Hello, A while ago, we noticed that a Freshdesk account was automatically created for an external supplier that had been CC'd in a ticket by a customer. The account creation was triggered by his e-mail response. After reading stop account auto creation and reaching out to Freshdesk support, I have concluded that this is expected behavior by design.However, I'm wondering, is automatically storing personal data (name and e-mail) for a customer's external supplier GDPR compliant?If I look at the legal text found in the EU journal, chapter II, article 5, six possible grounds for lawfully processing personal data are listed, of which at least one should apply. To summarise: The subject has given consent Processing is necessary for performing a contract Processing is necessary to comply with legal obligations Processing is necessary to protect vital interests Processing is necessary to carry out a task in public interest Processing is necessary for the legitimite interest of the controller or a 3rd partyI'm not sure which of these points would apply when automatically storing data of an external supplier.We do have a contract with the customer. The external supplier is not a party in this. Point two does not seem to apply. The external supplier has not given consent. Consent should also be stored in a way that can be reproduced. Checking if any of these points apply seems difficult if the personal data has already been automatically stored. The “damage” has already been done, checking lawfulness can only be done afterwards.I was wondering what your thoughts are on this? Best regards, Huib

Automatic account creation and GDPR compliancy

Hello,

A while ago, we noticed that a Freshdesk account was automatically created for an external supplier that had been CC'd in a ticket by a customer. The account creation was triggered by his e-mail response. After reading stop account auto creation and reaching out to Freshdesk support, I have concluded that this is expected behavior by design.

However, I'm wondering, is automatically storing personal data (name and e-mail) for a customer's external supplier GDPR compliant?

If I look at the legal text found in the EU journal, chapter II, article 5, six possible grounds for lawfully processing personal data are listed, of which at least one should apply. To summarise:

The subject has given consent
Processing is necessary for performing a contract
Processing is necessary to comply with legal obligations
Processing is necessary to protect vital interests
Processing is necessary to carry out a task in public interest
Processing is necessary for the legitimite interest of the controller or a 3rd party

I'm not sure which of these points would apply when automatically storing data of an external supplier.

We do have a contract with the customer. The external supplier is not a party in this. Point two does not seem to apply.
The external supplier has not given consent. Consent should also be stored in a way that can be reproduced.
Checking if any of these points apply seems difficult if the personal data has already been automatically stored. The “damage” has already been done, checking lawfulness can only be done afterwards.

I was wondering what your thoughts are on this?

Best regards,

Huib

Join the Community or User Group to Participate in this Discussion

Reply

Join the Community

Social Login

Sign in to the Community

Social Login

Scanning file for viruses.

This file cannot be downloaded