Are connecting organizations able to make a copy of my data? In which case my data is out of my control.


So if I decide to stop sharing my personal data, how can I be certain that a connecting organization will respect my decision and delete all copies of my data? including any new data derived from my personal data.

Is there any technical/legal safeguard regarding copied data and derived data?



Wed, 06/07/2016 - 03:44



More Details

Hi cyborg, thanks for your question. The answer is multi part:

  • Under the Trust Framework and, within that, the data sharing agreement that is in place between you and the connected organisation, the legal basis of consent is enshrined in contract law above and beyond the Data Protection Act. The connecting organisation — as part of their terms of connection — acknowledge and accepts that all data is shared under a data sharing agreement and that once that consent is removed, they have no legal rights to onward use of the data.
  • Unlike the DPA, where any misuse by an organisation is handled via a complaints process, the data sharing agreement under contract law allows for an individual to take direct action against an organisation in breach of their contract.
  • Notwithstanding this fact, the individual will also be in breach of the terms of connection which could lead them being unable to use the platform with any of their connected customers once a breach is established.
  • The goal of the Mydex Platform is to empower individuals to be active participants and take action directly where they have concerns. Any member should however realise that many organisations have a regulatory obligation to retain data for compliance purposes as evidence of transactions, so may quite legally retain a copy for audit and regulatory purposes.
  • The technical means of removing every last copy of personal data held by an organisation automatically is not available and it is only privacy by design and solutions offered by Mydex that provide the evidence and means of taking action directly if a case of misuse is suspected.
  • The emerging General Data Protection Regulation will further extend consumer rights in this area. For this reason, we are seeing that the area of Consent as a Service, with full audit capability, is increasingly considered an essential person-centred service.
MydexCIC's picture
Wed, 13/07/2016 - 16:23