We've asked the Romanian Data Protection Authority about GDPR in online processing...
In the past few months we’ve heard tons of opinions and interpretations of the new European regulation. Everyone seems to have a different view.
Some chose implicit consent, others went for the soft opt-in, whilst others spent loads of money on consent tools that don’t get the job done (mainly because they don’t reflect the law).
And since everyone is scared of penalties, we wrote to the Romanian Data Protection Authority (ANSPDCP) and asked some questions about how GDPR applies to online processing. Here's what they had to say:
"Consent should cover all processing activities carried out for the same purpose or purposes. […] When the processing has multiple purposes, consent should be given for all of them."
It seems like it’s not about cookies or cookie types, right? Be careful with all those solutions out there that manage consent per cookie: the right approach is to ask consent per processing purpose, covering all the activities corresponding to each of those purposes.
Data subject’s consent means “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
If you use tracking technologies, you might as well forget about implicit consent (also known as “by continuing to use this website you agree…”). The same goes for soft opt-in (not getting consent explicitly from your users but giving them the possibility to opt out if they don’t agree), as this means that you start processing by default and only give your users the right to object afterwards. Get valid consent before you process.
“Controllers seeking to rely upon consent as a basis for profiling will need to show that data subjects understand exactly what they are consenting to.”
So if you process your users’ data for profiling purposes you should make this clear when asking consent. You should also provide relevant and intelligible information regarding the profiling process and how your users will be affected by it.
“In all cases, data subjects should have enough relevant information about the envisaged use and consequences of the processing to ensure that any consent they provide represents an informed choice.”
Not providing enough relevant information could be perceived as an infringement of the user’s right to be informed. Also, the definition of “valid consent” implies that the user has been informed beforehand and knows what he/she is agreeing to. Not providing enough information can make your consent invalid or inappropriate. And there are huge fines for this.
“Fines up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, can be imposed if there has been an infringement of the basic principles for processing, including conditions for consent.”
Seems like not respecting the conditions for consent (including relying on invalid or inappropriate consent) could also lead to these huge fines. It’s not just Cambridge Analytica-style massive data breaches that can get you penalised. Stay safe and get yourself a true Consent Manager.
“Regarding website owners and entities that implement marketing campaigns using data collected from those websites […], the data controller is the person that, alone or jointly with others, determines the purposes and means of the processing of personal data. Therefore […], it is necessary that you establish the roles of each entity involved in the data processing”.
Again, properly informing your users is a must. For each processing flow, they should know what data is being processed, who the responsible entities are, who can access their data and for what purpose, who benefits from it and for how long, etc. Controllers, processors and other recipients/beneficiaries should all be part of the data processing trail that you describe to your users when asking for consent.
“In the case when the service provider allows third parties to access or store user information, the information […] should include the general purpose for which third parties are processing that data and the means by which the subscriber or the user can […] delete the stored information or refuse third parties’ access to that information.”
Make sure you respect your users’ rights. Give them the possibility to access and delete their personal data, as well as to block third parties from processing their data. For instance, not every consent tool can provide a full list of cookies, the ability to delete them at any time, or the ability to instantly block individual third-party applications from running on a website. We do.
“Controllers who choose to rely on consent must be able to demonstrate that the data subjects have expressed consent for the processing of their personal data.”
When you rely on explicit consent as the legal ground for your processing operations, make sure that every consent record is stored securely in a system you can retrieve it from later, because the controller must always be able to prove that a given user consented, to what, and when. Learn more about how you can store consent logs, so you are prepared for any inspection by your local authority.