GDPR Mythbuster Month – Part 2

It’s our favorite spooky time of the year and you know what that means! It’s time to bust some GDPR myths!

You can also follow the series on our Instagram


Myth #1 GDPR won’t apply to the UK because of Brexit


The GDPR is designed to regulate how organisations process and control the personal data of EU citizens, regardless of where they are located. Moreover the UK has a law in place (Data Protection Act) which basically covers everything the GDPR does. The relationship between the UK and the European Union after the Brexit is still uncertain. Various models of cooperation have been highlighted such as the Norwegian, Swiss or Turkish models. Only the Norwegian model, which implies that the UK would remain a member of the European Economic Area would allow free flow of data between the European Union and the UK. Unless such an agreement is reached, the UK will become a “third country” under the GDPR.

Myth #2 When relying on consent to process personal data, consent must be explicit

The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent,meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.  Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt-in” will suffice. But for non-sensitive data, “unambiguous” consent will do.

Myth #3 Biometric data is sensitive data under the GDPR

You can be forgiven for thinking this. Biometric data can be sensitive data under the GDPR – but only if used for the purpose of “uniquely identifying” someone (Art. 9(1)). A bunch of photographs uploaded onto a cloud service would not be considered sensitive data, for example, unless used for identification purposes – think, for instance, of airport security barriers that recognize you from your passport photograph.

Myth #4 Individuals have an absolute right to be forgotten

he GDPR refers to the ‘right to be forgotten’ as the ‘right of erasure’ (Art. 17).  However, unlike the right to opt-out of direct marketing, it’s not an absolute right, it only arises in quite a narrow set of circumstances notably where the controller has no legal ground for processing the information. Organizations may continue to process data if the data remains necessary for the purposes for which it was originally collected, and the organization still has a legal ground for processing the data under Art. 6.

Myth #5 Every business will be subject to new data portability rules 

Data portability requirements are mandated only when processing is based on consent or contractual necessity (Art 20(1)). It does not apply when, for example, processing is based on legitimate interests. This is an important strategic point for businesses to consider when deciding upon the lawful grounds on which they will process personal data.



MetaCompliancefieldfisher / Lexoo / EUGDPR

Leave a Reply

Your email address will not be published.