-2

Our company drafts proposals for construction projects and shares them with clients via the web. Each proposal gets its own web page and permalink. For the end-user's convenience, we want these pages to be viewable without requiring a login.

The web page for each proposal may display some personally identifiable information about the end-user, including name and (residential) address. The page also displays sensitive information, including loan terms and payments, the cost of the project, and a 3D diagram.

The name and address may be withheld; most people would recognize their house without needing their street address and name displayed.

The URLs of these pages will not be guessable, so our client information won't be trivially harvestable.

Would such a system violate GDPR?

Note: Internal data handling is already in compliance with GDPR; there are adequate physical and technical controls, etc. I'm focusing on the "Click to view quote" portion, not a general audit of a system.

Note: I'm looking for state of the practice information, not specific legal advice. This is not the place for legal advice.


1 Answer 1

2

Obviously you should listen to your company lawyers, "but people on the internet said so" is never a good defense legally. I also have no idea what kind of data a "proposal" consists of, so that part is a little vague. I will assume it's little to no personal data and consists of fictional future data, something like "we will buy your car for 15k$, this offer is valid until $date".

However, there are already huge companies with legal departments working exactly as you describe. Any logistics company will send you an email with a link that leads to their site, with your information on it. You don't need an account, it will show you when your shipment will arrive, who was the sender and at what address it will be delivered. Basically, skipping the vague "proposal", that is exactly the same data you want to show.

If you make sure that the link you give out is not "guessable" with current technology (let's say a GUID or two), you should be fine. If you add another layer by, let's say, your user having to enter the email address or home address or any of the data you are about to show when they click the link, then you are on the level of European companies like DHL.

I'm not saying big companies cannot fail or do illegal things, but I see nothing in the GDPR that would prevent it, and its use is widespread, so if I overlooked something, somewhere, someone of the millions and millions of customers of this practice would have said something.

Obviously you need your user's consent to have and process that data in the first place, but I guess they request this process and you will have made them aware and got their consent.

5
  • Thanks for the notes about state of the practice, that's what I was looking for. I never expected to use anything on SO for legal purposes, and thanks for the reminder. "Its use is widespread," good point; the shipping example is a good one. In this case, it's user name, physical address (both similar to the shipping example), construction pricing, and some information on typical loans (but no SSNs) for a construction project bid. Nothing terribly sensitive like the example that's often used in GDPR examples, visits to a brothel :)
    – J. Gwinner
    Commented Jun 5 at 9:52
  • The one thing that gives me pause is if the project is at Brad Pitt's house, you're leaking his name and address with a shareable link. Yes, the link would be a UUID or something similar and thus hard to guess. Hmm ... I bet "Brad" orders a lot of stuff on the Internet via his housekeeper's name. Anyway, thanks for the example. I'll mark as the solution if I don't get any other answers soon.
    – J. Gwinner
    Commented Jun 5 at 9:55
  • 3
    Well, in the end, anything is guessable if you have enough guesses. Username/password is guessable, too. If you have a specific email, a password is probably at least as guessable as a random GUID. It's not like passwords are safe just because we call them passwords.
    – nvoigt
    Commented Jun 5 at 10:00
  • Hah. GUIDs would take longer, but agreed. I just checked a random UPS shipment notice, and interestingly it just shows my city, not even an address. Maybe they reorganized. I'll check a few others. At the end of the day, we will hire a GDPR company to help with the audit, but I was trying to nip what I thought was a bad design before we fail an audit, but maybe it isn't so bad. The sales guys REALLY hate passwords. We do have new customers in your country.
    – J. Gwinner
    Commented Jun 5 at 10:08
  • Imagine I work for one of your customers and I go to my boss and tell him “guess what information about our company I just found on the internet”. When you think about GDPR, think about customer retention.
    – gnasher729
    Commented Jun 27 at 7:57
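The design the answer describes (an unguessable link, optionally followed by a second knowledge check before the page is shown), worked through as an added example. This is not code from the question, the answer, or any logistics company; the in-memory store, the proposal fields, the choice of postal code as the second factor, and the 30-day expiry and five-attempt lockout are all assumptions for illustration.

```python
# Added example: a capability URL (unguessable token) for a proposal page,
# plus a second knowledge check before the PII is shown. Not code from the
# question, the answer, or any named company; the store, fields, expiry and
# lockout values are assumptions for illustration.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

TOKEN_BYTES = 32                      # 256 bits of entropy in the link itself
TOKEN_TTL_SECONDS = 30 * 24 * 3600    # assumption: a link stops working after 30 days
MAX_FAILED_CHECKS = 5                 # assumption: lock the link after 5 wrong postal codes


@dataclass
class Proposal:
    client_name: str
    postal_code: str          # second knowledge factor; never shown on the page
    project_cost: float
    token_hash: str = ""      # only the hash of the link token is stored
    issued_at: float = 0.0
    failed_checks: int = 0


def _hash_token(token: str) -> str:
    # The database holds SHA-256(token), so a leaked DB dump or a read-only
    # SQL injection does not yield working links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def token_from_url(url: str) -> str:
    # The token is the last path segment, not a query parameter, so it is
    # less likely to leak through Referer headers and analytics tooling.
    return urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1]


class ProposalStore:
    def __init__(self) -> None:
        self._by_hash: Dict[str, Proposal] = {}

    def issue_link(self, proposal: Proposal, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)   # CSPRNG, not uuid4()/random
        proposal.token_hash = _hash_token(token)
        proposal.issued_at = time.time() if now is None else now
        proposal.failed_checks = 0
        self._by_hash[proposal.token_hash] = proposal
        return f"https://example.invalid/proposal/{token}"

    def view(self, token: str, postal_code: str,
             now: Optional[float] = None) -> Tuple[Optional[Proposal], str]:
        now = time.time() if now is None else now
        proposal = self._by_hash.get(_hash_token(token))
        if proposal is None:
            return None, "unknown link"
        if now - proposal.issued_at > TOKEN_TTL_SECONDS:
            return None, "link expired"
        if proposal.failed_checks >= MAX_FAILED_CHECKS:
            return None, "link locked"
        # Constant-time comparison. A postal code has far less entropy than
        # the token, so the lockout above is what stops it being brute-forced.
        given = postal_code.strip().upper().encode("utf-8")
        expected = proposal.postal_code.strip().upper().encode("utf-8")
        if not hmac.compare_digest(given, expected):
            proposal.failed_checks += 1
            return None, "postal code does not match"
        return proposal, "ok"


if __name__ == "__main__":
    store = ProposalStore()
    link = store.issue_link(Proposal("Jane Doe", "10115", 250000.0))   # constructed sample
    print(link)
    print(store.view(token_from_url(link), "10115")[1])
```

Two points the comments touch on are visible here. First, the token alone is the "logistics company" model: 256 random bits from a CSPRNG are not enumerable, whereas a `uuid4()` gives 122 bits and a sequential ID gives none. Second, the postal-code step is the "enter something you already know" layer from the answer; because that value is low-entropy, it only helps if wrong attempts are counted and the link is locked, and the expiry limits how long a link forwarded or found in a mailbox keeps working. Storing only the hash of the token means a database read does not hand out live links.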
