Can I process personal data without the consent of the individuals concerned?
July 20, 2023 | 60,00 EUR | answered by Tobias Helbig
Dear Data Protection Lawyer,
I hope you can help me with my concern. My name is Fred König and I run a small business where we regularly process personal data of our customers. So far, we have not obtained consent from the individuals, as we assumed it was not necessary. However, I am now concerned that we may be in violation of current data protection regulations.
In our company, we store customer data such as names, addresses, phone numbers, and email addresses in an internal database. We use this information to manage our customer base and to inform them about current offers and promotions. We have not obtained explicit consent from customers to process their data.
My concern is that we may be breaching the General Data Protection Regulation (GDPR) by processing personal data without the consent of the individuals. Therefore, I would like to know if we are legally required to obtain consent from customers before processing their data. If this is necessary, what steps should we take to properly obtain consent from the individuals?
Thank you in advance for your assistance, and I look forward to hearing your assessment of my concern.
Sincerely,
Fred König
Dear Mr. King,
Thank you for your inquiry regarding the processing of personal data in your company. As a data protection lawyer, I can assist you and clarify your concerns regarding data protection laws.
First and foremost, it is important to know that the processing of personal data is generally only permissible under the General Data Protection Regulation (GDPR) if there is a legal basis for it. One of the legal bases for processing personal data is the consent of the individuals concerned under Article 6(1)(a) of the GDPR. This means that you must generally obtain the consent of your customers before processing their data.
In your case, where you store and use personal data such as names, addresses, phone numbers, and email addresses of your customers for marketing purposes, it is necessary to obtain the consent of the individuals concerned. Without such consent, you risk violating the GDPR and may be subject to significant fines.
To obtain the consent of your customers in a legally sound manner, you should ensure that it is given voluntarily, informed, specific, and unambiguous. This means that your customers must be informed about the purpose of data processing, the type of data, the duration of storage, and their rights under the GDPR. Additionally, you should ensure that consent is actively given through a clear action (e.g. checking a box) and that it can be revoked at any time.
It is advisable to publish a privacy policy on your website that transparently informs customers about data processing and provides a consent option. Furthermore, you should implement internal processes to ensure that consents are documented and can be proven.
I hope this information helps clarify your concerns regarding obtaining consent for the processing of personal data in your company. If you have any further questions or need legal assistance, I am at your disposal.
Sincerely,
Tobias Helbig, Data Protection Lawyer
