GDPR Q&A: Understanding consent

Over the past year, we’ve been running a webinar series on the EU General Data Protection Regulation (GDPR). Each webinar is intended to help you better understand a particular topic, and at the end of the webinar the presenter answers your questions.

One topic that we continue to cover, and which you continue to ask about, is consent. It’s one of the trickiest parts of the Regulation to understand, so we’ve collated some of our experts’ answers here.

We will cover two more sets of FAQs in the next two weeks.

Q: How and what do we need to get consent from employees?

A: Under the GDPR, consent must be specific, informed and freely given. Generally speaking, consent in an employment context is not considered freely given due to the imbalance of power between the employer and employee.

This means that employers need to seek an alternate legal ground to process employee data. The most appropriate grounds will usually be contractual necessity, a legal obligation, or the legitimate interests of the employer.

Q: Will the legitimate interests condition allow companies to continue processing soft opt-in data collected pre-GDPR without having to reconfirm consent?

A: Yes. If the data was collected before 25 May 2018, the organisation needs to have a lawful basis for processing it. This could be a different basis from the one it was originally collected for.

Q: Will we be required to change current employees’ contracts?

A: Where you’re processing personal data of employees, you will need to provide them with more detailed information as to the purposes and means of this processing, and it must be explained in clear and intelligible terms. This will most likely need to be included in all relevant employment contracts in order to demonstrate compliance, but you should confirm this with your legal advisors.

Q: Will consent questions be necessary on website contact forms where a person/company is simply requesting further info or a call back?

A: If you’re asking for personal data for any reason, you need to get consent.

Q: Is it acceptable to have a checkbox that says “may we contact you in the future for other items you might be interested in”?

A: This is probably okay, but, as with all such issues, you should obtain and follow the specific advice of legal advisors.

Q: Do existing ‘contractual rights’ still override the GDPR rules? For example, if a customer consented to us having their data for the purpose we requested and then attempted to use the new legislation to remove this, could we hold them to the original agreement?

A: There are two aspects to this answer. First, if you’re only using the data for the purposes that you collected it, and you are compliant with all other aspects of the legislation, then the processing will be lawful under the GDPR.

Secondly, it is important to remember that consent can always be withdrawn – and the Regulation mandates that consent must be as easy to withdraw as it is to give. If the customer no longer consents to you using the data for the purposes you collected it, then you must respect the customer’s wishes. This applies unless you can prove that the processing is based on compelling legitimate grounds that override the interests, rights and freedoms of the individual, or if the processing is for the establishment, exercise or defence of legal claims.

Q: What is the difference between principles 1 and 2 of the GDPR?

A: The first principle means that you must have appropriate legal grounds for processing the data and that you do it in a transparent manner. The second principle says that you must only collect data for a specific purpose and use it only for that purpose.

Watch our webinars to find out more

For more information about obtaining consent under the GDPR, you should take a look at our webinar series. Some of the most appropriate webinars to get started with are: