DRAFT: TASIS GDPR FAQs
Personal data relating to criminal convictions is not classed as sensitive data, but the GDPR does introduce extra safeguards in relation to processing it. These can be found in Article 10 of the regulation.
How does the GDPR apply to children?
The GDPR includes specific protections for children. It generally provides that the consent of children must be “explicit.” GDPR set the age of consent, in the online context, at 16. But Member states may individually set the age of consent anywhere between 13 and 16 years old – The UK has set it at 13.
Do we need to ask for consent to collect, store and process personal data from my employees and my customers?
GDPR requires us to have a legal basis for processing personal data, which could include:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Do I always need consent?
No. Consent is just one lawful basis for processing, but there are five others. Consent won’t always be the easiest or most appropriate.
Is parental consent always required when collecting or processing children’s personal data?
The GDPR contains new provisions intended to enhance the protection of children’s personal data, in particular, privacy notices and parental consent for online services offered to children.