Ms Helen Dixon:

I thank the Senator for his interesting question. In a hypothetical scenario, it is difficult to imagine what legal basis any data controller would have to create a centralised database from varied sources without the knowledge of data subjects. The first question to be asked is what is the legal basis for the creation of the database - the procuring of it from other sources. Under Article 14 of the GDPR, if a data controller obtains data indirectly, not directly from the data subject, the data controller has an obligation as soon as possible thereafter to inform the data subject. Typically, that would be an obligation on the data controller.

Fred Logue Associates earlier also referenced Advocate General Bobek from a Rigas case from the Court of Justice of the European Union from 2016. That is a case where in his opinion the Advocate General said it was these data sets that were of primary importance and the primary purpose of data protection law, and the reason it is of primordial importance. I am not sure what is behind the hypothetical scenario the Senator presented but it would certainly be something that would be of interest to us, as a regulator, in terms of how it could be compliant.