Responding to GDPR requests

How should we respond to GDPR requests?

You may wish to take reference from the policy of Open Corporates, which has clearly analysed its rights to maintain a public archive under GDPR:
https://opencorporates.com/info/public_records_privacy_policy

Our grounds for processing personal information
We collect, store, use and make personal information available in order to further our public interest mission – namely to maintain an accessible record of company data. We rely on Article 89 of the GDPR which covers archiving purposes in the public interest.
In the vast majority of cases, the personal information we collect will also have been made public by the data subject themselves through the submission of such information to a public register.

Companies House publishes records by law, not by consent of the subject. When a person chooses to become a company director, LLP partner or secretary, then the quid pro quo for limited liability, as determined by legislators through legislation, is transparency.

The fact that a person was a director of a company may be relevant to another person long into the future, if the second person is dealing with the first person in a subsequent business as a director, shareholder, creditor, supplier, customer, employer or employee etc. For example, a person may have been a director in a string of corporate bankruptcies or liquidations. Also, once the former director dies (as we all do), it ceases to be personal data anyway. Furthermore, a company which survives for say 50 years after a director resigns would still show his directorship record at Companies House. So why should records of directorships of dissolved companies be removed from view by those who collected them?

Which licence is that? Perhaps you have some special contract with CH to republish everything?
For those who simply use the API as open data, they have no obligation to republish the entire dataset, so I am not sure what you mean by “removing these data would result in a breach of the agreement”. Can you post a link to the agreement you are referring to?
By the way - when you ask a lawyer on almost any matter like this, if they are not sure of their legal analysis, then the answer is always “no”. They don’t want to be on the hook for having advised you that something is legal. Refer them to GDPR Article 89. This article might also be of interest:

@Simon78

Companies House collects data and makes it publicly available under statute. The registrar has a legal obligation to make information available, and can therefore rely on an exemption from much of the GDPR. Consumers of our data, who purchase or obtain our data in bulk format, making it separately available, become controllers in their own right. It is for these controllers to establish their own GDPR compliance, and to consider the legal basis on which they are relying to make data available.

This is also emphasised in our Personal information charter, with the specific extract as follows:

Commercial organisations sometimes use data from the register to create their own online products. These organisations then become controllers of your personal data. These organisations must establish how they comply with the data protection law as set out in the GDPR. If you have any concerns about company data on third party products and websites, please contact the organisation directly. We’re not able to advise other organisations on GDPR compliance, and we cannot advise you on whether other organisations are complying with the law.

Thanks,

@mfairhurst
