If the processing of data is not covered by one of the bases for processing stated in the GDPR, a consumer needs to give consent to the use of his or her personal data. The use of the data should be linked to one or more specific purposes.
Data controllers have to be able to demonstrate that the consumer has consented to processing of his or her personal data. Consumers should also be able to withdraw their consent just as easily as it was given.
The Awesome Automobiles website (owned by MagazineMonsters), using the iWelcome CIAM platform, offers social registration and uses consent lifecycle management to ask Gustav for consent to use his Facebook data, while being transparent on the scope of use of all data items. The consents, including their timestamp, source and scope of use, are stored in the iWelcome CIAM system.
Processing of data can be fair and lawful, for instance, if the data is needed for the performance of a contract. If personal data has only been provided to perform a contract, it cannot be used for any other purpose, unless the data controller asks for specific consent for this new purpose.
The Awesome Automobiles website offers a full registration for personal data and payment details. Consent is not needed for these items, because they are necessary for the performance of the contract. In addition, the platform offers the option to enrich a profile with extra information and preferences, in this case family composition. For the use of this additional data, consent should be given.
Below the age of 16, parental consent must be given when services that require consent are offered directly to a child. European countries have some freedom to implement another age limit, as long as it’s not under 13.
The Awesome Automobiles website is aware that it needs consent from a parent of Guinevere. As Gustav is registered as ‘parent’ and Guinevere as ‘junior member of the family’, consent from Gustav will be required.
Every consumer has the right to obtain the erasure of personal data concerning him or her. This applies if the personal data is no longer necessary in relation to the purposes for which it was collected, unless the data (or part of it) has to be kept longer due to regulatory compliance.
For auditability and to trigger any additional process that may be needed, the system will notify assigned staff (DPO or administrator) of MagazineMonsters that Guinevere made use of her right to erasure. The iWelcome IDaaS platform will remove all of Guinevere’s data it holds, including any provisioned data in target applications.
Personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’).
Consumers have the right to know whether or not personal data concerning them is being processed and, where that is the case, to access the personal data and the purpose of the processing.
Consumers have the right to obtain rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, consumers have the right to have incomplete personal data completed.
The Awesome Automobiles website and app offer a ‘MyPage’ section to manage profile information. On this ‘MyPage’, Gustav can see all the personal data that MagazineMonsters has stored. He sees what the purpose of processing is (contract, consent, legal, other), can rectify any inaccurate information and can complete any missing information. The system offers a consent-API to store all additional consents from MagazineMonsters and will show Gustav those additional consents in the privacy part of his ‘MyPage’ with the possibility to withdraw the given consent(s) at any time.
Consumers have the right to receive their personal data in a structured, commonly used and machine-readable format, to transmit the data to another controller. If technically feasible, data can be transmitted directly from one controller to another on request. This is known as the ‘right to data portability’.
Carsecure’s website, also using the iWelcome IDaaS platform, has a ‘MyPage’ that offers the possibility to export personal profile information and to receive it in a machine-readable format, either in an email to the consumer or directly to another data controller (Safe4You). Any further consent lifecycle steps will be handled by the CIAM system of Safe4You.
Personal data should not be kept longer than necessary for the purposes for which the personal data is processed. Apart from processing for commercial reasons, processing for compliance with legal obligations is often necessary, which leads to longer data retention periods.
Personal data can be stored by data controllers in case of legal obligation.
Consumers have the right to receive information concerning the period for which the personal data will be stored or, if that is not possible, concerning the criteria that apply to the duration of the data retention.
Carsecure has the possibility to log and store a retention date for every collected data item. This is stored in the metadata of that specific data item. Policy-driven data management can constantly verify that metadata and act accordingly. As the metadata is directly connected to the data item in the consumer profile, it can be made visible through the ‘MyPage’ if desired for transparency purposes.
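The per-item retention metadata and policy check described above can be sketched as follows. This is an added example, not iWelcome's code or API: the `DataItem` fields, the function names and the sample profile are hypothetical, and it assumes that an erased item keeps its metadata so the erasure stays visible.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class DataItem:
    value: Optional[str]
    basis: str                          # contract | consent | legal | other
    purpose_end: date                   # date the original purpose ends
    legal_until: Optional[date] = None  # set when a legal obligation requires longer storage

    @property
    def retain_until(self) -> date:
        # A legal obligation can extend retention but never shortens it.
        if self.legal_until is None:
            return self.purpose_end
        return max(self.purpose_end, self.legal_until)


def sweep(profile: dict, today: date) -> list:
    """Erase every stored value whose retention date has passed; return the names erased."""
    erased = []
    for name, item in profile.items():
        if item.value is not None and today > item.retain_until:
            item.value = None  # assumption: metadata is kept, only the value is removed
            erased.append(name)
    return erased


def my_page_view(profile: dict) -> dict:
    """Transparency view: basis and retention date per item, without the values."""
    return {
        name: {"basis": item.basis,
               "retain_until": item.retain_until.isoformat(),
               "stored": item.value is not None}
        for name, item in profile.items()
    }


# Constructed sample profile (all values invented for this example).
SAMPLE = {
    "family_composition": DataItem("2 adults, 1 child", "consent", date(2024, 1, 31)),
    "invoice_address": DataItem("Example Street 1", "contract", date(2024, 1, 31),
                                legal_until=date(2031, 1, 31)),
    "email": DataItem("gustav@example.com", "contract", date(2026, 12, 31)),
}

if __name__ == "__main__":
    print(sweep(SAMPLE, date(2025, 6, 1)))
    print(my_page_view(SAMPLE))
```

The invoice address outlives the consent-based item with the same purpose end date because its legal retention date is later; running the sweep on a schedule is what makes the stored dates enforceable.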