New data processing consent required under GDPR?
The new EU General Data Protection Regulation (GDPR) is knocking on our door. Although the new rules are only to be followed from May 2018, due to the complexity of implementation a number of companies have started to prepare for them already. In this respect, guidelines prepared by the Article 29 Working Party or recommendations published by individual national regulators may be helpful: for instance, the British supervisory authority recently published recommendations on the consent to data processing.
As does nearly any new regulation, the General Data Protection Regulation (GDPR) contains a number of ambiguities that are waiting to be interpreted. The first major interpretation guideline was presented in December of last year by the working party under Article 29 of Directive 95/46/EC (WP29), an independent advisory body composed of representatives of national regulators.
So far, WP29 has prepared and published guidelines on the new right to data portability; however, due to the high number of comments raised within the public consultation procedure, this document will be amended in the near future. WP29 also presented guidelines on data protection officers, as the duty to appoint data protection officers is a novelty for data controllers in many member states, including the Czech Republic. Last but not least, the working party issued guidelines for identifying a lead supervisory authority, connected with the effort to implement a “one-stop-shop” system regarding supervisory authorities of individual member states in cases involving cross-border data processing.
As the regulation has a direct binding effect on all EU member states, personal data protection practices are bound to gradually be unified across the EU. Hence, Czech data controllers will have to heed not only the interpretative standpoints of the Czech Personal Data Protection Office, but also those of other European regulators. Note that the British supervisory authority recently published its recommendation on consent to personal data processing: importantly, it confirms an opinion voiced so far only very quietly, i.e., that consent will have to be obtained separately for each purpose and manner of processing – this approach has not been common practice so far. The recommendation also contains an important warning that previously obtained consent not in compliance with the GDPR’s high standards will have to be obtained again – otherwise, personal data cannot be processed. It is thus advisable to adapt any existing consents to the GDPR requirements as soon as possible, so that it will not be necessary to obtain consent from new clients again after the GDPR’s effective date. If you are interested in a consultation on the GDPR, please contact us.