I'm currently working on implementing GDPR practices and I've run into an interesting situation with my data and legal colleagues located in Russia.
My colleague insists that if we obtained their data from an "open source" third party, they have consented to us using their data by giving their data to that third party. For example, if someone submits their data to a directory or a tradeshow, we are free to use their data from the tradeshow. An example he gave was Facebook giving user data to third parties. His justification is that the legal team has told him this is okay, but somehow I am not entirely trusting of the legal team's judgement on this, as I have not personally spoken with them.
I had a lot of issues with this and I wanted to get input and verification on my arguments from anyone else who would have expertise. Please let me know if this all makes sense. Here are my issues:
- Proving consent - How would we prove we have their consent with data such as opt-in date and IP if their agreement is not with us?
- Terms of consent - Unless we have the GDPR acceptance terms from every single repository that we got data from, how can we be sure that they have consented to their data being transferred for use by a third party?
- According to the definition of approved third countries, US entities receiving data must be part of Privacy Shield, which I don't believe we are, which will lead to these derogations that must be met.
- Guidelines on data obtained from somewhere other than the subject (Art. 14 GDPR) require specific actions to be taken which we have not taken (Additional information on this).
I feel like this is pretty compelling evidence that the situation he's indicated is NOT GDPR compliant, but I want to be sure. Thanks in advance for any input.