Now that we've covered what consent is, let's determine whether or not your company should use consent as a legal basis for data processing. There are five other legal reasons that might end up being more specific: Here are some other examples of opt-in formulations you can use in your marketing consent request: Zachary Paruch is a product manager and legal analyst at Termly, where he helps develop legal policy software for small businesses. It has been featured in HuffPost, CMS Wire, AllBusiness.com, Ecwid, Simple Programmer, Credit Karma and much, much more. Even if the opt-in action, formulation and placement of your consent request perfectly meet the requirements of the GDPR, obtaining consent is only half the battle. According to the GDPR, you should also make sure to keep a detailed record of your users' consent. Drafting a privacy policy is one of the most important legal obligations under the GDPR. To make sure it meets strict EU standards, be sure to provide the following: Deciding exactly how to set up your consent request is arguably the hardest part of complying with the consent requirements of the GDPR. Of course, you now know the definition of consent as well as the different requirements to obtain it legally, but how can you put everything into practice on your own websites and apps? Privacy notices should avoid using qualifiers such as “may”, “could”, “some”, “often”, etc., as they are intentionally vague. Writing should be in the active tense, and sentences and paragraphs should be well structured, using bullet points to highlight certain points. Avoid unnecessarily legalistic and technical terminology. In accordance with Article 12 of the GDPR, your privacy policy must be written in clear and accessible language. Therefore, you should do your best to avoid using legal terminology whenever possible.
Again, the wording is simple and clearly presents the situation for former subscribers. Users receive details about what is included in newsletters, how often they are sent and how recipients can unsubscribe. Make sure you know your legal basis (or bases) and disclose it. Here you can see the differences between writing in legal language and writing with a common voice, which is much easier to understand. The GDPR only allows you to process personal data on one of the six legal (or “lawful”) bases. You may not process any personal data unless you have found a good legal justification for doing so. Companies should assess each point at which they collect and use personal data, and then determine whether it falls under one of the legal bases for data collection and processing: ✓ They are required by law: Privacy policies are required by law when you collect or use personal data. Your privacy policy should include details of your legal bases for processing.
Under GDPR, consent requests and privacy policies can no longer be filled with legal language that only a lawyer can understand. Learn more about what legal language is and how to avoid it. There is another legal basis that is more appropriate to apply to your data processing. The email from Litmus is a great template for an email reauthorization campaign. The wording is light, friendly and direct to the point. The user is shown a clear list of what they will receive when they log in again and how they can log out at any time. If you use “consent” as the legal basis, you must provide a reference to your users' right to withdraw their consent. Here's how Sharp does it: In general, privacy policies should be actively drafted and avoid unnecessary legal and technical terminology. If your data collection practices do not meet any of the above conditions, they are not legal under the GDPR and your business will be subject to hefty fines. For the purposes of this article, we focus on consent as the legal basis for data processing. However, we will discuss the five alternatives towards the end in case you are curious.
Before delving deeper into consent, it is important to point out that Article 6 of the GDPR states that the collection and use of user data is only lawful if it meets at least one of the six legal bases. The GDPR states that you can only keep personal data for as long as the legal basis for the processing is applicable. The other 5 legal bases (legal obligation, contractual necessity, etc.) do not apply to your data processing activities. If your legal basis is “contract”, you must inform individuals of what happens if they do not provide you with the personal data you need to perform a contract. Here's how Budget does it: A privacy policy is the way for your business to show your customers that you can familiarize yourself with their personal information. It's also an opportunity to really look at how much personal data your company controls and whether your privacy practices comply with the law. As already mentioned in the first section, it is possible that consent is not the best justification for the collection and processing of your data. So, before you decide to start implementing consent request strategies for your data collection and processing practices, you should consider the other legal bases provided by the GDPR. Similarly, organisations that process data on the basis of a legal obligation to perform a public task or a vital interest should retain the data for as long as those processing activities are relevant. Privacy notices are a legal obligation under the GDPR to ensure that individuals are aware of how their personal data is being processed. As mentioned earlier, consent must be specific and informed.
This means that the opt-in formulation of your consent request or your right to form is absolutely essential. You can transmit personal data under the GDPR as long as you are transparent in this regard and have a valid legal basis. Your privacy policy should include details. Some companies associate their legal bases with the types of personal data they process and the reasons why they process personal data. Here's how Pint of Science does it: Dynamic IP addresses, for example, have been classified as personal data by the EU's highest court. This is because a dynamic IP address can theoretically be combined with other information to identify a person. Some cookies are also eligible. In the footer of each promotional email you send, add an option to unsubscribe from receiving emails. Ideally, users should also have the option to manage their email settings in their account.
It's a good idea to let users know that they should periodically review your privacy policy to stay informed of changes that aren't important and to see how their information is currently being handled. The bold words above are essential to ensure that the user's consent is legitimately obtained, but what exactly do they mean? Implied consent can exist in a relationship between a customer and a business.
