Limiting marketing and advertising use of personal data processed under a contract

The organization should ensure that personal data processed on a contractual basis is not used for marketing or advertising unless there is prior consent from the data subject.

Consent to marketing and advertising cannot be used as a condition for receiving the service.

Other connected frameworks and requirements:
A.8.2.3: Marketing and advertising use
ISO 27701

Data erasure processes and the "right to be forgotten"

Unless one of the specific situations defined in the Data Protection Regulation applies, the data subject has the right to have his or her personal data deleted when one of the following criteria is met:

  • the processing is based on consent (and there is no other reason for processing) and the data subject withdraws his or her consent
  • the data subject objects to the processing of his or her personal data for the purposes of direct marketing or otherwise exercises his or her right of objection and there is no valid reason for such processing
  • personal data have been collected in connection with the provision of information society services

We are aware of the situations in our operations in which the "right to be forgotten" applies. We have designed policies for these situations, which may include, for example:

  • the ways in which the data subject may request the deletion of data
  • the means by which the identity of the sender of the request for information is verified
  • persons assisting the contact person of the databank in processing the request
  • the means by which data are securely and permanently deleted and the data subject is informed

Other connected frameworks and requirements:
17. Right to erasure (‘right to be forgotten’)
GDPR
A.7.3.6: Access, correction and/or erasure
ISO 27701
A.8.2.3: Marketing and advertising use
ISO 27701