GDPR consent

alistairm

I've been reading various information on GDPR and am a little confused with implied consent, legitimate interests, needing consent, not needing consent etc. I was thinking I'm going to have to add tick boxes on all my forms but am not so sure now.

An example is that I supply a service. Let's assume I provide mortgage advice (I don't). A visitor comes to my website and wants to book a telephone consultation. There's a form where they can enter their details such as name, email and phone number. Email is for backup in case they enter the wrong phone number, like missing out a digit for example. Would I need a tick box on the form to get their consent in then calling or emailing them if this is basically what they have requested by filling the form in? Or would you only need to get consent if you were to want to offer other services etc.?

I've read a few things about storing data and that if the data isn't stored you don't need consent anyway (whether that's right or wrong I don't know), but if their booking request with their data is sent to my email address rather than a database doesn't this still count as being stored?
 
If you have a form saying "please fill out your details for a call back" when they filled out the form that would be implied consent.

If you were then going to use that info to send a newsletter then you would need explicit consent for that in the form of a tick box and you would also need to store that consent had been given to do that, against the data you have collected.

If you were also going to pass that data to a third party for processing you would need another tick box to say that they agree to that.

Your privacy statement also needs to be separate from your standard T&Cs.
 

Alan

    If you have a form saying "please fill out your details for a call back" when they filled out the form that would be implied consent.

    Close but no cigar ... it would be contract - from the ICO site "
    At a glance
    • You can rely on this lawful basis if you need to process someone’s personal data:
      • to fulfil your contractual obligations to them; or
      • because they have asked you to do something before entering into a contract (eg provide a quote).
    • The processing must be necessary. If you could reasonably do what they want without processing their personal data, this basis will not apply.
    • You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning."


      You don't need a check box, unless of course you also later want to send them marketing in addition to getting back to them. In which case the check box needs to state clearly what extra they are signing up for.

     

    Alan

    I've read a few things about storing data and that if the data isn't stored you don't need consent anyway (whether that's right or wrong I don't know), but if their booking request with their data is sent to my email address rather than a database doesn't this still count as being stored?
    Yes.

    The only situation I can think of where it doesn't apply is where they phone you, the phone call is not recorded, they give you some personal details but you don't write them down - but why would any business do that, I can't think?

    Read up on the 6 lawful ways of processing data - consent is only one way - and mainly applies to marketing - the other 5 should in the main be your 'permission' to process (store) personal data.

    https://ico.org.uk/for-organisation...-regulation-gdpr/lawful-basis-for-processing/

    For instance - the ICO deputy commissioner explicitly said on Radio 5 Live - that GP surgeries DON'T have to text their current patients asking if they still want texts for their appointments - despite this my surgery did.
     
    Close but no cigar ... it would be contract - from the ICO site "
    At a glance
    • You can rely on this lawful basis if you need to process someone’s personal data:
      • to fulfil your contractual obligations to them; or
      • because they have asked you to do something before entering into a contract (eg provide a quote).
    • The processing must be necessary. If you could reasonably do what they want without processing their personal data, this basis will not apply.
    • You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning."


      You don't need a check box, unless of course you also later want to send them marketing in addition to getting back to them. In which case the check box needs to state clearly what extra they are signing up for.
    Yes, you would have to justify that the information requested was necessary to fulfil the respondent's request. But having a field for an email address on a newsletter form asking somebody to enter their email to get a copy of your newsletter would be implied consent and would be OK under GDPR; assuming that you were not going to process it in any other way.

    Thank you for clarifying @Alan
     