Hi, does anyone know whether or not mailing lists can be used if the company who sell them are stating they are GDPR compliant and all prospects have opted in? What evidence would we, as a company, need to hold to evidence that
First of all, you would need to be provided with the consent form used for collecting consent from the data subjects. Consent has to be a freely given, specific, informed and unambiguous indication of the individual’s wishes, and you as the controller must keep records so you can demonstrate that consent has been given by the relevant data subject.
Basically, you would need to be able to link any individual to a consent form / consent-giving process (if the consent was provided online).
The consent itself must be:
· Written in plain language - A request for consent must be in an intelligible and accessible form in clear and plain language;
· Separate - where the request for consent is part of a written form, it must be clearly distinguishable from other matters;
· Affirmative action - The consent must consist of a clear affirmative action. Inactivity or silence is not enough and the use of “pre-ticked boxes” is not allowed;
· Catch-all consent is not allowed - If the relevant processing activity has multiple purposes, consent must be given for all of them. For example, it would not be possible to rely on performance of a contract when providing services to an individual and obtain a separate consent for direct marketing.
· No detriment - Consent will not be valid if the individual does not have a genuine free choice or if there is a detriment if they refuse or withdraw consent.
· No power imbalance - Consent might not be valid if there is a clear imbalance of power between the individual and the controller, particularly where the controller is a public authority;
· Unbundled consent - You cannot “bundle consent”. Where different processing activities are taking place, consent is presumed not valid unless the individual can consent to them separately;
· Not tied to contract - Consent is presumed not valid if it is a condition of performance of a contract;
· Withdrawable - The individual can withdraw consent at any time and must be told of that right prior to giving consent. It should be as easy to withdraw consent as it is to give it.
So, in a nutshell, you would need to benchmark the consent with the conditions below and if all of them are complied with then the consent would be valid as per the EU GDPR requirements.