GDPR issues for an online BMI calculator...

Myuser01

Registered User
Messages
23
Creating an online BMI calculator that'll store details like email, height, current weight, goal weight, age, sex on a server.

What exactly are my GDPR/Legal obligations with regards to this information? The idea is that the user receives a BMI reading from their details along with a spamspamspamspam plan.

I will of course have the user tick a box to receive marketing messages. They'll be able to unsubscribe and will have access to a privacy policy and terms of service for the site.

thanks,
 

24601

Frequent Poster
Messages
269
Creating an online BMI calculator that'll store details like email, height, current weight, goal weight, age, sex on a server.

What exactly are my GDPR/Legal obligations with regards to this information? The idea is that the user receives a BMI reading from their details along with a spamspamspamspam plan.

I will of course have the user tick a box to receive marketing messages. They'll be able to unsubscribe and will have access to a privacy policy and terms of service for the site.

thanks,

What you're proposing includes the collection and processing of health data and would therefore fall under the requirements governing "special category" data under GDPR. There are lots of requirements relating to the processing of such data. The UK's ICO generally has very good and easy-to-understand information in relation to GDPR. I would recommend giving this a read. This probably won't give you much detail on the technical aspects of safeguarding the information though, so you'll have to look at how the information will be stored on the server, who has access, how it will be protected (passwords, firewalls, physical infrastructure, standard of encryption), how long it is kept for, where it is backed up, etc. This would all have to be summarised in the privacy statement with specifics for the data that relates to health.
 

Jim2007

Frequent Poster
Messages
2,212
Beyond the email address of an opt in marketing request, you should not store anything else. There is no need to do so and you have no justification for retaining it.
 

SPC100

Frequent Poster
Messages
729
Not sure if this helps for GDPR, but what about storing the email only on the server and putting the others in a client-side cookie?

Worst case occasionally your customers have to answer the same question.
 
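As an added illustration of the data-minimisation idea in the two posts above (keep only the email server-side, keep the body measurements in the browser), here is an example that is not from this thread or from any poster. One technical caveat on the cookie suggestion: a cookie is sent back to the server on every request to that origin, so it does not actually keep the data off the server (or out of its access logs). The example therefore uses the browser's localStorage, which is never transmitted, and abstracts the storage object so the code also runs under Node for testing. The key name, field names and the sample form submission are assumptions made for the example; the BMI formula is the standard weight in kilograms divided by height in metres squared.

```javascript
// Added example (not from the thread): client-side BMI calculation with
// data minimisation. The server only ever receives the email address and
// the marketing-consent flag; height, weight, goal weight, age and sex stay
// in the browser (localStorage, which unlike a cookie is never sent).
// `storage` is any object with getItem/setItem/removeItem, e.g.
// window.localStorage in a browser or memoryStorage() below for tests.

const PROFILE_KEY = 'bmi.profile.v1'; // assumed key name for this example
const NUMERIC_FIELDS = ['heightCm', 'weightKg', 'goalWeightKg', 'age'];

// Validate and normalise what the form submits. Throws on bad input so
// nonsense never reaches either storage or the calculation.
function normaliseProfile(raw) {
  const out = {};
  for (const f of NUMERIC_FIELDS) {
    const v = Number(raw[f]);
    if (!Number.isFinite(v) || v <= 0) throw new RangeError(`invalid ${f}`);
    out[f] = v;
  }
  if (raw.sex !== 'm' && raw.sex !== 'f') throw new RangeError('invalid sex');
  out.sex = raw.sex;
  return out;
}

// BMI = kg / m^2, rounded to one decimal place.
function computeBmi(heightCm, weightKg) {
  const m = heightCm / 100;
  return Math.round((weightKg / (m * m)) * 10) / 10;
}

// WHO adult BMI bands.
function bmiCategory(bmi) {
  if (bmi < 18.5) return 'underweight';
  if (bmi < 25) return 'normal';
  if (bmi < 30) return 'overweight';
  return 'obese';
}

function saveProfile(storage, raw) {
  const p = normaliseProfile(raw);
  storage.setItem(PROFILE_KEY, JSON.stringify(p));
  return p;
}

// Returns null when nothing is stored or the stored value fails validation
// (e.g. a tampered or stale entry), so the caller simply asks again.
function loadProfile(storage) {
  const s = storage.getItem(PROFILE_KEY);
  if (s === null || s === undefined) return null;
  try {
    return normaliseProfile(JSON.parse(s));
  } catch (e) {
    return null;
  }
}

function clearProfile(storage) {
  storage.removeItem(PROFILE_KEY);
}

// Everything the server is allowed to see. Fields are picked explicitly
// rather than forwarding the form object, so a field added to the form
// later cannot leak server-side by accident.
function buildSignupRequest(form) {
  const email = String(form.email || '').trim();
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) throw new RangeError('invalid email');
  return { email, marketingOptIn: form.marketingOptIn === true };
}

// The report shown to the user, computed entirely in the browser.
function reportFor(storage) {
  const p = loadProfile(storage);
  if (!p) return null;
  const bmi = computeBmi(p.heightCm, p.weightKg);
  return {
    bmi,
    category: bmiCategory(bmi),
    toGoalKg: Math.round((p.weightKg - p.goalWeightKg) * 10) / 10,
  };
}

// Minimal in-memory stand-in for window.localStorage (tests and demos only).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Constructed sample form submission (strings, as a real form would post).
const SAMPLE_FORM = {
  email: 'user@example.com', marketingOptIn: true,
  heightCm: '180', weightKg: '85', goalWeightKg: '78', age: '34', sex: 'm',
};
```

The split is the whole point: `buildSignupRequest` is the only function whose output crosses the network, and it carries nothing but the email and the consent flag, so the server-side record is exactly what Jim2007 describes. The thread's other points (explicit consent, retention limits, the privacy statement) still apply to whatever the server does keep; this only shrinks what that is.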

PatrickSmithUS

Registered User
Messages
115
Your main checklist items are included here. As long as you keep everything safe, allow data subjects access to it and set a limit on the retention of the data, you should be ok.
 

RedOnion

Frequent Poster
Messages
5,257
Your main checklist items are included here. As long as you keep everything safe, allow data subjects access to it and set a limit on the retention of the data, you should be ok.
You've obviously determined that none of the data mentioned is classed as sensitive personal data before giving that advice?
 

PatrickSmithUS

Registered User
Messages
115
You've obviously determined that none of the data mentioned is classed as sensitive personal data before giving that advice?

You'll be grand with any kind of sensitive data if you have everything safe and have your consent and retention policies fully compliant. Talk to a cybersecurity firm if you've big worries about it but, from my amateur outlook, that would be sufficient.
 

RedOnion

Frequent Poster
Messages
5,257
You'll be grand with any kind of sensitive data
So long as you have explicit consent, and the collection / processing of the data is necessary to fulfill your obligations, etc...

The processing of sensitive data is prohibited under GDPR except in specific circumstances.

These things are always 'grand' until they're not.
 

DeeKie

Frequent Poster
Messages
691
You need to do a DPIA before doing this as you are going to process special category data.
 

PatrickSmithUS

Registered User
Messages
115
So long as you have explicit consent, and the collection / processing of the data is necessary to fulfill your obligations, etc...

The processing of sensitive data is prohibited under GDPR except in specific circumstances.

These things are always 'grand' until they're not.
Most of the 'specific circumstances' that you allude to are exactly what I mentioned.
 

RedOnion

Frequent Poster
Messages
5,257
Most of the 'specific circumstances' that you allude to are exactly what I mentioned.
It wasn't very clear to me in your post.
Your advice in summary is it's all perfectly legal, so long as what you're doing is legal?

You provided a link that only mentions that you should check if article 9 applies. Not what it means. That's exactly the kind of data we're talking about here.
 

PatrickSmithUS

Registered User
Messages
115
It wasn't very clear to me in your post.
Your advice in summary is it's all perfectly legal, so long as what you're doing is legal?

You provided a link that only mentions that you should check if article 9 applies. Not what it means. That's exactly the kind of data we're talking about here.

I said it should be ok if you have the proper cybersecurity measures and authorization in place. There would be a requirement for having a sound legal basis for processing it as well, so you would need to establish that also.
 

PatrickSmithUS

Registered User
Messages
115
You have to laugh though, in fairness, that a regional German data protection authority fines a computer retailer €10.4m for using CCTV to monitor staff but we decided to fine Twitter €300k for not adhering to breach reporting requirements.

There's a massive WhatsApp fine coming at least due to a requirement for collaboration with other EU data protection authorities on cross-border breaches. That might be a welcome addition to the state balance sheet for the post COVID recession.
 

Leo

Moderator
Messages
12,162
You have to laugh though, in fairness, that a regional German data protection authority fines a computer retailer €10.4m for using CCTV to monitor staff but we decided to fine Twitter €300k for not adhering to breach reporting requirements.

Would that not in some way reflect a deliberate and massive invasion of privacy versus an administrative error? Severe penalties around disclosure failings will lead to more companies hiding breaches.
 