Content deleted Content added
Maksiwood 2 (talk | contribs) |
|||
Line 55:
If informed ''consent''<ref name="32016R0679"/>{{rp|Art. 4(11)}} is used as the lawful basis for processing, consent must have been explicit for data collected and each purpose data is used for.<ref name="32016R0679"/>{{rp|Art. 7}} Consent must be a specific, freely given, plainly worded, and unambiguous affirmation given by the data subject; an online form which has consent options structured as an opt-out selected by default is a violation of the GDPR, as the consent is not unambiguously affirmed by the user. In addition, multiple types of processing may not be "bundled" together into a single affirmation prompt, as this is not specific to each use of data, and the individual permissions are not freely given. (Recital 32).
Data subjects must be allowed to withdraw this consent at any time, and the process of doing so must not be harder than it was to opt in.<ref name="32016R0679"/>{{rp|Art. 7(3)}} A data controller may not refuse service to users who decline consent to processing that is not strictly necessary in order to use the service.<ref name="32016R0679"/>{{rp|Art. 8}} Consent for children, defined in the regulation as being less than 16 years old (although with the option for member states to individually make it as low as 13 years old), must be given by the child's parent or custodian, and verifiable.<ref>{{Cite web|url=https://iapp.org/resources/article/age-of-consent-in-the-gdpr-updated-mapping/|title=Age of consent in the GDPR: updated mapping|website=iapp.org|access-date=26 May 2018|archive-url=https://web.archive.org/web/20180527023437/https://iapp.org/resources/article/age-of-consent-in-the-gdpr-updated-mapping/|archive-date=27 May 2018|url-status=dead}}</ref><ref name="privacy association">[https://www.privacyassociation.org/media/presentations/A12_EU_DP_Regulation_PPT.pdf "How the Proposed EU Data Protection Regulation Is Creating a Ripple Effect Worldwide"] {{Webarchive|url=https://web.archive.org/web/20210217012511/https://iapp.org/media/presentations/A12_EU_DP_Regulation_PPT.pdf |date=17 February 2021 }}. Judy Schmitt, Florian Stahl. 11 October 2012. Retrieved 3 January 2013.</ref>
If consent to processing was already provided under the Data Protection Directive, a data controller does not have to re-obtain consent if the processing is documented and obtained in compliance with the GDPR's requirements (Recital 171).<ref name="guardian-unneeded"/><ref>{{Cite journal|last1=Kamleitner|first1=Bernadette|last2=Mitchell|first2=Vince|date=2019-10-01|title=Your Data Is My Data: A Framework for Addressing Interdependent Privacy Infringements|journal=Journal of Public Policy & Marketing|language=en|volume=38|issue=4|pages=433–450|doi=10.1177/0743915619858924|s2cid=201343307|issn=0743-9156|doi-access=free}}</ref>
| |||