Expert Advice Community

Guest

Need for consent

  Quote
Guest
Guest user Created:   May 04, 2021 Last commented:   May 11, 2021

Need for consent

I have attended few of your webinars over GDPR. I have a question for you hope you will help me. GDPR says consent is not required is a contract is signed. If a Bank says Account Opening form, filled by customer is a legal contract with Bank, so they dont need customer consent to control and process data. Is it correct? As per my understanding consent is different from AoF. Can you please guide me with GDPR references that still Bank need consent.

0 1

Assign topic to the user

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Alessandra Nisticò May 05, 2021

Data processing can be based on consent (art. 6 paragraph 1 lett. a GDPR) or "when processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;" (art. 6 paragraph 1 lett. b GDPR).

Filling the form of the bank in order to open a bank account is among the necessary steps to enter into a contract, therefore the Bank can process your personal data. Of course, data can be processed only for contractual related activities, the bank needs your consent to process your data for other reason as marketing or profiling.

Consider also that the bank doesn't need your consent when "processing is necessary for compliance with a legal obligation to which the controller is subject" (art. 6 paragraph 1 lett. c GDPR) I.e, in the execution of anti-fraud, anti-laundering, anti-terrorism regulations.

Here you can find more information about the legal basis for processing data:

If you need to understand how to process consent under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://training.advisera.com/se/eu-gdpr-foundations-course//

Quote
0 1
Guest
Guest user May 10, 2021

hanks for your response, I am now clear that if any form of contract or agreement signed between controller and data subject, it does not require specific consent. Specially if bank has signed account opening forms or product and services forms, then specific consent is not required. 

1 - With this understanding I have another question, is Bank allowed to share/process data via third parties without specifically mentioning in the form/contract at the time of customer on-boarding, to fulfill the contract? Or bank can share a privacy notice on their website that bank will process your data via third parties?

2 - Is it mandatory for the organization/bank to mention the name/region of third-party data processor specially if it is a non-EU state? 

3 - Can any organization mention term "we may share your data to third-party service providers" or it has to be specific by mentioning the service outsourced, name and region of the service provider? And where it has to be clarified at the time of contract or via privacy notice?

Thanks and looking forward for your expert opinion

Quote
0 0
Expert
Alessandra Nisticò May 11, 2021

"Thanks for your response, I am now clear that if any form of contract or agreement signed between controller and data subject, it does not require specific consent. Specially if bank has signed account opening forms or product and services forms, then specific consent is not required.1 - With this understanding I have another question, is Bank allowed to share/process data via third parties without specifically mentioning in the form/contract at the time of customer on-boarding, to fulfill the contract? Or bank can share a privacy notice on their website that bank will process your data via third parties?

The bank can share data with third-party processors, but in the privacy notice the bank should mention that data will be shared and for what purpose. The privacy notice should be given with the contract because the data subject should be able to know what data will be processed and how in the contract relationship.

2 - Is it mandatory for the organization/bank to mention the name/region of third-party data processor specially if it is a non-EU state?

The bank should declare if data will be transferred outside the EU and what are the legal basis of data transfers and the destination of data. If the destination is several countries they should write to contact them to know the exact list of countries and the safeguards implemented.

3 - Can any organization mention term "we may share your data to third-party service providers" or it has to be specific by mentioning the service outsourced, name and region of the service provider? And where it has to be clarified at the time of contract or via privacy notice?Thanks and looking forward for your expert opinion"

The privacy notice is the document where all this information should be given. The controller doesn’t need to be specific if third-party processors are different (they may also change), but the data subject is allowed to contact the controller to know who are the processors.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

May 04, 2021

May 11, 2021

Suggested Topics

Guest user Created:   Mar 17, 2021 EU GDPR
Replies: 3
0 0

Need of explicit consent

Guest user Created:   May 20, 2020 EU GDPR
Replies: 2
0 0

Is customer consent needed?

Guest user Created:   Jun 29, 2018 EU GDPR
Replies: 1
0 0

Is consent needed?