GDPR – consent must not be hidden in your terms

legal updates

You cannot demand or assume consent.

Read our disclaimer keyboard_arrow_down

This website content is intended as a general guide to law as it applies to the motor trade. Lawgistics has taken every effort to ensure that the contents are as accurate and up to date as at the date of first publication.

The laws and opinions expressed within this website may be varied as the law develops. As such we cannot accept liability for or the consequence of, any change of law, or official guidelines since publication or any misuse of the information provided.

The opinions in this website are based upon the experience of the authors and it must be recognised that only the courts and recognised tribunals can interpret the law with authority.

Examples given within the website are based on the experience of the authors and centre upon issues that commonly give rise to disputes. Each situation in practice will be different and may comprise several points commented upon.

If you have any doubt about the correct legal position you should seek further legal advice from Lawgistics or a suitably qualified solicitor. We cannot accept liability for your failure to take professional advice where it should reasonably be sought by a prudent person.

All characters are fictitious and should not be taken as referring to any person living or dead.

Use of this website shall be considered acceptance of the terms of the disclaimer presented above.

In a previous legal update (GDPR-you need to undertake an information audit), we discussed your data audit. If as part of that audit you have decided you want to rely on consent as your legal basis for processing personal data, are you sure you meet the high standards the GDPR sets out?

To be clear, if you are marketing to your existing customers and you have always offered them the option to opt out, then you can continue to do so under the lawful processing ground of ‘legitimate business interest’. This will only apply to existing customers and is allowed under the Privacy and Electronic Communication Regulations (PECR) – Regulation 22, known as the ‘soft opt-in’. Direct Marketing is expressly allowed under the GDPR as a legitimate business interest in Recital 47.If however, you want to rely on ‘consent’ as your ground for processing any personal data, the threshold is high.

The consent must not be hidden within your terms and conditions. It should be separate and clear.

There must be what the ICO calls a positive opt-in.

You cannot demand or assume consent. For example, you cannot say that the person consented to you sending them details of a special offer simply because they bought a car from you and they gave you their details for the invoice. Keeping the personal data on the invoice is fine as it is required for the contract and for you to fulfil your legal obligation to keep proper tax records etc but, this does not mean you can decide to use that same data for marketing purposes unless you complied with PECR Regulation 22 or have taken clear opt in consent to receiving marketing.

The ICO say consent has to be specific and granular. You have to make clear to the customer, exactly what you will do with their data. There is no one size fits all consent.

If asked, you will need to be able to prove to the ICO that you have consent and so you need to ensure your record keeping is in good order. You will need records of who consented, what exactly you told them they were consenting to, the date of consent and how the customer consented.

In addition to all the above, you must tell your customer that they can withdraw consent at any time and tell them how to do this.

In summary, if you are relying on consent (and don’t forget there are 5 other grounds you may be better off using), make sure your records are sufficient to prove to the ICO that your customer clearly understood to what they were consenting. That way, you should avoid a fine.

ECSC Group plcMore Secure

On average 55 vulnerabilities are identified daily.

What can I do?

Review your organisations priorities and ask ‘can we afford a breach?’. What do I do during an incident? Who do I involve? When do I involve the ICO?

If you’re unable to answers these questions, you need help from the experts.

Nona BowkisHead of Legal Services / SolicitorRead More by this author

Related Legal Updates

Data Protection is real and mistakes can cost your business

Most fines from the ICO are against large companies that send out unsolicited marketing messages.

Do you know what a personal data breach is?

If a security incident has taken place, you should quickly establish whether a personal data breach has occurred. If yes, promptly take steps to address it, including telling the ICO if required. You need to keep a log of any breaches, record the details, and actions taken.

Are you ready for the UK’s data landscape change?

The ramifications for not having the correct policy and procedures in place could be costly, not only by a fine from the ICO for not paying your fee, but also by being reported for data breach

Goodbye 2021, hello 2022!

Despite an excess of 100 different commission claims hitting the Lawgistics’ desks, not one single dealer has had to part with their money.

Used cars – a treasure trove of personal data and a data breach in the making

Modern cars pair with smart phones and other electronic devices via Bluetooth or USB and absorb huge amounts of our personal data.

Police ordered to disclose information

Citing the provisions of the Data Protection Act 2018.

£820 out of pocket due to a data breach

Ex-employee admitted to three offences of unlawfully obtaining personal data.

Get in touch

Complete the form to get in touch or via our details below:

Phone
01480 455500
Address

Vinpenta House
High Causeway
Whittlesey
Peterborough
PE7 1AE

By submitting this quote you agree to our Terms & Conditions and Privacy & Cookies Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.