Documentation of conditions of consent for relevant processing purposes

Critical
High
Normal
Low

If our organization processes personal data based on the consent of the data subject, we must ensure that the conditions for consent are met. The conditions for lawful consent are:

  • The controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data
  • The request for consent must be clearly separated from other matters in an easily comprehensible form
  • The data subject may withdraw her consent at any time and has been instructed to do so before giving her consent
  • Withdrawal of consent must be as easy as giving it

The Data Protection Officer may be responsible for assessing the conditions of consent. It is also important to consider, whether consent is generally appropriate as a legal basis for the corresponding processing.

Connected other frameworks and requirements:
7. Conditions for consent
GDPR
17. Right to erasure (‘right to be forgotten’)
GDPR
A.7.2.3: Determine when and how consent is to be obtained
ISO 27701
A.7.2.4: Obtain and record consent
ISO 27701
A.7.3.4: Providing mechanism to modify or withdraw consent
ISO 27701

Data erasure processes and the "right to be forgotten"

Critical
High
Normal
Low

In the absence of specific situations as defined in the Data Protection Regulation, but one of the following criteria is met, the data subject has the right to have his or her personal data deleted:

  • the processing is based on consent (and there is no other reason for processing) and the data subject withdraws her consent
  • the data subject objects to the processing of his or her personal data for the purposes of direct marketing or otherwise exercises his or her right of objection and there is no valid reason for such processing
  • personal data have been collected in connection with the provision of information society services

We are aware of the situations in which the "right to be forgotten" is realized in our actions. We have designed policies for these situations, which may include e.g.:

  • the ways in which the data subject may request the deletion of data
  • the means by which the identity of the sender of the request for information is verified
  • persons assisting the contact person of the databank in processing the request
  • the means by which data are securely and permanently deleted and the data subject is informed
Connected other frameworks and requirements:
17. Right to erasure (‘right to be forgotten’)
GDPR
A.7.3.6: Access, correction and/or erasure
ISO 27701
A.8.2.3: Marketing and advertising use
ISO 27701
No items found.