LOGBOOK

HELP

Quiz Entry - updated: 2026.06.07

Is all of this even legal? What does data protection law say about systematically collecting publicly available information?

OSINT creates personal data through combination, and both the DSGVO and revDSG impose purpose limitation, proportionality, and transparency obligations on anyone who collects it.

Personal data through combination. This is the crucial legal concept. Even if individual data points aren't personal data on their own, OSINT often creates personal data by combining multiple public sources. The moment a collection of facts can identify a specific person, it becomes personal data and triggers full data protection obligations.

Purpose limitation. DSGVO Article 5 Paragraph 1b and revDSG Article 6 Paragraph 3 both require that data be collected for specified, explicit, and legitimate purposes. You can't gather OSINT data "just in case" or for undefined future use.

Legal gray zones. Courts have recognized an important principle: the legality of access does not guarantee the legitimacy of collection. Just because information is publicly accessible doesn't mean you're allowed to systematically harvest it. Automated mass collection of public data can violate privacy rights even though each individual data point was freely accessible.

Bottom line: just because you can access data doesn't mean you're legally permitted to systematically collect, combine, and analyze it. The scale and method of collection matter as much as the accessibility of the source.

From Quiz: PRIVACY / TOM and OSINT | Updated: Jun 07, 2026