If your organisation processes personal data, then this article is for you.
According to the GDPR, any organisation that processes personal data must have the consent of the data subject. Article 4(11) of the GDPR defines consent as follows:
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Here are the five main points to remember:
1. Given freely
A person sharing his/her data must do so willingly and must be given the option to refuse. For instance, consent to the sharing of data cannot be made a condition of using your services. According to Recital 42, “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”
However, where you require some data from an individual in order to provide them with your service, such as credit card information to process a transaction, you are exempt from obtaining consent.
Furthermore, separate consent should be obtained for each data processing operation. For example, a company looking to collect email addresses for marketing purposes and IP addresses for website analytics purposes must give individuals the choice of which information they are willing to disclose.
2. Specific
In the previous example of collecting information for two different purposes, the purpose of each data processing activity must be made clear to the disclosing party, and the individual must be given the opportunity to consent to each activity separately.
In addition, if you conduct a data processing activity for several purposes, such as storing email addresses for both marketing and identification purposes, you must obtain consent for each purpose.
3. Informed
Informed consent means that the data subject knows your identity, the data processing activity you intend to perform and its purpose, and knows that they can withdraw their consent at any time.
It also means that the request for consent, the description of the data processing activity, and its purpose are written in plain language ("in a clear and plain language, in a clear and easy-to-access format"). That is, there is no jargon and no legal terminology. Anyone who accesses your service should understand that you are asking them for their consent.
4. Unambiguous
Unambiguous consent "may include checking a box when visiting an Internet website, selecting the technical settings or other statements or behaviors of information society services, in which case it is clear that the data subject accepts the proposed processing of personal data."
5. Can be Revoked
The GDPR does not specify how long consent remains valid. In theory, a person’s consent is indefinite, although in some cases it is clearly no longer valid or reasonable, or it violates certain data processing principles.
However, the data subject has the right to withdraw consent at any time, and you must make it easy for them to do so. Generally speaking, withdrawing consent should be as easy as giving it.
At Ascentrix Consulting, we can help you review your privacy policy and data protection procedures. Contact us if you feel that you need to review your policies.