Amberhawk

07/03/2017

Comments

The guidance is good in places, such as emphasising that consent might not be the right legal basis, but it also contradicts the law in places and is misleading by using so many marketing examples.

Given e-privacy law applies a more specific layer of rules over GDPR, when it comes to marketing, you will only actually need opt-in consent where you cold call or cold email individuals and where you want to sell / pass on details to a third party.

You will be able to mail people using legitimate interests, contact your own customers electronically using the soft opt-in, and B2B marketing doesn't require consent. So the example of the business card in a fish bowl to win a prize is incorrect in stating that the contact details on the card can't be used for marketing. (Clearly you should be transparent re uses of the data.)

The guidance also uses marketing examples when discussing the need for explicit consent, which as we all know is only required for sensitive data (and is one ground for automated decision making as per art 22). So why use a marketing example?

I urge people to respond to the consultation not only on these points but to provide real-world examples of processing done by businesses on the basis of consent, so they can stop constantly using marketing examples!

If you allow personal data (online activity) to be passed to another data controller (e.g. by embedding third-party sub-resources which access terminal storage) in your website, you already need opt-in consent under the ePD, and there is no exception defined there for a legitimate interest basis.

All materials on this website are the copyright of Amberhawk Training Limited, except where otherwise stated. If you want to use the information on the blog, all we ask is that you do so in an attributable manner.