be addressed in a way that is easily understood by children.

 

Data transfers to third parties

Under the GDPR, sharing personal data with third parties is possible as long as it is compatible with the purposes for which the data was originally collected, provided however that the data is not subject to statutory or contractual obligation of confidentiality. Furthermore, any transfer of personal data to third parties must be transparent to the data subject and should be clearly described in the information provided under art. 13 and 14 GDPR (on a side note, please note that information under art. 13 and 14 - normally provided by a “privacy notice” - should not be provided as a part of general terms of services but as a stand-alone piece of information). 


Conclusion

In conclusion, you should be able to share personal data with the football clubs as long as you make sure that such sharing is compatible with the purposes for which the data was collected and that the data sharing is transparent to the app users. As you will be addressing younger people, it is important that your privacy notices are crystal clear and adjusted also to the target audience. Hopefully, the information above gave some clarity to your case. If more questions arise, you are welcome to contact us for more legal advice. 


Comments
Kasper Skov · 19 Apr, 2021

Thank you so much for the detailed answer. Very very helpful and I will definitely recommend LegalBuddy and use it myself for future needs. Thank you

