The main principle of GDPR is that anyone wishing to process or store the data of others requires consent from the data subject to process their information. In gathering the consent, the following must be taken into consideration:
Consent must be given freely, be specific, informed and unambiguous.
Requests for consent must be distinguishable from any other matter and presented in very clear and plain language.
Subjects can withdraw previously given consent whenever they want and the organisation needs to honour their decisions.
Children under thirteen can give consent only with permission from their parents.
Documentary evidence of consent must be kept.
When asking for consent, the data subject must be told the identity of the party that will be processing the data, what kind of data will be processed, how the data will be used and the purpose of the processing operations.
GDPR legislation describes several situations for processing the data with and without the consent of a data subject.
The data controller or processor can process personal data from a data subject if:
The specific subject has given consent to the processing of their personal data for one or more specific purposes.
Processing is deemed necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject before entering into a contract.
Processing is deemed necessary for compliance with a legal obligation to which the controller is subject.
Processing is deemed necessary to protect the vital interests of the data subject or another natural person.
Processing is deemed necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller.
Processing is deemed necessary for the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, particularly where the data subject is a child.
Personal data processing covers all the means employed to process personal data. This could take various forms such as:
You may be a data processor and a data subject at the same time and because of that, you need to respect both sides of the GDPR legislation. Each data subject has the right to privacy. This means that you have:
The right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and rights in relation to automated decision-making and profiling.
Never forget: you have the right to withdraw your consent at any time!
However, in some circumstances, the data controller or, better said, their organisation, isn't obliged to do so if:
Of course, there are several exceptions when GDPR is not applicable. It does not apply if:
The data subject is dead.
A data subject is a legal person.
The processing is done by a person acting for purposes that are outside their trade, business or profession.