How JustAnswer Works:
  • Ask an Expert
    Experts are full of valuable knowledge and are ready to help with any question. Credentials confirmed by a Fortune 500 verification firm.
  • Get a Professional Answer
    Via email, text message, or notification as you wait on our site. Ask follow up questions if you need to.
  • 100% Satisfaction Guarantee
    Rate the answer you receive.
Ask Alex J. Your Own Question
Alex J.
Alex J., Solicitor
Category: Law
Satisfied Customers: 3844
Experience:  Solicitors 2 years plus PQE
Type Your Law Question Here...
Alex J. is online now

Data Protection Directorate question: We build and manage

Customer Question

Data Protection Directorate question:
We build and manage online surveys for clients. The respondents provide 360° feedback on other workers (with their permission) and their answers are grouped and non attributable to protect confidentiality of the respondent. We have just been asked by one client to identify the input of each respondent so that the two most senior people in the organisation can view this. We are reluctant to go down this route for a number of reasons even though the client has promised us and put in writing that everyone will be briefed and will have acquiesced to this variation in our standard process.
I am uncomfortable with this and want to make sure that we as the supplier of the service are not breaking any laws and doing everything reasonable to uphold both the fact and the spirit of the directorate.
I would like to be able to quote the client any elements of the directorate that are applicable in this situation.
Submitted: 1 year ago.
Category: Law
Expert:  Jamie-Law replied 1 year ago.

Hello my name is ***** ***** I will help you with this.

What is it you want to achieve please?

Customer: replied 1 year ago.

Hi Jamie,

I want to understand my position. I need to know what our liability might be as the providers of the service if the client does not correctly obtain the permission of the respondents to attribute their responses.

I want to make sure that we have adequately mitigated any claim that the individual respondents might have against my company if their data is used inappropiately by the client.

Is it enough in law to have it in writing from the client that they have obtained the permission of each individual to identify their data input or do I need to do anything else.

Does the client need to have written acquiescence from each respondent to confirm their acceptance of the use of the data?

When I go back to the client I need to be able to refer to the relevant sections within the EU and UK Data Protection Acts/Directorate.

Kind regards

Expert:  Jamie-Law replied 1 year ago.

you need to have a clause in the contract giving you an indemnity. That way you are protected. If they refuse to give you an indemnity then you should not use the data.

An indemnity protects you.

In short the law says you need consent from the persons who's data it is you are using.

Can I clarify anything for you about this today please?

Customer: replied 1 year ago.

Hi Jamie,

The indemnity is a catch all but a) it does not answer my question and b) I am not sure that having an indemnity would mitigate any responsibility under the Data Protection framework, which is why I headed my question specifically with this issue.

I also asked in the main question for specific reference to the articles within the act that relate to my issue so that I can quote them to my client.

I also want to know if it is sufficient to have a written statement from the client confirming that everybody has been briefed and agreed to have their data attributed.

In summary you have not really answered my question


Expert:  Jamie-Law replied 1 year ago.

Morning Chris, apologies for the overnight delay.

Under the Act you must satisfy a 'condition for processing'.

This includes consent of the individual.

If you have been given direct consent then all well and good. If the data is being handled by a third party and sent to you then as long as you have a genuine and honest belief that is enough. You can get confirmed in writing from the third party that they have obtained the consent to process the data and indeed that it will be handed to another third party (you).

They need permission from their customers that outside people will process their data. If you do not have this then it can not be done.

The conditions for processing can be found here:

Does that clarify?

Customer: replied 1 year ago.

Hi Jamie,

I didn't receive your message until Saturday and I was away for the weekend, which is a bit weird because I marked it as urgent/important

We process the data, since we have to analyse the data and identify the respondents. We also hold the respondents name and email address as well as the data that they input to the survey, so we are responsible.

You mention that "they need permission from their customers that outside people will process their data. If you do not have this then it can not be done". The target population is my client's staff, not customers (does this make any difference?), and they will know that the data is being processed by a third party.

I've mentioned it a couple of time but I want to know the specific areas with the Directorate that this relates to. The Directorate is the European power which supercedes the UK Data Protection. The link you provided is to the UK Information Commissioner. Does this incorporate European Directorate law? (I could find no reference to the

Expert:  Alex J. replied 1 year ago.

Hi, Thank you for your question and welcome. My name is ***** ***** I will assist you. I reviewed your correspondence here and note your request to understand the position under EU Law - the EU Data Protection does not have direct effect on English Law, that is why we have the Data Protection Act - it is the English expression of the EU requirements under the EU directive. Is your client based in the UK? A starting point may be to see a sample employment contract from the client, normally employment contracts contain the consent needed to process personal data? Are the surveys related to working conditions? When you start the survey is the employ told their data is anonymised?

Customer: replied 1 year ago.

Hi Alex,

Thanks for your input. My understanding is that the Directorate supercedes the UK DPA since it is a Directorate and now enshrined in European Law.

Also I was talking to Jamie and now you have appeared on the scene. This is the first time that another legal expert has taken over a project and I am not sure how this works from a payment point of view, so I would just like to understand where I stand in terms of fees for this project?

So could you please clarify before I waste your precious time and effort on this matter?

Kind regards

Expert:  Alex J. replied 1 year ago.

Hi, Thank you. My colleague opted out of the question. Data Protection is one of my fields of expertise. The EU Directorate on Data Protection does supersede all other local laws, but only through legislation, your initial complaint, if that is what you have, is dealt with at local level by the Information Commissioner of each country. If the EU wishes to change something they pass new legislation, which is currently happening with the GDPR - General Data Protection Legislation. If your either your client or yourself do not have consent of the employees to use their data then you cannot comply with your client's request retrospectively, you can comply going forward by obtaining consent.

In terms of fees, you do not pay any additional sums for having an additional expert as my colleague opted out. We can continue on this thread for as long as you need to resolve your query. If you would like to leave feedback for me in the mean time I would be most grateful. Kind regards AJ