GDPR Articles With Commentary & EU Case Laws - Adv. Prashant Mali (bill gates book recommendations .TXT) 📗
- Author: Adv. Prashant Mali
Book online «GDPR Articles With Commentary & EU Case Laws - Adv. Prashant Mali (bill gates book recommendations .TXT) 📗». Author Adv. Prashant Mali
6(1)(d) – Necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent
Recital 46 suggests that this ground may apply to processing that is necessary for humanitarian purposes (e.g. monitoring epidemics) or in connection with
humanitarian emergencies (e.g. disaster response). The recital indicates that in cases where personal data are processed in the vital interests of a person other than the data subject, this ground for processing should be relied on only where no other legal basis is available.
6(1)(e) – Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
Article 6(3) and Recital 45 make clear this ground will apply only where the task carried out, or the authority of the controller, is laid down in Union law or Member State law to which the controller is subject.
6(1)(f) – Necessary for the purposes of legitimate interests
This ground can no longer be relied on by public authorities processing personal data in the exercise of their functions; Recitals 47-50 add more detail on what may be considered a “legitimate interest”. Member States are permitted to introduce specific provisions to provide a basis under Articles 6(1)(c) and 6(1)(e) (processing due to a legal obligation or performance of a task in the public interest or in the exercise of official authority) and for other specific processing situations (e.g. journalism and research). This is likely to result in a degree of variation across the EU.
Further processing
The GDPR also sets out the rules (at Article 6(4)) on factors a controller must take into account to assess whether a new processing purpose is compatible with the purpose for which the data were initially collected. Where such processing is not based on consent, or on Union or Member State law relating to matters specified in Article 23 (general article on restrictions relating to the protection of national security, criminal investigations etc.), the following factors should be taken into account in order to determine compatibility:
any link between the original and proposed new purposes;
the context in which data have been collected (in particular the relationship between subjects and the controller);
the nature of the data (particularly whether they are sensitive data or criminal offence data);
the possible consequences of the proposed processing; and
the existence of safeguards (including encryption or Pseudonymisation).
Art. 7 GDPR Conditions for consent
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration, which constitutes an infringement of this Regulation shall not be binding.
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Suitable Recitals
(32) Conditions for consent; (33) Consent to certain areas of scientific research; (42) Burden of proof and requirements for consent; (43) Freely given consent.
COMMENTARY:
One of the major areas of change—and the one that’s been causing email marketers the biggest headache—is the question of how to collect and store consent. GDPR raises the bar to a higher standard of consent for subscribers based in the EU, meaning that the way your brand has collected consent from EU subscribers in the past might not be compliant anymore. GDPR goes beyond the consent required under the EU Privacy Directive, which is currently in effect across the EU. The new regulation requires that brands collect affirmative consent that is “freely given, specific, informed and unambiguous” to be compliant.
Few things you must know about e-mail consent under GDPR
KEEP EVIDENCE OF CONSENT—WHO, WHEN, HOW.
GDPR not only sets the rules for how to collect consent, but also requires companies to keep a record of these consents.
Article 7 (1): “Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”
In some countries, the burden of proving consent has always been the responsibility of the company that collected the opt-in. For many other marketers, however, this requirement is a new challenge to tackle.
Keeping evidence of consent means that you must be able to provide proof of:
Who consented
When they consented
What they were told at the time of consent
How they consented (e.g., during checkout, via Facebook form, etc.)
Whether they have withdrawn consent
MAKE IT EASY FOR PEOPLE TO WITHDRAW CONSENT—AND TELL THEM HOW TO DO IT.
Article 7(3): “The data subject shall have the right to withdraw his or her consent at any time. It shall be as easy to withdraw as to give consent.”
All major email laws, including CASL in Canada and CAN-SPAM in the U.S., require brands to give their subscribers the opportunity to opt out from receiving emails. Each promotional email you send must include an option to unsubscribe. If you are already compliant with current Canadian, American, or European email laws, you may not have to change much when it comes to this requirement for GDPR compliance. Still, this is a perfect time to revisit your current opt-out process to ensure you’re following best practices:
Don’t charge a fee
Don’t require any other information beyond an email address
Don’t require subscribers to log in
Don’t ask subscribers to visit more than one page to submit their request
KEEP CONSENT REQUESTS SEPARATE FROM OTHER TERMS & CONDITIONS.
Email consent must be freely given—and that’s only the case if a person truly has a choice of whether or not they’d like to subscribe to marketing messages. If subscribing to a newsletter is required in order to download a whitepaper, for example, then that consent is not freely given. Under GDPR, email consent needs to be separate. Never bundle consent with your terms and conditions, privacy notices, or any of your services, unless email consent is necessary to complete that service.
Article 7(4): “When assessing whether consent is freely given, utmost account shall be taken of whether… the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
CONSENT REQUIRES A POSITIVE OPT-IN. DON’T USE PRE-TICKED BOXES.
For consent to be valid under GDPR, a customer must actively confirm their consent, such as ticking an unchecked opt-in box. Pre-checked boxes that use customer inaction to assume consent aren’t valid under GDPR.
CHECK YOUR CONSENT PRACTICES AND YOUR EXISTING CONSENTS.
Recital 171: “Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation.”
GDPR does not only apply to signups that happen after May 25th, it applies to all existing EU subscribers on your email list. If your existing subscribers have given you consent in a way that’s already compliant with GDPR—and if you kept record of those consents—there’s no need for you to re-collect consent from those subscribers. If your existing records don’t meet GDPR requirements, however, you have to take action.
Audit your existing email list.
Figure out who on your email list already provided GDPR-compliant consent, and ensure that you have a clear record of those consents.
Implement a re-permission program
If for any of your contacts you don’t have GDPR-proof consent—or if you are unsure about whether or not their consent is compliant—you’ll have to run a re- permission campaign to refresh that consent, or remove the subscriber from your mailing list.
Art. 8 GDPR Conditions applicable to child's consent in relation to information society services
Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
Suitable Recitals
(38) Special protection of children's personal data.
COMMENTARY:
GDPR IMPLEMENTATION IN RESPECT OF CHILDREN’S DATA
While Article 8 of the GDPR imposes specific conditions to a child’s consent in relation to the offer of information society services directly to a child, other legal processing bases are still applicable and sometimes more appropriate to the processing of children’s data.
The offer of an information society service directly to a child neither means “offered exclusively” to a child nor does it mean “made available” to a child. Rather,
it is a contextual determination that must be made through an appropriate risk- based test.
A risk-based test to determine whether an information society service is offered directly to a child should be developed within the framework of the GDPR, taking into account whether the offering is made intentionally attractive to children.
A widely recognised, effective and reliable method of parental verification, which can be applied globally should be supported by regulators and developed together with industry.
Where the holder of parental responsibility gives or authorises consent for processing a child’s personal data under Article 8, such consent should remain valid when the child attains the age of digital consent.
Organisations should have the flexibility to provide transparency and notices in the way they think is most appropriate to cater to their specific audience, taking into account that the audience may include young children.
In general, the processing of personal data of children for advertising to them is not sufficient to rate the processing as high risk and there should be no preconceived notion to the contrary.
The importance of a consistent approach to implementing national age thresholds should be emphasised by data protection authorities in line with the GDPR’s goal of harmonisation. This is particularly relevant as Member States finalise their national data protection laws implementing the GDPR.
The age at which children can exercise their rights under the GDPR (apart from consent under Article 8) turns on questions of competence, which are issues of Member State law.
Providers of information society services, which fall within the scope of Article 8, should be permitted to rely on legitimate interest for the continuation of services to children, who previously consented to processing by the service, after 25th May 2018, provided the requirements surrounding the use of the alternative legal basis are met.
Art. 9 GDPR Processing of special categories of personal data
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or
Comments (0)