To comply with Articles 5 and 6 of the GDPR you need to have a ‘legal basis’ for the collection, storage and processing of personal data. There are some fundamental ways to demonstrate a legal basis for the collection and processing of such data:
- You have explicitly gained the consent of the data subject to hold and process their personal information. This consent must be actively given – it is not sufficient to notify them and allow them to proceed without actively ticking a box or in some other way acknowledging the request. When obtaining consent, the purpose for which the data is being collected and the way it will be processed must be explained in clear and simple terms. You must be able to provide evidence of this consent.
- You have a legitimate reason to hold and process personal information. For example, if you have provided a loan facility to someone (or they have applied for one), then you have a legal basis (sometimes called a legitimate interest) to hold contact information and details of the loan, repayments and the financial status of the individual.
- You may have a legal obligation to collect and process personal data. For example, if the person is an employee, you have a legal obligation to record and process payroll information and report details to HMRC. As you are legally bound to do this, you do not require the explicit consent of the individual.
You may have read in the press or online about the ‘right to be forgotten’. In principle, a person (a Data Subject) can withdraw their consent for you to store and process their personal details. There are exceptions to this, though, and the right to be forgotten isn’t automatic. In the example of a person who has taken out a loan, they have no right to have these details removed from a database, as the information is held in order to fulfil a contract. If they are also receiving a newsletter, however, they are entitled to withdraw their consent for this use (and you should have gained explicit, active consent for this as well). Any legal obligation will also prevent the withdrawal of consent or the deletion of personal data.
An important note on consent: if the person giving consent is under the age of sixteen, then the legal parent or guardian must provide consent on behalf of the child. This is under Article 8 of the GDPR and suggests that any statement made pertaining to consent should also include a declaration that the person is over the age of 16. Individual countries may choose to lower this age, but not below 13.