LIVE VIRTUAL TRAININGS
Learn in small groups from top experts and real-life examples

Expert Advice Community

Guest

Consent and Privacy notice

  Quote
Guest
Guest user Created:   Apr 10, 2018 Last commented:   Apr 10, 2018

Consent and Privacy notice

If possible, I would just need a few clarifications:
0 0

Assign topic to the user

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Andrei Hanganu Apr 10, 2018
1. “as a controller you must keep records so you can demonstrate that consent has been given by the relevant individual”: what does this mean exactly? A copy of the request by email for example, or of the completed subscription form?
2. Second database (stakeholders mapping): “No consent is needed, you just need to provide them with a Privacy Notice”: does this mean that as soon as we gather professional data from an individual, this person has to be aware of it?
3. Second database (stakeholders mapping): the processing doesn’t seem to respect the conditions you list at the very end, as there is no consent (and, if I understood correctly, no need for it). Can we understand “legitimate interests” as the necessary actions taken by an organisation to conduct its activities? If that is not the case, is it really possible to make a stakeholders mapping compliant with the GDPR?

Answers:

1. It can be the ones you mentioned, it could be the activity logs if the consent was given in the online environment. There are various types of records you can keep and these are closely linked with the channels you use to collect the consent from the data subjects.

2. If you are collecting the information directly from the data subject you need to provide the Privacy Notice when you collect the data. However, if you obtain the personal data from a third party ( EU GDPR art. 14 – “Information to be provided where personal data have not been obtained from the data subject” - https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/) you need to provide the Privacy Notice based on the following timeline:

- within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
- if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
- if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

You can find valuable information about Privacy Notices form our webinar “Privacy Notices Under the EU GDPR” - https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/

2. If you want to rely on “legitimate interest” you would need to perform a Legitimate Interest Assessment which is a basic assessment of the processing activity against the rights and freedoms of the data subjects concerned.
Usually a Legitimate Interest Assessment is structures into three areas:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?

The Information Commissioner Office issued some guidance on legitimate interest - https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Apr 10, 2018

Apr 10, 2018

Suggested Topics

Guest user Created:   Mar 26, 2021 EU GDPR
Replies: 3
0 0

NPS form - GDPR Rules

Guest user Created:   Aug 05, 2020 EU GDPR
Replies: 1
0 0

GDPR queries