The Institute of Continuous Professional Training and Education (ICPTE) offers an extensive variety of Self-Paced Online and Live Online seminars created by Professional and qualified Instructors with years of experience in their field.


How to collect a valid Consent under GDPR

In 2016, the EU adopted Regulation (EU) 2016/679 (the General Data Protection Regulation, GDPR). It replaces the 1995 Data Protection Directive (Directive 95/46/EC), which was adopted at a time when the internet was in its infancy. The GDPR was declared on the 27th of April 2016, allowing for a two-year transition period for organisations to comply. The GDPR came into force on the 25th of May 2018. The GDPR is now recognised as law across the EU.

Processing of personal data shall be lawful only if and to the extent that it is based on any of the six lawful bases provided under Article 6 of the GDPR.

One of the lawful bases for an organisation (controller) to process personal data is the collection of an individual’s Consent for the processing of his or her personal data for one or more specific purposes. The crucial role of Consent is underlined by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

The requirement to obtain the Consent of data subjects, where applicable, must not be considered an ‘additional obligation’, but rather a precondition for lawful processing.

What does Consent of data subjects mean?

Consent of data subjects means any freely given, specific, informed and unambiguous indication of the data subjects’ wish by which they, by a statement or by a clear affirmative action, signify agreement to the processing of their personal data.

An organisation must offer data subjects the choice to accept or decline the terms for giving their Consent. Furthermore, the organisation must give data subjects the option to withdraw their Consent at any time.

Even if an organisation has received the Consent of data subjects, this does not mean that the organisation may process the personal data collected for any purpose other than the specific purpose for which it has collected the personal data.

Good practices to follow when collecting Consents:

✔️ The data subject ticks a box when visiting a website.
✔️ The data subject ticks a box when completing a paper form.
✔️ The data subject replies “Ok” or “Agree” by email to an email received from an organisation with the GDPR terms.
✔️ The data subject signs a “Consent Declaration” (paper form).

Practices to avoid when collecting Consents:

❌ Avoid using “pre-ticked” boxes on online forms or paper forms.
❌ Avoid treating Consent as received if a data subject has not replied to a request to agree to the GDPR terms.
❌ Avoid using opt-out actions (e.g. informing data subjects that if they do not want the organisation to process their personal data they should “tick” here).

How to collect a valid Consent under GDPR?

Three elements describe what a valid Consent should be. The Consent must be:
a) Freely given,
b) Specific, and
c) Informed.

a) A “Freely given” Consent is a Consent that was given by the data subject while having the choice NOT to provide his/her personal data, without having to suffer negative consequences. It indicates that the choice of the data subject to provide his/her personal data is real. A Consent is considered not to be “Freely given” if it is bundled up as a non-negotiable part of terms and conditions or if the data subject is unable to refuse or withdraw his or her Consent without suffering damage.

b) “Specific” means that the Consent is given for one or more specific purposes. The GDPR provides that personal data shall be collected for specified, explicit and legitimate purpose(s) and not further processed in a manner that is incompatible with those purposes. Once the personal data are collected, they must not be further processed in a way incompatible with the purpose(s) for which they have been collected. To collect a “Specific” Consent, an organisation should inform the data subjects of the specific purpose(s) for which the personal data are collected.

c) “Informed” Consent means that the organisation has provided clear information to the data subjects about the processing of their personal data. Transparency is one of the fundamental principles of GDPR. Information must be provided to data subjects before obtaining their Consent. When providing the necessary information to data subjects, an organisation should avoid using complex terms and special words or expressions that are difficult for people, irrespective of their background, to understand.

Consent withdrawal

An organisation must inform data subjects, prior to collecting their Consent, that they have the right to withdraw their Consent at any time. The withdrawal of Consent shall not affect the lawfulness of processing based on Consent before its withdrawal. Withdrawing Consent shall be as easy as giving Consent.

Receiving the Consent of a data subject is one of the six lawful bases for an organisation to process personal data. The request for Consent needs to be prominent, concise, easy to understand and separate from any other information such as general terms and conditions. Silence or inactivity by data subjects in response to the request for Consent does not mean that the data subjects Consent to the processing of their personal data. An organisation should keep evidence of Consents collected so that it is always able to demonstrate compliance with the GDPR.