Withdrawal of consent and third-party disclosure

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by Julian Silverthorne, Jan 8, 2018.

  1. Julian Silverthorne

    Julian Silverthorne UKBF Newcomer Free Member

    Morning everyone

    I'm a BA working on a GDPR project, and frantically trying to get up to speed on the fundamentals of the legislation, to understand its impact on our current business model.

    I have a question around the area of responsibility when a data subject withdraws a previously-granted consent. Scenario: a customer creates an account with my organisation and gives explicit consent during sign-up for us to share specific personal information with a third party, so that the third party may contact them to offer further services. At a later date, the customer then withdraws all consent for us to use their information.

    Is it my organisation's responsibility to contact the third-party and instruct them to remove the customer's personal information from their systems, or does the customer have to contact the third-party directly and declare the same withdrawal of consent?

    Similarly, if we have shared, with consent, personal information about one of our customers with a third-party by way of a fixed-format report, if the customer withdraws consent, does that mean that the third-party has to delete any report they hold containing the customer's personal information (or obfuscate it)?
     
    Posted: Jan 8, 2018 By: Julian Silverthorne Member since: Jan 5, 2018
    #1
  2. fisicx

    fisicx It's Major Clanger! Staff Member

    Posted: Jan 8, 2018 By: fisicx Member since: Sep 12, 2006
    #2
  3. Julian Silverthorne

    Julian Silverthorne UKBF Newcomer Free Member

    Thanks for your reply, yes, I understood that there is a requirement to disclose the details of the third-parties at the point of request for consent.

    So I am presuming then that the third-party has to provide us with the necessary evidence of compliance with the customer's withdrawal request, so that we can pass this on to our customer along with our own proof of compliance?
     
    Posted: Jan 8, 2018 By: Julian Silverthorne Member since: Jan 5, 2018
    #3
  4. fisicx

    fisicx It's Major Clanger! Staff Member

    yes

    Or better still, don't pass on the details to third parties.
     
    Posted: Jan 8, 2018 By: fisicx Member since: Sep 12, 2006
    #4
  5. Julian Silverthorne

    Julian Silverthorne UKBF Newcomer Free Member

    That's great, thank you for the clarification.
     
    Posted: Jan 8, 2018 By: Julian Silverthorne Member since: Jan 5, 2018
    #5
  6. andyrooz

    andyrooz UKBF Newcomer Free Member

    There's no such thing as a daft question, they say... here goes: I'm assuming that name and address information we pass to a courier, or Royal Mail, electronically is in scope here and, as part of our PIA, we need to be exploring the retention of these data and how we can extend consent withdrawal to them?
    Posted: Jan 8, 2018 By: andyrooz Member since: Jan 8, 2018
    #6
  7. Julian Silverthorne

    Julian Silverthorne UKBF Newcomer Free Member

    I would say yes, they are in scope. However... assuming that the information you pass on is essential for the fulfilment of an order (or similar) between you and your customer (e.g. you need the courier to deliver the goods ordered from you by your customer, so you share their name and delivery address), then this wouldn't necessarily require consent, but would be covered by the "contract" lawful basis. In other words, you wouldn't be able to fulfil the order without doing so, and any reasonable person should expect this information to be shared for this purpose. Whether or not you still have to declare the third-party interest to your customer in your privacy policy, I'm not sure.

    Unless you have a separate consent from the customer to also use their information for marketing or similar purposes, and the customer has not created an account with you (and given consent), it would be reasonable to assume that once the order has been completed, you will remove / anonymise their personal information (except where legally obliged to retain the data).
    Posted: Jan 8, 2018 By: Julian Silverthorne Member since: Jan 5, 2018
    #7
  8. Julian Silverthorne

    Julian Silverthorne UKBF Newcomer Free Member

    Another thought - if I am correct in thinking that GDPR regs apply only to B2C relations and not B2B, how do companies ensure that any information provided to third parties is used only for the purposes for which it is intended and supplied, and not for anything else? To use your example, if you pass a customer's name and address to a courier for the delivery of an order, how do you ensure that they don't send the customer unsolicited postal marketing in the future?
     
    Posted: Jan 8, 2018 By: Julian Silverthorne Member since: Jan 5, 2018
    #8
  9. Andrew Smith Corpdata

    Andrew Smith Corpdata UKBF Newcomer Free Member

    GDPR applies to B2B too.
    You "ensure that they don't send the customer unsolicited postal marketing" by having a contract with the Processor that precludes them from doing so. You have to be able to prove to the ICO / Judge that you are "in no way responsible" for a breach - if you have a contract but your processor breaks it, then you are looking a lot LESS at fault (apart from maybe inadequate due diligence in selecting that processor). Check Article 28(3) for the details of what is obliged to be covered by the contract.
    Posted: Jan 12, 2018 By: Andrew Smith Corpdata Member since: Jan 12, 2018
    #9