Hacker News new | past | comments | ask | show | jobs | submit login

Are you sure? I didn't find a clear sentence on this last time I looked. It seems hard to define what is derived data (if they guess that a 20 year old is a student, is that derived data? or just a guess) and I can imagine it leaking information about other people if it involved aggregating together pieces of data from multiple people.

The GDPR says "'personal data’ means any information relating to an identified or identifiable natural person". So as long as this derived data is directly related to a person, the GDPR applies.

More explicitly, the UK's regulator says: "You should however note that if this ‘inferred’ or ‘derived’ data is personal data, you still need to provide it to an individual if they make a subject access request."

Huh, thanks for that. So e.g. LinkedIn not providing any information on (say) emails they've scraped seems blatantly illegal too?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact