Do you already have a website and need to adapt it to the new GDPR regulation? Consent is one of the privacy obligations provided for by the GDPR: it must be requested only in certain cases, and it must meet specific requirements to be valid. Here are the basic steps for adapting the privacy consent request to the new legislation.
When should consent be requested on a website or app?
By law, the privacy consent request must be made before personal data is collected. By personal data we mean any information that identifies a user or can lead to their identification.
On the other hand, consent should not be requested when data is collected:
- by a natural person for personal or domestic purposes only;
- exclusively for the execution of a contract (e.g. delivery address for a purchased product);
- under a legal obligation or in the public interest (e.g. request for billing data);
- to exercise a legitimate interest (e.g. defending oneself in court, some particular direct marketing activities);
- in case you want to safeguard the vital interests of the data subject or of another natural person.
The user’s freedom of choice in authorizing the processing of personal data is fundamental. This means, for example, that a user cannot be prevented from using a service because they refuse authorization for a particular processing of their data (e.g. denying access to the service because the user declined to receive the newsletter). Furthermore, it must be possible to grant and revoke consent at any time and as simply as possible.
How to behave in practice for the privacy consent request
In practice, consent to the processing of personal data must be requested for:
- purposes other than providing the site’s service (e.g. marketing purposes);
- the use of sensitive data (data relating to health, sex life, religious or political beliefs, racial or ethnic origin, trade union membership, as well as genetic data, biometric data, etc.);
- the transfer of personal data to a non-EU country or international organization in the absence of an adequacy decision and appropriate safeguards;
- an automated decision-making process (e.g. profiling);
- the communication or transfer of data to third parties (e.g. if the data must be sent to a consultant for an advertising campaign).
The owner of a website must keep track of each consent received in an electronic register, so as to be able to demonstrate when and how the user gave it. The owner must also verify that consents collected before 25 May 2018 (the date the GDPR became applicable) meet the conditions of the new regulation. If they do not, they must be collected again.
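An added example (not part of the original article) of what such an electronic register can look like: an append-only log of grants and revocations, one per purpose, that records when and how each consent was given and flags grants collected before 25 May 2018 for re-collection. Names, fields and the rule that a pre-GDPR grant does not count until re-collected are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Date from which the GDPR applied: earlier consents must be checked or re-collected.
GDPR_APPLIES_FROM = datetime(2018, 5, 25, tzinfo=timezone.utc)

@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str         # one specific purpose, e.g. "newsletter" or "profiling"
    granted: bool        # True for a grant, False for a revocation
    at: datetime         # when the user acted (UTC)
    evidence: str        # how it was given, e.g. "checkbox newsletter_optin on /signup"
    policy_version: str  # version of the privacy notice the user was shown

class ConsentRegister:
    """Append-only: events are added, never edited, so the history proves when and how."""

    def __init__(self) -> None:
        self._events = []

    def _add(self, user_id, purpose, granted, evidence, policy_version, at):
        at = at or datetime.now(timezone.utc)
        self._events.append(ConsentEvent(user_id, purpose, granted, at, evidence, policy_version))

    def grant(self, user_id, purpose, evidence, policy_version, at=None):
        self._add(user_id, purpose, True, evidence, policy_version, at)

    def revoke(self, user_id, purpose, evidence, policy_version, at=None):
        # Withdrawal is recorded like a grant, so it is provable too.
        self._add(user_id, purpose, False, evidence, policy_version, at)

    def history(self, user_id):
        return [e for e in self._events if e.user_id == user_id]

    def latest(self, user_id, purpose):
        for e in reversed(self._events):
            if e.user_id == user_id and e.purpose == purpose:
                return e
        return None

    def has_consent(self, user_id, purpose) -> bool:
        # Consent is per purpose; a pre-GDPR grant counts as not yet verified (assumption).
        e = self.latest(user_id, purpose)
        return e is not None and e.granted and e.at >= GDPR_APPLIES_FROM

    def needs_recollection(self, purpose):
        # Users whose current grant for this purpose predates the GDPR.
        users = {e.user_id for e in self._events if e.purpose == purpose}
        return sorted(u for u in users if (e := self.latest(u, purpose))
                      and e.granted and e.at < GDPR_APPLIES_FROM)
```

In a real deployment the register would be persisted to tamper-evident storage and the evidence field would reference the exact form, checkbox and notice text shown to the user.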
New features of privacy consent according to the GDPR
The new GDPR Regulation (Article 4) establishes that consent means any free, informed, specific and unequivocal indication of the user’s wishes by which the user authorizes the processing of their data. This indication must take the form of an unambiguous positive statement or action.
Features of consent:

| Feature | Meaning |
|---|---|
| Free | It must be given freely, without pressure or conditioning |
| Specific | It is not valid if given in a generic way |
| Informed | The data subject must know which data will be processed |
| Unequivocal | It must leave no uncertainty or doubt |
| Explicit | Expressed, for example, by the user filling in an electronic form |
| Verifiable | The owner must keep track of all consents |
| Revocable | It can be revoked at any time |
How to create privacy documents updated to the GDPR?
You can customize and immediately download all the documents necessary to properly inform users by simply answering a few guided questions:
- Register of personal data processing
In addition, our GDPR Websites Adjustment Consultancy allows you to adapt your site or app to all the necessary obligations provided for by the new European privacy regulation. Through a specific analysis we will show you the necessary steps to put all aspects of your site in order to comply with the GDPR and avoid penalties.