One of the most significant changes introduced by the new GDPR is the way consent to use customers' personal data must be obtained.
Now, the request for consent must be clear and unambiguous, and users must confirm through an action or statement that yes, they are giving their consent.
What is consent?
The Regulation defines consent in Article 4.11:
“‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Unethical or explicit practices will be prohibited, such as pre-ticked boxes on forms or overly complicated wording whose sole objective is to disorient us so that we accept any condition.
Some suggested methods are boxes that are not ticked by default on digital or paper forms, asking your clients to choose between equally prominent YES/NO options, or having them sign consent statements on paper.
Consents obtained prior to the date of GDPR implementation – 25 May 2018 – will only remain valid if they were obtained respecting the criteria set by the Regulation itself, that is, when they are unambiguous (given through a statement or a clear affirmative act) and also verifiable.
In section 32, the GDPR establishes the following about the statement or clear affirmative act:
“This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
It is therefore clear that tacit consent will not be valid as of 25 May 2018, and the controller cannot continue processing an individual's data based on this type of legitimation.
In addition, under the Spanish Law 34/2002 on Information Society Services, consent has a lifetime of 5 years, so if these data have not been processed, it will be necessary to request consent again. Under data protection rules, where the purpose is to offer services similar to the main activity or contractual relationship with the controller, consent will always be maintained until it is revoked by the party concerned.
So, in what case is it mandatory to request consent again from our existing database?
The main reason for requesting consent from your users again is that you have not saved any physical or digital evidence that shows that each of them has freely accepted being a part of your database.
In addition, although it is not mandatory, it is advisable to ask for consent again if you have never used your database to communicate with your clients or if you have not done so for a long time.
If you need help to manage the GDPR of your clients, we can help you at Pridatect. Contact us!