(GDPR) — Do You Really Need That Explicit Consent?

Do you really need that explicit consent?

No! here’s the thing — consent is just one of the 6 lawful bases to comply with.

  1. Consent
  2. Contract
  3. Legal Obligation
  4. Vital Interests
  5. Public Task
  6. Legitimate Interests

Is Legitimate Interests a GDPR gift?

Legitimate interests are simply the benefits you may gain by processing the data; you need to keep in mind that those benefits shouldn’t override the basic rights of the data subject.

  • You need to identify a legitimate interest
  • Deduce that processing is necessary to achieve your interests
  • Balance it against a data subject’s interests, rights and freedom

Some examples of how not to do it and how to do it the right way!

Example #1 — Facebook:

Facebook has already been in the news for breaching and compromising data on several occasions and still their privacy policy is something you should strictly keep in mind to not get into trouble:

Example #2 — Google:

Okay what about the godfather, how are they being transparent about ‘their’ way of handling and processing data, let’s check it out:

Type caption (optional)

Example #3 — Twitter:

Twitter does an impressive job on this aspect, to be honest, they show a table that contains a lot of the general purposes for which they process personal data from the EU and the primary legal basis they follow.

Example #4 — Amnesty International UK

Amnesty International UK takes a very different and good approach in giving examples of the different legal bases they follow:

Type caption (optional)

On a final note:

Let’s face it.

  • If your marketing plan doesn’t use additional data analytics to do profiling, then you can get away with legitimate interests as your lawful basis for processing data under GDPR and a no consent approach or soft opt-in or opt-out procedure as your lawful basis for performing marketing under PECR/e-Privacy Regulation, provided you always give them an option to unsubscribe. Here you must make sure to send only generalised marketing campaigns.
  • If your marketing plan uses profiling, segmentation and dynamic content for re-marketing purposes, then you can still get away with legitimate interests as your lawful basis for processing data under GDPR, provided you have clearly set the expectation during the sign-up process and provide a link to a multi-layered privacy notice.
    Additionally, you will need consent to serve these cookie and ad analytical tools to be compliant under PECR/ e-Privacy Regulation.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store