G 0.38 Misuse of Personal Data

Personal data is almost always information that deserves special protection. Typical examples are details about the personal or factual circumstances of a specific or identifiable natural person. If the protection of personal data is not sufficiently ensured, there is a risk that the affected persons are compromised in their social position or in their economic circumstances.

Misuse of personal data can occur, for example, when an institution collects too much personal data, has collected it without legal basis or consent, uses it for a purpose other than that which was permissible at the time of collection, deletes personal data too late, or passes it on without authorization.

Examples:

• Personal data may only be processed for the purpose for which it was collected or first stored. It is therefore impermissible to use log files in which the login and logout of users on IT systems is recorded solely for access control purposes for attendance and behavior monitoring.
• People who have access to personal data could pass it on without authorization. For example, staff at a hotel reception could sell guest registration data to advertising firms.