27.04.2017

Lawful consent of data subject to data processing under Regulation (1/17/17)

The consent of a data subject – an individual such as a customer – has so far been one of the lawful grounds for data processing. With Latvia required to fully pass the General Data Protection Regulation into its national law by May 2018, companies processing personal data will have to make an effort to ensure their data processing is lawful. This includes evaluating whether data processing by consent is done in accordance with the Regulation to avoid potentially large fines and build customer trust.

 

Applicability of the Regulation
 
The requirements of the Regulation cover every entity that processes any personal data in an EU member state or the data of people residing in the EU. Personal data is taken to mean any information relating to an identified or identifiable individual. Companies should therefore review their procedures for processing customer data as well as employee data.
 
Conditions for the lawful consent of a data subject
 
Under the current Latvian rules and the new Regulation, the consent of a data subject is one of the lawful grounds for data processing. Compared to the Data Protection Directive, which forms the basis for the current Latvian rules, the new Regulation clarifies the conditions for the lawful consent of a data subject to minimise the scope for interpretation in companies across the EU.
 
The Regulation lays down the following conditions for treating consent as lawfully received and binding:
  1. Consent should be unambiguous, given for a particular purpose of data processing, and distinctly separated from other matters. The data subject should be treated as a consumer, and information about data processing should be provided in clear and simple terms.
  2. The company should be able to demonstrate that the data subject has consented to having their data processed, and so in all cases of written consent, the consent should be documented (e.g. in the form of a contract or an email). Where consent has been given electronically (e.g. by checking a box), the company should ensure that the metadata indicating this is stored on the system.
  3. Consent should be given freely. If the data subject does not agree to data processing that relies on consent, this should not affect performance of their original contract.
  4. The data subject may revoke their consent at any time. The data subject should be given the opportunity to exercise the right of revocation without hindrance.

Since the consent of a data subject may be revoked at any time, the company should evaluate whether it is able to process data on some other lawful grounds, for example, if data processing is prescribed by law or necessary for entering into or performing a contract between the data subject and the company.
 
The data processing compliance requirement
 
Although compliance with the Personal Data Protection Act has been a precondition for data processing, the new Regulation reinforces the rights and obligations of the National Data Office to supervise data protection, including a fine of up to 4% of the company's annual revenue or a ban on data processing in the event of a breach. These matters have become topical in the mass media, and so ignoring the data protection requirements may cost the company its reputation and customers.
 
Recommendations for compliant data processing
 
The first step in any company would be to identify its data processing activities, including the types of data and purposes of processing, the parties concerned (employees and third parties) and the lawful grounds, in order to evaluate more accurately whether the data processing system is compliant. Since the Regulation imposes a number of data protection requirements, we recommend seeking the advice of a certified data protection expert who can assess how data processing in your company complies with the requirements of the Regulation.

If you have any comments on this article please email them to lv_mindlink@pwc.com