For processing in the social domain, consent to process personal data is usually not required. If there is a basis for processing personal data, there is no need to ask for consent.
If your organization must seek consent to process personal data, the format of the document to be signed or through an opt-in will need to meet certain criteria.
If, as a caregiver, one needs the consent of the data subject on the grounds of breach of confidentiality, the following points may assist in formatting the document.
What should be in the consent?
- The nature of the personal data to be processed.
Eg: name, first name, e-mail address,….
Here we must adhere to data minimization which means that redundant data should not be requested.
- Data Controller.
This is the person with whom there will be communication regarding privacy rules.
- What is the purpose of the processing?
Why do we process personal data and how much personal data is it?
- Who does what personal data belong to?
There must be an enumeration of the personal data to be processed.
- Who is the recipient of personal data?
Will your organization further process this data and are there any other recipients not known to the data subject or will this data be resold?
- Technical and organizational measures.
The organization must prove what measures they have taken to prevent as much data loss, theft or leakage as possible.
- What is the retention period?
Was the legal procedure applied or will the data be retained until consent is withdrawn?
- Data subjects’ rights.
Keep in mind rights of access or rights of rectification, objection, oblivion, portability and also regarding notification to data subjects.
- Where should one go for complaints?
Describe clearly where to go for complaints and also specify the address of the national authority.
- The Consent.
Specify the personal data for which consent is sought where the data subject also certifies that the consent was given.
Take the test to know the extent to which your organization is already compliant with GDPR legislation.
So when do you ask for permission?
You can ask for the permission in several cases. The consent clause can be applied online and offline.
For example, you might ask permission to send a newsletter through a company’s website or a psychiatrist might ask permission to transfer medical records to an attending physician or you might want to post a photo of another person on social media.
As long as the permission is FREE!
The individual must have the choice of refusing consent or accepting it, and this cannot be done if;
- If an opt-out is not made available to the data subject,
- If consent is non-negotiable,
- If no separate consent is sought for other personal data to be processed,
- If the refusal is detrimental to the individual,
- If there is a bad relationship between the processing and the person involved.
Consent must be clearly informed!
The data subject must know well what he or she is giving consent for, and this can only be done if it is communicated correctly, completely and in understandable written language.
It may also be that you do not obtain the personal data to be processed directly from the data subject themselves but through a third party, you are required to communicate that information to the data subject within a reasonable time.
The permission must be specific!
The data subject, customer or patient should be aware of the purpose of the processing and if it is multiple purposes should have the ability to give consent on each item separately.
The consent must be unambiguous!
Thus, the data subject should not be fooled by clever actions of the processor and there should be no ambiguity about giving consent.
What can’t be done with consent?
- Via a website already offering checkboxes checked by default
- That one must uncheck boxes to refuse permission
- Stating that we collect Cookies without more explanation
What is the period of validity of the consent?
The period of validity of consent given depends mainly on the purpose for which the consent was given in the first place and does not really have a specific legal duration recited by law.
It is up to the data controller to check whether there is still sufficient legal basis for retaining certain personal data, and the data subject must be able to unsubscribe (opt-out) as easily as he or she has been able to register (opt-in).
