Personal data may only be processed if there is a legal basis for the processing. The General Data Protection Regulation (GDPR) specifies a number of permissible grounds, but in practice consent is the only one that can be considered for independent work.
If it is not possible to use consent, you should raise this with your supervisor and the Data Protection Officer to see if there is another solution.
Clarify what consent means
Using consent as a basis means that the data subject gives his or her active consent to the processing. This means that you inform the data subject about:
- what data you collect.
- what they will be used for and by whom.
- how long the data will be kept.
- that it is possible to see the collected information.
- that it is possible to turn to GIH's data protection officer or the supervisory authority with a complaint.
After the data subject has received the information, they can give their consent to the processing, and the processing of the data is then permitted. If the data subject has consented to the processing, sensitive data may also be processed. Please note that handling sensitive data places high demands on security.
Retention of consent
You keep the consent yourself during the work, and it is important that you store it so that no unauthorized person can access it and so that it is not lost. The data subject has the right to withdraw their consent at any time.
Written consent is preferred
There are no formal requirements in the regulations on how consent should be given or how signatures should be designed. However, you must be able to prove that consent has been given and that the person was clearly informed of what they were consenting to. That is why written consent is a good idea.
For example, consent can be managed digitally by adding a checkbox to the web survey, or by collecting consent via email responses.
GIH has produced a text for consent management that you can use in both paper form and digitally.