A while ago, we noticed that a Freshdesk account was automatically created for an external supplier that had been CC'd in a ticket by a customer. The account creation was triggered by his e-mail response. After reading stop account auto creation and reaching out to Freshdesk support, I have concluded that this is expected behavior by design.
However, I'm wondering, is automatically storing personal data (name and e-mail) for a customer's external supplier GDPR compliant?
If I look at the legal text found in the EU journal, chapter II, article 5, six possible grounds for lawfully processing personal data are listed, of which at least one should apply. To summarise:
- The subject has given consent
- Processing is necessary for performing a contract
- Processing is necessary to comply with legal obligations
- Processing is necessary to protect vital interests
- Processing is necessary to carry out a task in public interest
- Processing is necessary for the legitimate interest of the controller or a 3rd party
I'm not sure which of these points would apply when automatically storing data of an external supplier.
- We do have a contract with the customer. The external supplier is not a party in this. Point two does not seem to apply.
- The external supplier has not given consent. Consent should also be stored in a way that can be reproduced.
- Checking if any of these points apply seems difficult if the personal data has already been automatically stored. The “damage” has already been done, checking lawfulness can only be done afterwards.
I was wondering what your thoughts are on this?