16.01.2018 John Warchus
Under the GDPR, consent needs to be “...freely given, specific, informed and unambiguous...” In other words, consent will only be validly given where there is a clear statement or conduct by an individual which indicates his/her acceptance of the proposed processing. Accordingly, the following will no longer be satisfactory evidence of consent:
The GDPR hammers home this message by providing further specific guidance in both the Articles and Recitals. From these, organisations must be aware that they need to:
Finally, it should also be noted that there are now new, specific rules in relation to the obtaining of consent from children. Where children are receiving some form of online service, the general presumption is that parental/guardian consent must be obtained for children under 16, although member states do have the right to reduce this age to no lower than 13 if they wish.
Action points to ensure consent to processing is validly obtained
Organisations should carry out a thorough review of the personal data they hold, so that they know what they hold and process and can confirm that any consent relied upon is legally valid. To do so, the following actions should be carried out: