Obligation to provide evidence of valid consent
Posted: Mon Dec 23, 2024 4:55 am
Documentation obligation
Organizations have a documentation obligation. This means that they must be able to demonstrate with documents that they have taken the appropriate organizational and technical measures to comply with the GDPR.
Furthermore, organizations must be able to prove that they have obtained valid consent for the collection of personal data. In your contact file you must therefore record clearly, for each contact, what their privacy status is, when and in what way consent was obtained, and exactly what it was given for (where consent is the basis). It must also be just as easy for a contact to withdraw consent as it was to give it.
Reducing privacy risks
Organizations are also required to perform a privacy impact assessment (PIA) if the intended data processing entails a high privacy risk, for example the large-scale processing of sensitive data such as race, religion or health data. The PIA is an instrument to map out the privacy risks of a data processing activity in advance and then take measures to reduce those risks.
Additional rights
In addition to strengthening existing rights (described above), the GDPR gives people a number of additional rights:
The right to view, correct or delete your personal data
The right to request your personal data in an accessible format (e.g. Excel) and to transfer it to other organisations
The right to file a complaint with the Dutch Data Protection Authority about the way in which organizations handle personal data
This all sounds fairly straightforward, but it can be quite challenging for an organization. For example, completely removing a user from all of an organization's systems is often not easy to achieve. In addition, your data management process must be very flexible, because a contact can ask to be forgotten one moment and give consent for the processing of their data again not much later.
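As an added example (not code from the original post), the register below shows the minimum a contact file needs in order to serve as evidence of consent: an append-only trail of who consented to what, when and how, from which the current status is derived, plus withdrawal with the same one-call shape as granting, erasure of a contact, and re-consent after erasure. The contact id, purposes and methods are made-up sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only entry in a contact's consent trail (the evidence)."""
    contact_id: str
    purpose: str      # what consent covers, e.g. "newsletter" or "abandoned-cart"
    action: str       # "granted" or "withdrawn"
    method: str       # how it was obtained/withdrawn, e.g. "checkout-checkbox"
    at: datetime      # when (timezone-aware, stored as UTC)


class ConsentRegister:
    """Stores events, never overwrites them; status is always derived from the trail."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _record(self, contact_id: str, purpose: str, action: str,
                method: str, at: datetime) -> None:
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware to be unambiguous evidence")
        self._events.append(ConsentEvent(contact_id, purpose, action, method, at.astimezone(UTC)))

    def grant(self, contact_id: str, purpose: str, method: str, at: datetime) -> None:
        self._record(contact_id, purpose, "granted", method, at)

    def withdraw(self, contact_id: str, purpose: str, method: str, at: datetime) -> None:
        # Same shape as grant(): withdrawing must be as easy as giving consent.
        self._record(contact_id, purpose, "withdrawn", method, at)

    def status(self, contact_id: str, purpose: str,
               at: Optional[datetime] = None) -> Optional[ConsentEvent]:
        """Latest event for this contact and purpose at or before `at` (default: now)."""
        cutoff = at if at is not None else datetime.now(UTC)
        relevant = [e for e in self._events
                    if e.contact_id == contact_id and e.purpose == purpose and e.at <= cutoff]
        return max(relevant, key=lambda e: e.at, default=None)

    def has_consent(self, contact_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """True only if the most recent recorded action at that moment was a grant."""
        latest = self.status(contact_id, purpose, at)
        return latest is not None and latest.action == "granted"

    def evidence(self, contact_id: str) -> List[ConsentEvent]:
        """Chronological trail for one contact: what, when, how, granted or withdrawn."""
        return sorted((e for e in self._events if e.contact_id == contact_id), key=lambda e: e.at)

    def erase(self, contact_id: str) -> int:
        """Drop everything held about a contact; returns how many events were removed."""
        before = len(self._events)
        self._events = [e for e in self._events if e.contact_id != contact_id]
        return before - len(self._events)


def build_demo_register() -> ConsentRegister:
    """Constructed sample history for one fictional webshop contact (not real data)."""
    reg = ConsentRegister()
    reg.grant("c-1001", "abandoned-cart", "checkout-checkbox", datetime(2024, 1, 15, 10, 0, tzinfo=UTC))
    reg.grant("c-1001", "newsletter", "footer-signup-form", datetime(2024, 1, 15, 10, 1, tzinfo=UTC))
    reg.withdraw("c-1001", "abandoned-cart", "unsubscribe-link", datetime(2024, 6, 1, 9, 30, tzinfo=UTC))
    return reg


if __name__ == "__main__":
    reg = build_demo_register()
    for e in reg.evidence("c-1001"):
        print(f"{e.at.isoformat()} {e.purpose:15} {e.action:9} via {e.method}")
    print("abandoned-cart now:", reg.has_consent("c-1001", "abandoned-cart"))
    print("abandoned-cart on 2024-03-01:",
          reg.has_consent("c-1001", "abandoned-cart", datetime(2024, 3, 1, tzinfo=UTC)))
```

The point-in-time query matters because the question a regulator or a complainant asks is not "does this person consent today" but "did you have consent when you sent that mailing"; deriving status from the trail rather than storing a single mutable flag is what lets you answer it.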
What does this mean for email marketing?
I work a lot with clients in e-commerce, who use e-mail marketing (including abandoned-cart mailings) to communicate with users of their webshop. They often ask me what the above means for them in concrete terms. With the new law, you are required to comply with the following 4 points.