
Expert Advice Community

Is explicit consent request necessary?

Guest user Created:   Mar 10, 2021 Last commented:   Mar 12, 2021

I would like to express my appreciation for your continual help regarding GDPR and other regulatory requirements. I find all of them very helpful and insightful.

I have only just taken over some GSPR responsibilities along with other duties and my GSPR knowledge is quite limited for the time being – I am trying to broaden my knowledge as much as I can. As I am trying to review our Privacy Policy, I was hoping you could kindly give some advice, if possible.

We manufacture medical devices and some of them are adapted in order to meet customers' needs. To do so, we require minimal health information, just to help us design and manufacture the device. There is a form that is filled in with the information required either by customers (most of the time) or by us and reviewed by customers. These forms never leave the offices and they are saved in password-protected folders. Also, when we process this information we do not assign a full name, but a number representing the specific customer or their initials.

Would we need an explicit consent request to be added to the forms that contain brief health-related information, or could this be covered by the Contract lawful basis?

Thank you in anticipation. Any help will be very much appreciated.


Expert
Alessandra Nisticò Mar 10, 2021

Yes, you need consent to process health data because they are a particular kind of data (so-called sensitive data), and Article 9 GDPR requires specific consent for that purpose, even if the data are pseudonymized (this is a good security measure). In fact, the performance of contractual obligations can be a legal ground for the processing of personal data in general, but sensitive data like health data require consent.

Here you can find more information about consent and data processing:

If you want to learn how personal data are processed under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course//

Guest
Liliana Mar 12, 2021

Thank you very much for your reply. How about processing of children's (under 16) data (both health-related and non-health-related)? Must companies require explicit consent, or is it another lawful basis that could be used (e.g. contract)?

Thank you in advance.

Expert
Alessandra Nisticò Mar 12, 2021

According to Article 8 GDPR, the processing of children’s data requires consent from their parents or from the person holding parental responsibility over them. Even if the legal ground is a contract, the child cannot enter into a contract without parental consent. Recently, some social networks had been fined by Surveillance Authorities because a system to verify the age of the user and require parental consent had not been implemented.
