Expert Advice Community

Guest

Is explicit consent request necessary?

  Quote
Guest
Guest user Created:   Mar 10, 2021 Last commented:   Mar 12, 2021

Is explicit consent request necessary?

I would like to express my appreciation towards you continual help regarding GDPR and other regulatory requirements. I find all of them very helpful and insightful.

I have only just taken over some GSPR responsibilities along with other duties and my GSPR knowledge is quite limited at the time being – I am trying to broaden my knowledge as much as I can. As I am trying to review our Privacy Policy I was hoping you could kindly give some advice, if possible.

We manufacture medical devices and some of them are adapted in order to meet customers` needs. To do so, we require minimal health information, just to help us design and manufacture the device. There is a form that is filled in with the information required either by customers (most of the time) or by us and reviewed by customers. This forms never leave the offices and they are saved in password protected folders. Also, when we process this information we do not assign a full name, but a number representing the specific customer or their initials.

Would we need explicit consent request to be added to the forms that contain brief health related information or could this be covered by the Contract lawful basis?

Thank you in anticipation. Any help will be very much appreciated.

0 0

Assign topic to the user

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Alessandra Nisticò Mar 10, 2021

Yes, you need consent to process health data because they are a particular kind of data (so-called sensitive data), and Article 9 GDPR requires a specific consent for that purpose and even if data are pseudonymized (this is a good security measure). In fact, the performing of contract obligation can be a legal ground for the processing of personal data in general, but sensitive data like health data require consent.

Here you can find more information about consent and data processing:

If you want to learn how personal data are processed under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://training.advisera.com/se/eu-gdpr-foundations-course//

Quote
0 0
Guest
Liliana Mar 12, 2021

Thank you very much for your reply. How about processing of children`s (under 16) data (both health related and non-health related)? Must companies require explicit content, or is it another lawful basis that could be used (e.g. contract)?

Thank you in advance.

Quote
0 0
Expert
Alessandra Nisticò Mar 12, 2021

According to Article 8 GDPR, the processing of children’s data requires consent from their parents or from the person holding parental responsibility over them. Even if the legal ground is a contract, the child cannot enter into a contract without parental consent.Recently, some social networks had been fined by Surveillance Authorities because it was not implemented a system to verify the age of the user and require parental consent. 

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Mar 10, 2021

Mar 12, 2021

Suggested Topics

Guest user Created:   Jul 07, 2021 EU GDPR
Replies: 1
0 0

Is consent obligatory for our products?

Guest user Created:   May 04, 2021 EU GDPR
Replies: 3
0 1

Need for consent

Guest user Created:   Mar 17, 2021 EU GDPR
Replies: 3
0 0

Need of explicit consent