In December 2017, the Article 29 Working Party launched a set of guidelines on consent as a valid basis for processing personal data. These guidelines have now been issued in their final form
In December 2017, the Article 29 Working Party (A29 WP), which consists of members from the individual national European data protection agencies, launched a consultation on its draft guidelines regarding consent. The intention of the guidelines is to contribute to answering when consent constitutes a lawful basis for data processing pursuant to the General Data Protection Regulation.
23 January 2018 was the deadline for submitting responses to the guidelines. Now the guidelines have been issued in their final form and they are available here .
As regards consent as basis for data processing in the employment context, no changes have been made compared to the draft guidelines which the A29 WP sent out for consultation. The A29 WP still holds the opinion that using consent as a valid basis for data processing in the employment context can be problematic. With regard to Denmark, according to the draft Bill on data protection consent as a lawful basis for data processing will still apply to the same extent as hitherto. We described this in a commentary when a consultation was launched on the guidelines. Our commentary is available here (in Danish).
The content of the above is not, and should not be a substitute for legal advice.
Must the Data Protection Agency be notified in case of an “internal” personal data breach?
The Data Protection Agency has expressed criticism of a municipality, inter alia, because the municipality had failed to notify a personal data breach to the Agency or communicate the breach to the affected employee.
Access to work emails? Can a request to access data be too extensive?
Under the GDPR, a data controller must provide a data subject with access to all personal data which the data controller processes about him or her, if the data subject requests it. However, the data controller may refuse to act on such a request if, for example, the scope of the request for access is excessive.