The EU General Data Protection Regulation will enter into force in the not too distant future, and the fourth set of guidelines on the GDPR has therefore been issued.
The Danish Data Protection Agency and the Danish Ministry of Justice recently issued their fourth set of guidelines on the GDPR. This time, the guidelines concern processing consent.
The GDPR introduces stricter rules on consent by listing several specific conditions for when consent is a valid basis for processing. In addition, additional requirements are introduced with regard to the documentation required to show that valid consent has been obtained.
The guidelines may serve as a guide for when valid consent has been obtained and what the consequences will be if consent is withdrawn. Moreover, the last part of the guidelines contains a check list which may be used to check that all conditions have been satisfied. The guidelines involve the Bill that was recently introduced in the Danish Parliament to supplement the provisions of the GDPR, which proposes among other things to allow processing of employee data based on the employee’s consent.
The guidelines are available here (in Danish).
The content of the above is not, and should not be a substitute for legal advice.
Must the Data Protection Agency be notified in case of an “internal” personal data breach?
The Data Protection Agency has expressed criticism of a municipality, inter alia, because the municipality had failed to notify a personal data breach to the Agency or communicate the breach to the affected employee.
Access to work emails? Can a request to access data be too extensive?
Under the GDPR, a data controller must provide a data subject with access to all personal data which the data controller processes about him or her, if the data subject requests it. However, the data controller may refuse to act on such a request if, for example, the scope of the request for access is excessive.