Wednesday, 7 February 2018

Judicial Remedies under the GDPR and other Data Protection Legislation

Jane Lambert

A lot of attention has focused on the massive increase in the Information Commissioner's and other supervisory authorities' power to fine under art 83 (4) and (5) of the GDPR but she acquires no new powers to compensate.  If a data subject requires compensation from a data controller or processor under art 82 (1) or some other judicial remedy pursuant to art 79, he or she will have to sue.

The Data Protection Bill, which has now completed its passage through the Lords and is now awaiting its second reading in the House of Commons, makes provision for that judicial remedy.  The courts of the United Kingdom are to have the power to make compliance orders under clause 165 and award compensation under clause 166 and clause 167.

Clause 165 (2) defines a compliance order as
"an order for the purposes of securing compliance with the data protection legislation which requires the controller in respect of the processing, or a processor acting on behalf of that controller—
(a) to take steps specified in the order, or
(b) to refrain from taking steps specified in the order."
This would seem to include an order by the court to a data controller to comply with a subject access request under clause 94 (11), an order not to process personal data under clause 99 (5) and rectification and erasure under clause 100 (4). Though there is no specific provision in the Bill for the court to restrain the transfer of personal data abroad under clause 109 (1) or to order a controller to take steps to implement the data protection principles or minimize the risks to the rights and freedoms of data subjects under clause 103 (2) there seems to be no reason why it should not do so.

As I mentioned in Claims by Data Subjects against Data Controllers and Processors under the GDPR 5 Jan 2018, the provisions relating to subject access, rectification and erasure stipulate that the High Court of England and Wales has exclusive jurisdiction to make such orders. However, there seems to be a contradiction in that clause 177 (1) and (2) seems to suggest that compliance orders as well as compensation may be awarded by the County Court as well as the High Court.

Clause 166 (1) provides for compensation for material or non-material damage including distress under art 82 GDPR for contravention of that regulation and clause 167 (1)  for compensation for material or non-material damage including distress under any other data protection legislation.

In future articles I shall discuss pleading claims  for judicial remedies for alleged breaches of the GDPR and other legislation and possible defences.  Anyone wishing to discuss this article should call me on 020 7404 5252 during office hours or send me a message through my contact form.

Sunday, 14 January 2018

Information Commissioner fines The Carphone Warehouse £400,000 for breaching the Seventh Data Protection Principle

Jane Lambert

In GDPR - Fines 7 Dec 2017 I outlined the Information Commissioner's existing powers under s.55A of the Data Protection Act 1998 and The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 to impose monetary penalties on data controllers who contravene s.4 (4) of the Act. As I noted in that article, the maximum penalty that the Commissioner can impose is limited to £500,000 by reg 2 of those Regulations.

By a monetary penalty notice dated 8 Jan 2018 the Information Commissioner fined the Carphone Warehouse £400,000 (80% of the maximum under reg 2) for failing to prevent unauthorized access to the personal data of over 3 million of its customers and some 1,000 of its employees. 

Paragraph 7 of Sched. 1 of the Act provides:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
Paragraphs 9 to 12 of the schedule add:
"The seventh principle
9. Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—
(a)   the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b)   the nature of the data to be protected.
10. The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.
11. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—
(a)   choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and
(b)   take reasonable steps to ensure compliance with those measures.
12. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—
(a) the processing is carried out under a contract—
(i)      which is made or evidenced in writing, and
(ii)     under which the data processor is to act only on instructions from the data controller, and
(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle."
Based on evidence that had been submitted by the Carphone Warehouse which included reports by forensic specialists, the Commissioner found at paragraph 22 that the data controller had contravened the above data protection principle in 11 respects ranging from the use of out of date software to inadequate vulnerability scanning.  Having regard to the state of technological development, the cost of implementing any measures, the nature of the relevant personal data and the harm that might ensue from its misuse, the Commissioner's held was that there were multiple inadequacies in Carphone Warehouse's technical and organisational measures for ensuring the security of personal data on the System.

The Commissioner concluded that the requirements of s.55A (1) had been met. After considering both aggravating and mitigating factors she fixed the penalty at £400,000 to be paid by the 8 Feb 2018.  She offered the data controller a 20% discount if it pays the fine in full by 7 Feb 2018 and does not appeal. If it exercises its right of appeal it will forego the £80,000 discount. That leaves a very difficult decision for The Carphone Warehouse and its lawyers. If the company accepts the Commissioner's finding it risks claims for compensation in the civil courts by any one or more of its 3 million customers and 1,000 employees. On the other hand it will not be easy to appeal and the costs could well exceed £320,000.

Should anyone wish to discuss this note or data protection generally, he or she should call me on 020 7404 5252 during normal business hours or send me a message through my contact form.

Friday, 12 January 2018

Two Talks on GDPR on 24 Jan 2018 that are particularly worth attending

Jane Lambert

The BCS Law Specialist Group is one of a number of specialist groups within the British Computer Society. There are over 50 of them covering everything from advanced programming to software testing. You can find a list on the Specialist Groups page of the British Computer Society website. You can attend some meetings of some of those groups evers two talks on that subject which in my view are well worth attending if you live in or near, or happen to be in, London on 24 Jan 2018. On that day  Dr Sally Leivesley PhD Lond., MSPD, BA(Hons) Qld., FICPEM, FRSA, MACE, MIABTI, MRSES will talk about GDPR and Cryptography - Catastrophic Risk Principles between 18:30 and 19:15 and Ms Chiara Rustici will lead the BCS Specialist Group's second GDPR workshop between 19:30 and 20:45. Further details of both talks are available on the event web page.

Admission to both talks costs £10 for BCS members and £15 for everybody else which is very reasonable considering the eye-watering fees charged by some seminar organizers and commercial consultancies for a good deal less. The talks take place on the 1st floor of the Davidson Building at 5 Southampton Street, London, WC2E 7HA.

Friday, 5 January 2018

Claims by Data Subjects against Data Controllers and Processors under the GDPR

Royal Courts of Justice
Author Rafa Esteve
Licence Creative Commons Attribution Share Alike 4.0 International
Source Wikipedia

Jane Lambert

In my article How the GDPR works 3 Dec 2017 I wrote that the General Data Protection Regulation ("GDPR") establishes a set of principles for processing personal data (data by which living human beings can be identified) and machinery for monitoring and enforcing compliance.  I added that "that machinery takes the form of rights for data subjects (the individuals who can be identified from the data) and obligations upon data controllers (those who control the processing of personal data) and processors (those who carry out the processing) to take reasonable steps to minimize the risk or effect of non-compliance."

Previous legislation required EU member states to establish supervisory authorities to regulate the processing of personal data in their respective territories and the supervisory authority for the United Kingdom is the Information Commissioner in Wilmslow near Manchester.  If a data subject believes that his or her rights under the GDPR have been infringed, he or she will be able to complain to the Information Commissioner or the supervisory authority of some other member state or sue the data controller or processor in the courts of the United Kingdom or some other member state.

This article considers the circumstances in which a data subject might wish to bring an action against a data controller or processor in the courts of England and Wales and how he or she might do so.

What is the GDPR?

In my Introduction to the GDPR 2 Dec 2017 I wrote that "the initials GDPR stand for the words “General Data Protection Regulation” which is "the short title for a law officially known as Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC." I added:
"The GDPR is thus a law to protect the interests of living individuals throughout the EU with regard to the processing of data by which they may be identified while safeguarding the free flow of information throughout the EU. It will come into being with equal effect in every member state without further intervention of the governments of those states."
It will come into force on 25 May 2018 and remain for as long as the United Kingdom remains in the European Union. However, many of its provisions will be preserved in a new Data Protection Bill which is now proceeding through Parliament (see my article Introduction to the Data Protection Bill  16 Sept 2017).

Right of Action

Art 79 (1) of the GDPR provides:
"Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation."
Such a right of action is not new.  EU member states are already required to provide a judicial remedy for any breach of the rights guaranteed by the national law applicable to the processing in question under art 22 of the Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data). In the United Kingdom, the judicial remedy mentioned in art 22 is implemented by s.15 (1) of the Data Protection Act 1998.

In what Circumstances could a Data Subject sue?

A data subject might wish to go to law to seek compensation under art 82 (1) of the GDPR for any material or non-material damage that he or she may have suffered as a result of an infringement of the regulation or for an order for the rectification or erasure of data, the restriction of data processing or any other relief that can only be granted by a court.

In which Court?

Art 79 (2) of the CDPR allow proceedings for compensation or other remedy to be brought in any member state in which the controller or processor.  Alternatively, they may be brought before the courts of the member state where the data subject has his or her habitual residence unless the controller or processor is a public authority of a member state acting in the exercise of its public powers. In that case the authority must be sued in the member state where it is located.  Clause 92 (13) of the Data Protection Bill provides that the jurisdiction to compel subject access requests may be exercised by the High Court in England and Wales, the High of Northern Ireland or the Court of Session in Scotland. Similarly, those courts have jurisdiction to hear objections to process under clause 97 (7) and to make orders for the rectification or erasure of personal data under clause 98 (6).  There is no equivalent provision for compliance orders under clause 158 or compensation under clause 159. By contrast, s.15 (1) of the Data Protection Act 1998 provides that claims under the Act may be brought before the High Court or the County Court in England and Wales or the Court of Session or a sheriff's court in Scotland.

How to bring Proceedings under the GDPR

It would appear that a claimant must prove:
  • the existence of a right under the GDPR;
  • an actual or threatened infringement of that right; and
  • damage resulting from the infringement.
The right may be express such as those that arise under Chapter III of the regulation or implied such as the right to object to the transfer of personal data abroad without the safeguards provided by Chapter V. The damage may be material or non-material and it must have resulted or be likely to result from an infringement of the data subject's right. A controller or processor has a complete defence under art 82 (3) of the GDPR if he or she can prove that he or she is not in any way responsible for the event giving rise to the damage.

Liability of Processors

One of the changes brought about by the GDPR is that processors can be sued for damage caused by non-compliance with the regulation or acts outside or contrary to the lawful instructions of the controller. This change is probably more apparent than real because processors that have failed to comply with relevant data protection legislation can usually be joined as Part 20 defendants either for breach of express or implied terms of their service level agreements or a common law duty of care.


In the absence of a pre-action protocol for data protection complaints, data subjects, controllers and processors will be expected to comply with paragraph 6 of the Practice Direction - Pre-action Conduct and Protocols. Wherever possible, disputes should be settled through direct negotiations, arbitration, mediation or some other form of alternative dispute resolution. Those that cannot be resolved through negotiation or ADR may be brought in either the Queen's Bench Division or the Chancery Division. Claims for compensation are more likely to be brought in the Queen's Bench Division whereas those for compliance orders are more likely in the Chancery Division

Alternative Dispute Resolution

Parties seeking the appointment of a neutral to resolve a dispute under the GDPR or other data protection legislation may wish to consider one of the arbitrators or mediators of 4-5 Gray's Inn Square as James Bridgeman SC, the Hon Louis Harms, Caroline Kenny QC, Anthony Connerty, several other members of chambers and I have relevant knowledge and experience.

Further Information

Anyone wishing to discuss this article, the GDPR or data protection in general is invited to call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.

Monday, 11 December 2017

Morrisons - Primary and Vicarious Liability for Breaches of Data Protection Act 1998

Morrisons' head office in Bradford
Author Michael Ely

Jane Lambert

Queen's Bench Division (Mr Justice Langstaff)  Various Claimants v Wm Morrisons Supermarkets Plc (Rev 1) [2017] EWHC 3113 (QB) (1 Dec 2017)

On 12 Jan 2014 a disgruntled member of the staff pf Wm Morrison Supermarkets plc posted a file containing the personal details of nearly 100,000 of the company's employees on a file sharing website. The information included names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and salaries. The person responsible was caught, prosecuted and sentenced to 8 years imprisonment.

Some 5,518 of those employees have brought an action for damages against the company for breach of statutory duty under s.4 (4) of the Data Protection Act 1998, breach of confidence and misuse of personal information. The action was split into two: first a trial on liability and, if necessary, an assessment of damages.

The trial on liability came on before Mr Justice Langstaff who decided that Morrisons was not  primarily liable for breaches of statutory duty, breach of confidence or misuse of personal information it was vicariously liable for the wrongdoing of its employee. The judge was troubled by his decision because it assisted the wrongdoer to accomplish his ends which was to injure his employer but the claimants had suffered and were entitled to be compensated. I shall analyse his judgment in a longer case note in NIPC Law.

It is likely that a similar conclusions have been reached under the General Data Protection Regulation. Art 5 (1) of the GDPR requires the controller to be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data just as s.4 (4) requires a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller. The definition of data controller under the GDPR is broadly the same as in the Act and Directive 95/46/EC. Art 82 (1) of the GDPR entitles any person who has suffered material or non-material damage as a result of an infringement of the regulation to receive compensation from the controller or processor for the damage suffered. Nothing in the GDPR would affect our rules on vicarious liability.

Anyone who wishes to discuss this article or data protection in general should call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.

Thursday, 7 December 2017

GDPR - Fines

Jane Lambert

This is the last of my articles on the GDPR for the time being. I have decided to discuss fines because it is one of the topics that has received most publicity recently.  The prospect of eye-watering fines has been used by some to raise awareness of data protection and to encourage good practices which must be good but it has also been used more cynically to boost sales of systems and services that may or may not be needed which is not so good.

Art 24 of the Data Protective Directive required member states to "adopt suitable measures to ensure the full implementation of the provisions" of the directive and, in particular, to lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to the directive. However, it left it to the authorities in the member states to lay down what those sanctions should be. In the UK, the Information Commissioner has power to impose monetary penalties under s.55A of the Data Protection Act 1998.  S.55A (1) provides:
"The Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that—
(a) there has been a serious contravention of section 4 (4) by the data controller,
(b) the contravention was of a kind likely to cause substantial damage or substantial distress, and
(c) subsection (2) or (3) applies."
S.55A (2) applies if the contravention was deliberate and s.55A (3) if the data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention. S.55A (5) limits the amount of the monetary penalty to "the prescribed amount" which is set at £500,000 by reg 2 of The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (SI 2010 No 31). The Commissioner has given some guidance about the issue of monetary penalties prepared and issued under section 55C (1) of the Data Protection Act 1998. The Information Commissioner will continue to have the power to impose fines under art 58 (2) (i) of the GDPR in accordance with guidelines to be drawn up by the European Data Protection Board (a body consisting of representatives of the EU and national data protection supervising authorities) pursuant to art 70 (1) (k).

The Information Commissioner's power to fine will increase greatly as a result of art 83 of the GDPR. She will have power to impose administrative fines up to €20 million or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher in the circumstances prescribed in art 83 (5). However, any fine that she does impose under that provision must be effective, proportionate and dissuasive. Paragraph (148) of the recitals provides the following guidance as to how the power to fine should be exercised:
"In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process."
Paragraph (150) provides the following additional guidance
"In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation."
The representatives of the national data protection supervising authorities who will constitute the European Data Protection Board after 25 May 2018 adopted Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 on 3 Oct 2017 which can be downloaded from What's New section of the Information Commissioner's website.

Art 85 (2) provides that administrative fines shall be imposed in addition to, or instead of, the other sanctions that are available to the Information Commissioner under art 58 (2). When deciding whether or not to impose an administrative fine and, if so, the amount due regard must be given to the following considerations:
"(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement."
In other words, only the most egregious infringements are likely to attract the heaviest fines. Art 85 (4) limits the fine for certain infringements such as failure to obtain the appropriate consent in relation to a child to €10 million or 2% of turnover. In the case of all others, the maximum penalty is €20 million or 4%,

It is important to note that art 83 (8) GDPR subjects the exercise by the Information Commissioner of her powers to "appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process." In other words, the Commissioner will have to follow due process when imposing a fine and there will be a right of appeal against her decisions probably to the General Regulatory Chamber and from there to the civil courts. Also, for so long as the UK remains in the European Union points of EU law can be referred to the Court of Justice of the European Union,

Should anyone wish to discuss this article, fines, the GDPR or data protection generally he or she should call me on 020 7404 5252 or send me a message through my contact form.

Further Reading

Author and Title
1 Dec 2017
NIPC Data Protection
11 Aug 2017
NIPC Data Protection

Tuesday, 5 December 2017

GDPR - Lawfulness of Processing and Consent

Jane Lambert

Yesterday I gave a talk on the GDPR to some 132 local authority personnel. The audience included the chief executive, heads of service, in-house legal advisers and managers and officials of all the council's departments. There were so many that the council chamber was the only room big enough to hold us all.  Some knew a lot about data protection in general and the GDPR in particular. Others wanted some basic information and it was for them that I wrote my Introduction to the GDPR and How the GDPR works.

"You've got them for two hours" said the head of legal before the talk, "tell them a few jokes to stop them falling asleep." As all my clean jokes are about Yorkshire and Yorkshire folk, I thought about telling them how the first Yorkshire pudding was made which, incidentally, was once made into a lovely dance by Jonathan Watkins for Northern Ballet (see  Sapphire 15 March 2015 Terpsichore).  However, we never got that far as the audience turned out to be quite lively and talkative.  What they wanted to talk about most was the legality of processing and consent.

To recap, I wrote on Sunday in How the GDPR works that there are 6 GDPR principles (or 7 if you include "accountability") that are set out in art 5 of the regulation.  The first of these is the "lawfulness, fairness and transparency" principle which is as follows:
"Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);"
 Art 6 (1) sets out the circumstances in which data can be lawfully processed:
"Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b)  processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks."
The audience knew that processing could be justified by "consent" but did such consent have to be in writing and was it necessary to ask members of the public who had already given their consent for a particular purpose (say a mailing list for a newsletter about tourist attractions) for their consent again just to comply with the GDPR?

Well, paragraph (32) of the recitals assists here:
"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."
So consent does not have to be written and signed but, if it is given orally. it does need to be recorded because art 7 (1) requires data controllers to be able to demonstrate that the data subject has consented to processing of his or her personal data. In answer to the other question, there is nothing in the GDPR that requires data controllers to mither their data subjects for confirmation of consent that they have already given for a specific purpose so long as the consent that they already have is genuine, informed and freely given.

A few other points to remember: -

  • Art 6 (1) (a) requires consent to be given for one or more specific purposes. Data subjects must know exactly and precisely what they are consenting to.
  • If a data subject's consent is given in the context of a written declaration which also concerns other matters, art 7 (2) requires any request for such consent to be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
  • Art 7 (4) provides that "utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract" when assessing whether consent is freely given.
Readers should also remember that other rules in relation to consent apply in relation to children and young people and particularly sensitive categories of data which I shall discuss in future articles. In the meantime, if you have any questions in relation to consent, lawful processing, the GDPR or data protection generally, call me on 020 7404 5252 during office hours or send me a message through my contact form.

Further Reading

Author and Title
1 Dec 2017
NIPC Data Protection
11 Aug 2017
NIPC Data Protection