The international law firm Taylor Wessing has long focused on the implications of the EU's new General Data Protection Regulation (GDPR). Within the framework of the GDPR, the firm highlights some new obligations regarding obtaining proper consent to the processing of personal data. In this area, particular attention should be drawn to the fact that consent must be freely given, specific, informed and, above all, unambiguous. Consent forms should be written in plain, simple and clear language. Taylor Wessing Praha partner Karin Pomaizlová, an expert on the GDPR, draws attention to the key obligations arising from the regulation in this area.
Proper consent to the processing of personal data
In addition to the above, the data controller must be able to document every step of the processing of the personal data to which such consent relates. This does not mean that consent must always be in written form. However, a consent form must be distinct from other content, ideally within a separate document or, if online, a separate "window". If it appears on the web, it should not be part of any contract or of an agreement to accept general business terms and conditions. Prior to granting consent, the person concerned must be informed of the possibility to freely withdraw such consent at any time, that is, that there is no obligation to grant consent, but that, if granted, the person in question may revoke it at any time. Consent is not deemed freely given if the performance of a contract is conditional upon granting such consent. Pomaizlová adds: "The fundamental informational obligations and guidelines are basically similar to the existing legal regulations pursuant to Act No. 101/2000 Coll., On the Protection of Personal Data. However, with regard to the novelties in this area, we would like to draw attention in particular to the extension of the information requirement regarding the data subject's right to the portability of personal data and right to file a complaint with the supervisory authority."
In contrast to the earlier legal regulation, the GDPR places emphasis on the fact that consent is not required where the data are processed on another legal basis (conclusion and performance of a contract, fulfilment of legal obligations, legitimate interests of the controller, etc.). In particular, the purpose of the processing of personal data, and who the recipient of such data is, should be presented in concrete and unambiguous terms.
In order for consent to be freely given, the person concerned should be able to decide freely on the particular ways these data are processed. Therefore, consent should be structured so that the individual can decide whether or not to give consent to the provision of personal data for each particular processing. For example, an e-shop customer should be able to decide whether to give consent, for marketing purposes, to the processing only of his or her phone number, only of his or her email, or of both these contact details.
How to ensure a business has a valid consent process
Companies must assess whether their existing consent process is compliant with the GDPR. In particular, they must determine whether they actually require consent or are in fact processing personal data on another legal basis; whether consent is linked to acceptance of General Terms and Conditions; and whether the purpose of the personal data processing and the recipient of the data are sufficiently defined.
How to ensure the regular renewal of consent
This can differ greatly. It depends on established practice, on whether a company communicates with its customers by email or otherwise, and on the purpose for which it needs their consent. Certainly, it is not advisable to send emails requesting consent, since in this case (in the absence of an earlier valid consent) such an email would itself be an unsolicited commercial communication in violation of Act No. 480/2004 Coll., On Certain Information Society Services.
How to properly protect employees' personal data, whether in electronic databases or in physical form
There is no universal model. Each company must perform the evaluation itself and consult experts in cyber security and in security in general. Companies are required to secure personal data, especially against unauthorized access, alteration, destruction or copying. This means, above all, defining which circle of people has legitimate access to these data and what their respective permissions are. Digital files must at a minimum be password protected. It is also possible to keep some personal data in a database that is not connected to the Internet. The employer can, for example, technically prevent the use of USB ports to copy files. It is expected that personal data will be backed up in another location (e.g. in case of water damage or floods). Physical documents containing personal information should at a minimum be stored in locked cabinets in a locked room. Consideration may also be given to the use of fireproof safes or to the secure electronic storage of documents.
Advantages / Disadvantages of the GDPR for end users
Pomaizlová summarizes: "Clearly positive is the emphasis on freely given consent and the prohibition to condition the delivery of goods or provision of services upon the granting of consent to the processing of personal data, which is often the case today, for example in e-shops. Another interesting novelty is the right to transfer personal data. End users, i.e. data subjects, individuals, should benefit from greater respect for their privacy and personal data."