Due to the approaching date of GDPR, entrepreneurs should verify whether the mechanisms used so far to collect and process data are in line with the new regulation. What necessary changes should therefore be made?
The work of many businesses is based on the use of data shared by customers or partners. So far, representatives of various organizations have had a fairly lighthearted approach to the question of consent to the processing of data. From 25 May 2018, all European Union Member States will be required to apply the General Data Protection Regulation (GDPR). This document contains the definition of consent, which remains unchanged (and it is precisely defined in Article 4, paragraph 11 GDPR), and only the way it is expressed and received has been modified. And this can be quite problematic. The Personal Data Administrator (PDA) is under the obligation to prove consent to the processing of personal data. PDA must store and catalogue the documents through which he/she will at all times be able to prove that he/she has a legal basis for the proper processing of the data.
Not so easy to agree
General terms and conditions which should be included in the consent to the processing of personal data are specified in art. 7 of GDPR. This consent must be granted before the actual processing of personal data begins. This can be done in written or verbal form. Consent may be obtained electronically, e.g. in a situation when the user is browsing a website with a checkbox which she/he individually marks. Verbal agreements are also worth mentioning here. When they are considered, the Personal Data Administrator is obliged to prove that the consent was actually obtained in compliance with the procedures of GDPR.
Analyzing GDPR and the compliance regulations, it is possible to distinguish its characteristic features. As mentioned before, it should certainly be provided by a clear affirmative action or statement made in writing or verbally. Situations in which no objection from the recipient is treated as consent to the processing of data are unacceptable. Consent to the processing of personal data cannot be presumed or implied from another declaration of will, i.e. it must be submitted separately. Only a document that clearly speaks of data processing in a specific situation and at a specific time is fully legal. Consent must therefore be separated from all other declarations made by the recipient. At the same time it must be:
- fully voluntary (free of any extortion, threats or acts of blackmail)
- specific (specifying the exact purpose of the processing)
- aware (the user openly communicates that he/she knows what he/she agrees to and what he/she disagrees with)
- expressed without coercion (consent should be expressed voluntarily)
How should processing of data alert look like?
It is now common practice among Personal Data Administrators to automatically place checkboxes (marked by default) on websites. This is an illegal procedure in the light of the Regulation. It will also be prohibited to accept the following as consent : the silence of the recipient, failure to take specific action or the abandonment of a specific action by him/her.
The message about the processing of personal data must be formulated in a simple, concise and understandable manner for the average recipient. It is unacceptable to define the purpose of data processing for the data subject too generally. The consent should concern all processing activities carried out for the same purpose or purposes. If the processing serves different purposes, then consent for every single purpose is needed. In addition, you may not require consent to the processing of personal data when it is not necessary to provide the service. This raises issues of companies requiring their clients to agree to the processing of personal data for marketing purposes under the pressure of not completing a commercial transaction. This is inconsistent with GDPR and violates the right to make decisions freely.
The person transferring personal rights has the right to request the Administrator to:
- provide the address of the registered office and its full name (in the case when the PDA is a natural person, they must give their name, surname and address),
- present the purpose, scope and consequences of data collection,
- provide the motive and source of the collected data,
- respect the right to permanent access to the content of the transferred data and the right to update it,
- respect the rights arising from Art. 32, sec. 1, points 7 and 8 (e.g. the right to transfer data, to object or to be forgotten).
Will the data processing consent expressed today be valid for GDPR?
Data processing under the current rules of consent seems to be a little problematic. The validity of a statement of will submitted prior to GDPR, and the possibility of legalizing the processing of personal data on the basis of the consent, in the light of the new provisions will be subject to an additional requirement: to inform the person giving such consent of the possibility of its withdrawal at any time. Such information must be addressed to that person even before that statement is made.
In conclusion, the new rules do not entail revolutionary changes. The same principle of acquiring consent remains essentially unchanged, and the principle of acquiring it has been extended.