With the GDPR application date approaching, entrepreneurs should verify whether the mechanisms they have used so far to collect and process data are in line with the new regulation. What changes therefore need to be made?

The work of many businesses is based on the use of data shared by customers or partners. So far, representatives of various organizations have had a fairly lighthearted approach to the question of consent to the processing of data. From 25 May 2018, all European Union Member States will be required to apply the General Data Protection Regulation (GDPR). The definition of consent in this document remains unchanged (it is precisely defined in Article 4, paragraph 11 GDPR); only the way consent is expressed and received has been modified. And this can be quite problematic. The Personal Data Administrator (PDA) is under the obligation to prove consent to the processing of personal data. The PDA must store and catalogue the documents that allow him/her to prove at all times that he/she has a legal basis for the proper processing of the data.

Not so easy to agree

The general terms and conditions which should be included in the consent to the processing of personal data are specified in Art. 7 of GDPR. This consent must be granted before the actual processing of personal data begins. It can be given in written or verbal form. Consent may be obtained electronically, e.g. when the user is browsing a website with a checkbox which she/he individually marks. Verbal agreements are also worth mentioning here. In their case, the Personal Data Administrator is obliged to prove that the consent was actually obtained in compliance with the procedures of GDPR.

Analyzing GDPR and the compliance regulations, it is possible to distinguish the characteristic features of consent. As mentioned before, it should certainly be provided by a clear affirmative action or statement made in writing or verbally. Treating the absence of an objection from the recipient as consent to the processing of data is unacceptable. Consent to the processing of personal data cannot be presumed or implied from another declaration of will, i.e. it must be submitted separately. Only a document that clearly speaks of data processing in a specific situation and at a specific time is fully legal. Consent must therefore be separated from all other declarations made by the recipient. At the same time it must be:

  • fully voluntary (free of any extortion, threats or acts of blackmail)
  • specific (specifying the exact purpose of the processing)
  • aware (the user openly communicates that he/she knows what he/she agrees to and what he/she disagrees with)
  • expressed without coercion (consent should be expressed voluntarily)

What should a data processing alert look like?

It is now common practice among Personal Data Administrators to automatically place checkboxes (marked by default) on websites. This is an illegal procedure in the light of the Regulation. It will also be prohibited to accept the following as consent: the silence of the recipient, failure to take a specific action, or the abandonment of a specific action by him/her.

The message about the processing of personal data must be formulated in a manner that is simple, concise and understandable to the average recipient. It is unacceptable to define the purpose of data processing for the data subject too generally. The consent should concern all processing activities carried out for the same purpose or purposes. If the processing serves different purposes, then consent for every single purpose is needed. In addition, you may not require consent to the processing of personal data when it is not necessary to provide the service. This raises the issue of companies requiring their clients to agree to the processing of personal data for marketing purposes under the threat of not completing a commercial transaction. This is inconsistent with GDPR and violates the right to make decisions freely.

The person transferring personal data has the right to request the Administrator to:

  • provide the address of the registered office and its full name (in the case when the PDA is a natural person, they must give their name, surname and address),
  • present the purpose, scope and consequences of data collection,
  • provide the motive and source of the collected data,
  • respect the right to permanent access to the content of the transferred data and the right to update it,
  • respect the rights arising from Art. 32, sec. 1, points 7 and 8 (e.g. the right to transfer data, to object or to be forgotten).

Will the data processing consent expressed today be valid under GDPR?

Data processing under the current rules of consent seems to be a little problematic. In the light of the new provisions, the validity of a statement of will submitted prior to GDPR, and the possibility of legalizing the processing of personal data on the basis of that consent, will be subject to an additional requirement: the person giving such consent must be informed of the possibility of withdrawing it at any time. Such information must be addressed to that person even before that statement is made.

In conclusion, the new rules do not entail revolutionary changes. The principle of consent itself remains essentially unchanged, while the principle of acquiring it has been extended.
