Page 9 - TASIS GDPR FAQs
P. 9
DRAFT: TASIS GDPR FAQs
Article 8 of the GDPR imposes conditions on children’s consent, but it does not require parental consent in every case. Other lawful bases may still be available. Article 8 only applies when the controller is:
• offering information society services (ISS) directly to children; and
• wishes to rely on consent as its basis for processing.
So if an ISS is actually intended for parents to use, or if we are relying on a different lawful basis such as legitimate interests, then Article 8 won’t apply.
Do I always need consent for marketing and does it have to be opt in or can it be opt out?
No. We won’t need consent for postal marketing but we will need consent for some calls and for texts and emails under Privacy and Electronic Communications Regulations (PECR).
If we don’t need consent under PECR you can rely on legitimate interests for marketing activities, if you can show how you use people’s data is proportionate, has a minimal privacy impact and people would not be surprised or likely to object.
If you do rely upon consent it requires a positive opt-in, but we cannot use pre-ticked boxes or any other method of default consent.
What ways can we justify the processing of personal data?
There are some fundamental ways we can demonstrate a legal basis for the collection and processing of personal data:
• We have explicitly gained the consent of the data subject to hold and process their personal information. This consent must be actively given and you must be able to provide evidence of this consent.
• We have a “legitimate reason” to hold and process personal information. For example, during an application for a student to join the School parents have to provide whatever basic information is necessary to fulfil the process, i.e. names, date of birth, contact and address information.
• We may have a legal obligation to collect and process personal data. For example, for Staff and Faculty we have a legal obligation to record and process payroll information and report details to HMRC. As we are legally bound to do this, we do not require the explicit consent of the individual to do so.
• Processing is necessary to protect the “vital interests” of an individual that is effectively matters of life or death.
• Processing is necessary to comply with a UK legal obligation.
• Processing is necessary for the performance of a task carried out in the public interest.