The Curious Case of Metadata in Personal Data Processing Operations

Metadata is data about data, offering information about the data it refers to. In Microsoft Word, you can find a document’s metadata by clicking File à Info and looking for the fields Pages, Words, Author and so on. It is generally the data you forget to clear when you share a document. Press loves this, because when a public institution shares a Word document, you can see who authored it, who modified it, when it was last modified and so on.

Metadata is heavily used in applications, solutions, websites, web applications, cloud instances, etc. But just like in the Word example I gave above, people forget to delete it or at least to secure it when it is not needed anymore. And this is a huge compliance issue, because if the metadata is inextricably linked to personal data, it becomes personal data according to Regulation 2018/1807 of the European Parliament and of the Council (Framework for the free flow of non-personal data in the European Union).

When personal metadata is processed, it must obey all GDPR principles listed in Article 5: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality. Also, the data controller is accountable for how it chooses to process personal metadata and must make sure that it adheres to “Personal Data by Design and by Default” principle in GDPR (Article 25).

So, what should you do in order to make sure that you are GDPR-Compliant (bear in mind that not only GDPR, but all modern privacy legislation in the world require these steps) while working with metadata?

1. 1.      Map and identify all personal data flows, personal data categories, purposes and legal grounds for processing. This is where you should identify all metadata categories.
2. 2.     Usually, metadata processing is done on legitimate interest, as this data is automatically generated by software or hardware. So, make sure you understand the legitimate interest (WHAT do you want to accomplish), necessity (WHY do you need to generate metadata), proportionality (HOW MANY categories of metadata are necessary and WHY) and what rights and freedoms of data subjects you might impact with your processing.
3. 3.     There should be a balance – legitimate interest versus affected rights and freedoms of data subjects. So make sure you perform an objective assessment to make sure that the processing is not very intrusive – the Italian Data Protection Authority issued a GDPR-fine for Lazio Region in Italy because it was monitoring employees’ emails metadata.
4. 4.     Make sure that the processed metadata is correct and that it is deleted when it is no longer necessary. GDPR establishes that every personal data category must have a retention policy, so metadata is not excepted.
5. 5.     Secure access to metadata – it can be used by hackers to gain access to confidential information. If metadata is exposed, we are talking about a personal data breach with possible negative effects to data subjects, and data protection authorities should be contacted.
6. 6.     Before starting the processing of metadata, make sure you inform data subjects about the fact that you generate metadata and you process it. Inform them in a simple, clear, friendly way by telling them briefly about the purposes and metadata categories (but don’t spend time listing all metadata categories, the privacy notice might become unreadable) and help them understand what benefits they get. Also inform them on their exercisable rights – including the right to object (Article 21) to metadata processing.