Re: An affiliate network is an affiliate
The Data Protection Act 1998 is very clear on this issue.
Data is interpreted as "processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including—
(a)organisation, adaptation or alteration of the information or data,
(b)retrieval, consultation or use of the information or data
*note (b) specifically covers information automatically retained and its "retrieval and use".
7 Right of access to personal data (1) Subject to the following provisions of this section and to sections 8 and 9, an individual is entitled—
(a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller
In other words your keyword data (held by a network but not passed to a merchant) cannot be used by the organisation holding that data without your prior approval and notification.
10 Right to prevent processing likely to cause damage or distress (1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons—
(a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and
(b) that damage or distress is or would be unwarranted.
This means that the processing of the information stored on the affiliates activity cannot be processed by the data holder if this causes distress. This can apply to pecuniary loss.
11 Right to prevent processing for purposes of direct marketing (1) An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.
(2) If the court is satisfied, on the application of any person who has given a notice under subsection (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.
(3) In this section “direct marketing” means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.
This is primarily to protect the individual from unsolicited correspondence but can also apply in certain circumstances to information contained therein.
THE MAIN POINT:
33 Research, history and statistics (1) In this section—
“research purposes” includes statistical or historical purposes;
“the relevant conditions”, in relation to any processing of personal data, means the conditions—
(a)that the data are not processed to support measures or decisions with respect to particular individuals, and
(b)that the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.
This means clearly that your keyword data is legally protected. If a network uses that data and you suffer pecuniary loss they are in contravention of section 33.
42 Request for assessment (1) A request may be made to the Commissioner by or on behalf of any person who is, or believes himself to be, directly affected by any processing of personal data for an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of this Act.
If you believe a network is using your keywords it is storing you may ask for an assessment by the Commissioner to discover if this is in fact the case.
Enforcement Notices:
47 Failure to comply with notice (1) A person who fails to comply with an enforcement notice, an information notice or a special information notice is guilty of an offence.
(2) A person who, in purported compliance with an information notice or a special information notice—
(a) makes a statement which he knows to be false in a material respect, or
(b) recklessly makes a statement which is false in a material respect,
is guilty of an offence.
61 Liability of directors etc (1) Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly.
Under the Seventh Principle of the Data Protection Act 1998:
10 The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.
The First Principle declares:
1 The data subject has given his consent to the processing.
2 The processing is necessary—
(a) for the performance of a contract to which the data subject is a party, or
(b) for the taking of steps at the request of the data subject with a view to entering into a contract.
3 The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
4 The processing is necessary in order to protect the vital interests of the data subject.
5 The processing is necessary—
(a) for the administration of justice,
(b) for the exercise of any functions conferred on any person by or under any enactment,
(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.
6 (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
Schedule Three is the clincher commercially:
4 The processing—
(a) is carried out in the course of its legitimate activities by any body or association which—
(i) is not established or conducted for profit, and
(ii) exists for political, philosophical, religious or trade-union purposes,
(b) is carried out with appropriate safeguards for the rights and freedoms of data subjects,
(c) relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes, and
(d) does not involve disclosure of the personal data to a third party without the consent of the data subject.
So this is my summary:
A network CAN be an affiliate but may NOT use your keyword data.
