Benissanet Fruit Group


Obtain user consent when requesting personal data

Consent must be given by a clear affirmative action reflecting a free, specific, informed and unambiguous indication of the data subject's wishes and must be given for all processing activities carried out. When the processing has several purposes, consent must be given for each of them. If it is to be given following a request by electronic means, it must be clear, concise and not unnecessarily disrupt the use of the service for which it is provided.

This express consent can be implemented in a web form with checkboxes that are unchecked by default. This is vital in order to be able to demonstrate the person's will to have their personal data processed.

Pre-ticked boxes, silence and inaction of the interested party do not constitute lawful data processing, so these approaches should not be used.

The previous section mentioned specific purposes: when someone provides their data, the conditions under which it will be processed must be detailed clearly, unequivocally and transparently.

As this is express consent linked to a specific purpose, it is necessary to demonstrate that it has been collected following these precepts, and the burden of proof falls on the organization that receives and processes the data.

One way to demonstrate that authorization was given is for each registration to generate an automatic response email containing the data requested from the person, their IP address, the "I accept" confirmation, the date, the exact time and the browser used. This email must be saved as proof in case of conflict with the user.

First layer of basic information

With the requirements and principles introduced by the GDPR regarding the obligation to inform, simply referring to the privacy policy from web forms is no longer sufficient to comply with these obligations.

The Data Protection Authorities of the European Union recommend using a layered information model: a first layer, simpler and more immediate, presents basic information on data protection and refers from there to a second layer with the remaining information.

The AEPD's Guide to Compliance with the Duty to Report establishes that this first information layer must meet the following requirements:

– The information must be made available to interested parties at the time the data is requested, prior to collection or registration.

– This obligation must be fulfilled without the need for any request, and the person responsible must be able to subsequently prove that the obligation to inform has been satisfied.

– It must be clearly identified with a title such as “Basic information on data protection”.

– The data controller must ensure that this information remains “within the field of vision” of the data subject.

– Interested parties must receive a copy that includes this basic information.

Article 72 of the LOPDGDD classifies as a VERY SERIOUS INFRINGEMENT the omission of the duty to inform the affected person about the processing of their personal data in accordance with the provisions of Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR).