Leaked personal data can only be used to protect a data subject's best interests, even if that information is publicly available.
Online data found by Echosec Systems can be present with or without data subject consent. The GDPR defines a data subject as “any person whose personal data is being collected, held or processed.”
Most personal data found on the internet is there with the data subject’s consent. This includes public social media posts, news articles, and community content. As long as these posts are still present on the source website, you’re free to read and act on them according to the rules of that website.
Some data on the internet, however, is there without the data subject’s consent or knowledge. This includes data leaked from a breach or stolen through criminal activity. Under the GDPR, you may use this data only if you are protecting the vital interests of the data subject or another natural person. For example, a law enforcement agency investigating hackers behind a breach, or a personal security team protecting their clients from identity theft, have lawful justification to process personal data whose subjects did not consent to its release. Note that viewing and storing data are two separate things—you should not store data if your use case does not require it.
Echosec Systems collects use cases from its customers in part to verify the data types you will process and the reasons for that processing. Our own privacy compliance requires us to monitor your searches to ensure your processing is lawful.
Echosec Systems can’t speak to the intricacies of every nation’s privacy laws. If you’re unsure about the regulations that apply to your country or industry, you should talk to your own legal team.