A new year, a new data protection regulation. In our series of articles about GDPR, we discuss the issues surrounding it with Peter Berg, CEO at Paloma. First, there is consent. What does this actually mean and are there any differences compared to PUL?
When does the new regulation come into force?
Answer: It comes into force on May 25 this year and replaces PUL, the Swedish Personal Data Act.
We get many questions about consent. What does consent entail in this context?
Answer: It is a way of making your personal data management legal. You are simply asking the registered person for his/her permission before you manage his/her personal data.
What is personal data?
Answer: An identified or identifiable physical (living) person. Name, images, IP, DNA, etc. In fact, all types of information directly or indirectly attributable to a living, physical person.
What is consent legally speaking?
Answer: It is a voluntary, specific, informed and unambiguous agreement on the part of the data subject that he or she accepts the processing of personal data concerning him or her, by written, including electronic, or verbal declaration.
Can you tell us what is particularly important to consider with regard to consent?
Answer: If you are uncertain, asking too many times is better than too few, and remember that it must always be clear what the data subject consents to. And if the processing serves several purposes, make sure that this is specified. The consent must be obtained from the customer for all purposes.
Is it possible to consent on behalf of someone else, for example your children, as their legal guardian?
Answer: Yes. Only in exceptional cases is the data subject allowed to consent on someone else’s behalf, for example as the legal guardian for underage children who are not able to give their legal consent.
What does unambiguous consent entail?
Answer: If you use personal data from data subjects for something they have not consented to. Imagine that you operate in different industries or product areas, for example. Here it is particularly important to know what your customers have consented to. Without consent, you are not allowed to use the e-mail addresses for customers who have signed up for a subscription to your newsletter about equestrian sports to send them information about a new golf club that you have added to your range. New consent from the customers is required here.
What are the major differences between PUL and GDPR?
Answer: Among other things, GDPR places considerably higher demands on documentation, i.e. that the data subject’s consent is documented in a manner that makes it possible to show that it exists at any given time. Moreover, pre-filled boxes are no longer valid as consent. The possibility of greater transparency for each citizen also increases. The data subject will at any time be able to obtain information about the data each respective company has registered about him/her. Every data subject has the right to have his/her data corrected as well as the right to be forgotten, i.e. erased from the company’s records.
Another difference is that fines are imposed if you breach the regulation. Can you tell us about that?
Answer: If a company breaches a legal requirement, penalties of up to EUR 20,000,000 or 4 percent of the parent company’s global worldwide turnover may be imposed on it. The Swedish Data Protection Authority will, in relation to PUL, increase its surveillance significantly.