GDPR - Conditions for Consent - Consent Form Policy


Recital - 32.
Conditions for Consent
Executive Summary
Consent should be clearly given, collected and stored.
The controller's identity;
The purpose of each of the processing operations for which consent is sought;
The types of data that will be collected and used;
The existence of the right to withdraw consent;
Information about the use of the data for decisions based solely on automated processing, including profiling, in accordance with Article 22(2); and,
If the consent relates to transfers, about the possible risks of data transfers to third countries in the absence of an adequacy decision and appropriate safeguards (Article 49(1)(a)).
To ensure that this information is conveyed in a manner that remains clear, concise and not unnecessarily disruptive, the use of layered and just-in-time notices should be favored. However, it is important to note that the initial layer should contain all of the key information needed for there to be an informed choice.
Quick Wins
Keep a record of consent statements received, so [the controller] can show how consent was obtained, when consent was obtained and the information provided to the data subject at the time. [and] also be able to show that the data subject was informed and the controller's workflow met all relevant criteria for a valid consent.
With that guidance in mind, and from a practical standpoint, consider keeping records of the following:

The name or other identifier of the data subject that consented;
The dated document, a timestamp, or note of when an oral consent was made;
The version of the consent request and privacy policy existing at the time of the consent; and,
The document or data capture form by which the data subject submitted his or her data.
Consent receipt mechanisms can be especially helpful in automatically generating such records.
Recital Text
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Recital - 33.
Consent to Certain Areas of Scientific Research
Executive Summary
If there is a chance that the controller may use the collected data for scientific or statistical research, separate consent needs to be collected for that activity.
Recital Text
It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.
Recital - 58.
The Principle of Transparency
Executive Summary
Explain to your data subject: What you collect, how you collect it, why you collect it, how it is used, and how long you keep it. It is also advisable to give them your DPO contact information if they have questions or want to review their data.
Recital Text
The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.
Recital - 60.
Information Obligation
Executive Summary
Explain to your data subject: What you collect, how you collect it, why you collect it, how it is used, and how long you keep it. It is also advisable to give them your DPO contact information if they have questions or want to review their data.
Recital Text
The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.
Recital - 61.
Time Of Information
Executive Summary
Explain to your data subject: What you collect, how you collect it, why you collect it, how it is used, and how long you keep it. It is also advisable to give them your DPO contact information if they have questions or want to review their data.
Recital Text
The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.
Recital - 73.
Restrictions of Rights and Principles
Executive Summary
Explain to your data subject: What you collect, how you collect it, why you collect it, how it is used, and how long you keep it. It is also advisable to give them your DPO contact information if they have questions or want to review their data.
Recital Text
Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or manmade disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes. Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.
Executive Summary
A policy should be created and followed stating that a consent form should be created for each separate business purpose, with clear and concise language laid out in a simple form with no pre-checked consent boxes. The consent form should also explain the purpose for processing, the types of data that will be collected, the existence of the right to withdraw consent, and the risks around data transfers if applicable. This form should be presented at the time of data collection.



Article ID: 288
Created: September 27, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/gdpr-conditions-for-consent-consent-form-policy-288.html