1. “as a controller you must keep records so you can demonstrate that consent has been given by the relevant individual”: what does this mean exactly? A copy of the request by email for example, or of the completed subscription form?
2. Second database (stakeholders mapping): “No consent is needed, you just need to provide them with a Privacy Notice”: does this mean that as soon as we gather professional data from an individual, this person has to be aware of it?
3. Second database (stakeholders mapping): the processing doesn’t seem to respect the conditions you list at the very end, as there is no consent (and, if I understood correctly, no need for it). Can we understand “legitimate interests” as the necessary actions taken by an organisation to conduct its activities? If that is not the case, is it really possible to make a stakeholders mapping compliant with the GDPR?
1. It can be the ones you mentioned; it could be the activity logs if the consent was given in the online environment. There are various types of records you can keep and these are closely linked with the channels you use to collect the consent from the data subjects.
- within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
- if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
- if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
2. If you want to rely on “legitimate interest” you would need to perform a Legitimate Interest Assessment, which is a basic assessment of the processing activity against the rights and freedoms of the data subjects concerned.
Usually a Legitimate Interest Assessment is structured into three areas:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?