Recital - 32.
Conditions for Consent
Executive Summary
Consent should be clearly given, collected and stored. The controller's identity;
The purpose of each of the processing operations for which consent is sought;
The types of data that will be collected and used;
The existence of the right to withdraw consent;
Information about the use of the data for decisions based solely on automated processing, including profiling, in accordance with Article 22(2) ; and,
If the consent relates to transfers, about the possible risks of data transfers to third countries in the absence of an adequacy decision and appropriate safeguards (Article 49(1)(a)).
To ensure that this information is conveyed in a manner that remains clear, concise and not unnecessarily disruptive, the use of layered and just-in-time notices should be favored. However, it is important to note that the initial layer contain all of the key information needed for there to be an informed choice.
Quick Wins
Keep a record of consent statements received, so [the controller] can show how consent was obtained, when consent was obtained and the information provided to the data subject at the time. [and] also be able to show that the data subject was informed and the controller's workflow met all relevant criteria for a valid consent.
With that guidance in mind, and from a practical standpoint, consider keeping records of the following:
The name or other identifier of the data subject that consented;
The dated document, a timestamp, or note of when an oral consent was made;
The version of the consent request and privacy policy existing at the time of the consent; and,
The document or data capture form by which the data subject submitted his or her data.
Consent receipt mechanisms can be especially helpful in automatically generating such records.
Recital Text
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.Silence, pre-ticked boxes or inactivity should not therefore constitute consent.Consent should cover all processing activities carried out for the same purpose or purposes.When the processing has multiple purposes, consent should be given for all of them.If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
, 33
Recital - 33.
Consent to Certain Areas of Scientific Research
Executive Summary
If there is a chance that the controller may use the collected data for scientific or statistical research, separate consent needs to be collected for that activity.
Recital Text
It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection.Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research.Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.
, 58
Recital - 58.
The Principle of Transparency
Executive Summary
Explain to your data subject: What you collect, how you collect it, why you collect it, how it is used, and how long you keep it. It is also advisable to give them your DPO contact information if they have questions or want to review their data.
Recital Text
The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used.Such information could be provided in electronic form, for example, when addressed to the public, through a website.This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising.Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.
, 60
Recital - 60.
Information Obligation
Executive Summary
Explain to your data subject: What you collect, how you collect it, why you collect it, how it is used, and how long you keep it. It is also advisable to give them your DPO contact information if they have questions or want to review their data.
Recital Text
The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes.The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed.Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling.Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data.That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing.Where the icons are presented electronically, they should be machine-readable.
, 61
Recital - 61.
Time Of Information
Executive Summary
Explain to your data subject: What you collect, how you collect it, why you collect it, how it is used, and how long you keep it. It is also advisable to give them your DPO contact information if they have questions or want to review their data.
Recital Text
The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case.Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient.Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information.Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.
, 63
Recital - 63.
Right Of Access
Executive Summary
Explain to your data subject: What you collect, how you collect it, why you collect it, how it is used, and how long you keep it. It is also advisable to give them your DPO contact information if they have questions or want to review their data.
Recital Text
A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided.Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing.Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software.However, the result of those considerations should not be a refusal to provide all information to the data subject.Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.
, 65
Recital - 65.
Right of Rectification and Erasure
Executive Summary
Explain to your data subject: What you collect, how you collect it, why you collect it, how it is used, and how long you keep it. It is also advisable to give them your DPO contact information if they have questions or want to review their data.
Recital Text
A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject.In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation.That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet.The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child.However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.
, 67
Recital - 67.
Restriction of Processing
Executive Summary
Explain to your data subject: What you collect, how you collect it, why you collect it, how it is used, and how long you keep it. It is also advisable to give them your DPO contact information if they have questions or want to review their data.
Recital Text
Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website.In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed.The fact that the processing of personal data is restricted should be clearly indicated in the system.
, 73
Recital - 73.
Restrictions of Rights and Principles
Executive Summary
Explain to your data subject: What you collect, how you collect it, why you collect it, how it is used, and how long you keep it. It is also advisable to give them your DPO contact information if they have questions or want to review their data.
Recital Text
Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or manmade disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes.Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.
Executive Summary
A policy should be created and followed stating that a consent form should be created for each separate business purpose, with clear and concise language laid out in a simple form with no pre-checked consent boxes. The consent form should also explain the purpose for processing, types of data that will be collected, the existence of right to withdrawal from consent, and the risks around data transfers if applicable. This form should be presented at the time of data collection.
Article ID: 297
Created: September 27, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/gdpr-transparent-information-communication-and-modalities-for-the-exercise-of-the-rights-of-the-data-subject-consent-form-policy-297.html