The Legal State of Play
Under the General Data Protection Regulation (GDPR), your data can only be processed for “specified, explicit and legitimate” purposes. It also must be kept accurate, up-to-date, and safe. You must also provide your consent for how it can be used. Although companies collecting your data must undertake a DPIA (Data Protection Impact Assessment) as to how that data is used and processed, in the main our investigations show that is not happening.
By using your data in ways that contravene the GDPR, certain third parties are breaking the law.