• Visitors can check out the Forum FAQ by clicking this link. You have to register before you can post: click the REGISTER link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. View our Forum Privacy Policy.
  • Want to receive the latest contracting news and advice straight to your inbox? Sign up to the ContractorUK newsletter here. Every sign up will also be entered into a draw to WIN £100 Amazon vouchers!

GDPR written consent requirements

Collapse
X
  •  
  • Filter
  • Time
  • Show
Clear All
new posts

    GDPR written consent requirements

    I attended a local Chamber of Trade today to be further informed of GDPR requirements on SMEs and Local Government procedures.

    We were determinedly told by a supposedly knowledgeable person that a physically signed consent is required by all EU users rather than a user selected tick box giving consent for information to be stored and used.

    I (again) determinedly stated that the physical signing was not required but was told it definitely is a requirement.

    Am I wrong, is a physical signature required under any conditions.

    #2
    They are wrong.

    There should be a clear request for consent and no pre-ticked boxes are to be used.

    I think they probably got confused by the ‘no pre-ticked box’ reference and took it to mean no boxes can be ticked.

    https://ico.org.uk/media/about-the-i...ion-201703.pdf
    "I can put any old tat in my sig, put quotes around it and attribute to someone of whom I've heard, to make it sound true."
    - Voltaire/Benjamin Franklin/Anne Frank...

    Comment


      #3
      Also wrong that Consent is the only option.

      There are 6 criteria under which lawful processing can take place, consent is only one if them.

      (a) Consent:*the individual has given clear consent for you to process their personal data for a specific purpose.
      (b) Contract:*the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
      (c) Legal obligation:*the processing is necessary for you to comply with the law (not including contractual obligations).
      (d) Vital interests:*the processing is necessary to protect someone’s life.
      (e) Public task:*the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
      (f) Legitimate interests:*the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

      For the other 5 you need to provide a clear, unambiguous Privacy Statement that details what information you will hold, why you hold it, who it may be shared with and what you will do with it. You also have to give the individual the following rights relating to the information you hold.

      the right to be informed
      the right of access
      the right to rectification
      the right to erasure
      the right to restrict processing
      the right to data portability
      the right to object
      the right not to be subject to automated decision-making including profiling.
      "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.

      Comment


        #4
        If you want to go to the source material Article 7 of the GDPR covers consent in conjunction with Recital 32

        Article 7 states :

        Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

        If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

        The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

        When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
        Recital 32 states:

        Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.

        This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.

        Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

        Consent should cover all processing activities carried out for the same purpose or purposes.

        When the processing has multiple purposes, consent should be given for all of them.

        If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
        Recitals 33, 42 and 43 give further context.
        Last edited by DaveB; 22 March 2018, 09:08.
        "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.

        Comment


          #5
          Originally posted by DaveB View Post
          If you want to go to the source material Article 7 of the GDPR covers consent in conjunction with Recital 32

          Article 7 states :



          Recital 32 states:



          Recitals 33, 42 and 43 give further context.
          Even that isn't clear

          When the processing has multiple purposes, consent should be given for all of them.
          Does this mean I can ask once for all purposes or should they be separated out individually - I ask as I'm seeing people doing both.

          Comment


            #6
            Originally posted by madame SasGuru View Post
            Even that isn't clear



            Does this mean I can ask once for all purposes or should they be separated out individually - I ask as I'm seeing people doing both.
            You can do either. The important bit is that you make it clear what they are consenting to in, clear and unambiguous language, and the consent is freely given.

            What you can't do is get consent for one thing and then use the data for something else without telling the subject or their consenting to it.
            "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.

            Comment


              #7
              Originally posted by cojak View Post
              There should be a clear request for consent and no pre-ticked boxes are to be used.

              I think they probably got confused by the ‘no pre-ticked box’ reference and took it to mean no boxes can be ticked.
              This was my thoughts. Tick box is fine but the person needs to consciously tick to opt in, rather than default is it's ticked.

              Comment

              Working...
              X