The underside of a lawfully information

GDPR obliged on his article 5-1 to require only lawfully informations. But, what does this notion contain and what are its consequences?

0

The underside of a lawfully information: the automatic need for consent?

The GDPR requires, to process valid personal data, to comply with the lawfulness obligation. In other words, there must be a legal basis to support collection.

What is the legal basis for my collection?

The GDPR indicates it may be the consent of the individual whose information is being collected. But, what if consent has not been given?

Indicates that this may be the consent of the individual whose information is being collected. But what if consent has not been given? Is treatment necessarily prohibited?

Clarification on this notion of consent…

1 – Consent not required

 

There are cases in which, although consent is not required, the processing of the data (ref art. G) will still be valid.

These assumptions are as follows:

  • The processing is necessary for the execution of the contract.

ATTENTION, it is an obligation that the treatment is REALLY necessary …

Practical advice: see if without the information collected the contract can still be fulfilled. If this is the case then, the information is not necessary and consent will be mandatory.

In practice: for example, the postal address for a delivery is necessary for the realization of the purpose of the contract.

Nota bene : to be completely exhaustive, processing may also be necessary for pre-contractual measures.

  • The processing is necessary to comply with a legal obligation to which the controller is subject.

In practice: for example, certain information must be collected by the employer for payroll purposes in order to be transmitted to the concerned organizations. In this case, the employer will not have to seek the consent of its employees.

  • The processing is necessary to safeguard the vital interests of the data subject.

In practice: for example, doctors will have certain information to achieve the vital needs of their patients, (which will also be necessary because of the purpose of the contract).

  • The processing is necessary for the performance of a mission of public interest.

 

  • Processing is necessary for the legitimate interests pursued by the controller or by a third party.

In other words, it must be examined whether the reason for collection by the controller justifies the infringement of the data subject’s fundamental rights and freedoms. A weighing must be carried out in order to protect the natural person in the set up collection.

Unfortunately you don’t fit into any of these categories? You MUST obtain consent.

2 – Consent required

 

As soon as consent is required, you must give the person the following information if you want to be compliant with the GDPR :

  • Identity / contact details of the data controller

Purpose of the file: the purpose of any file must be determined, legitimate and explicit (example: you must inform the person that the collected data will be for customer management, satisfaction survey…)

  • Data recipients

You must be able to indicate who will be the main recipient of the data but also be able to inform about who will have access to the collected information.

  • Mandatory or not

You must inform the person of the consent consequences, (if this entails a contract or not for example) but also the consequences in case of failure to respond (if consent is not given and the purpose of the levy is contractual then the contract is not concluded and its realization can not take place)

  • Person’s rights (right of access, right of rectification, right of opposition…).

The possibility of exercising these rights must be expressly mentioned to the person who must consent.

  • Data transfer outside the territory of the European Union

You must inform persons about your wishes to transfer his data outside the European Union territory.

Attention: once persons had been informed of all these details, they will be able to consent to the treatment you indicate. This consent applies only to the treatment stated. In other words, if you intend to change the terms of it, a new consent must be requested (example: you did not initially intend to process data internationally and now you want to transfer them outside the territory, you must obtain a new consent).

3 – Form of consent

 

Article 4-11 of the European Regulation states that it  is: “any unequivocal expression of specific and enlightened free will by which the person accepts, by a clear positive declaration or act, that personal data concerning him/her are being processed“.

What does that mean?

Free + Specific + Illuminated + Univocal/ Clear

  • Free: the person MUST be given a real choice.

In practice: the fact of not giving consent must not prejudice access to the service. The consumer who has not given consent must be treated as the consumer who has given consent.

  • Specific: consent to treatment must be detached from any other consent.

In practice: for example concerning the General Terms and Conditions of Sale: it is obligatory to distinguish consent to the General Terms and Conditions of Sale from consent to data processing (color code, change of writing, etc.) so that the consumer clearly understands what he is committing himself to.

Nb : we must find here the correlation to the principle of transparency….

  • Enlightened: it is obligatory to give the person all the necessary information so that he can consent.

Nb : we must find here the correlation to the principle of transparency….

  • Univocal/clear: consent must be unambiguous.  That is why opt-outs are not valid; real consent is required.

4 – Burden of proof

It is belonging to the company that collected data to prove that consent was given under the required conditions and not for the customer to prove that he did not give his consent. It is therefore fundamental for companies not to create ANY ambiguity regarding the conditions under which consent was obtained.

Nb : if the previously given consent meets all these conditions, it is not necessary to request a new consent. A contrario, a reiteration of consent is mandatory.

More

Comment

Your email address will not be published.