• Consent remains one of six lawful bases to process personal data, as listed in Article 6 of the GDPR.
  • When asking for consent, a controller has the duty to assess whether it will meet all the requirements to obtain valid consent.
  • In this podcast we spoke to Victor Corral, the Innovation project Manager of ATOS about some of the technical aspects of consent and some of the challenges that the smashHit project faces.

Consent remains one of six lawful bases to process personal data, as listed in Article 6 of the GDPR. When initiating activities that involve processing of personal data, a controller must always take time to consider what would be the appropriate lawful ground for the envisaged processing. Generally, consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment. When asking for consent, a controller has the duty to assess whether it will meet all the requirements to obtain valid consent. If obtained in full compliance with the GDPR, consent is a tool that gives data subjects control over whether or not personal data concerning them will be processed. If not, the data subject’s control becomes illusory and consent will be an invalid basis for processing, rendering the processing activity unlawful. [1]

Businesses sometimes assume that the user’s silence means consent to data processing, or they hide a request for consent in long, legalistic, terms and conditions — that nobody reads.The user will need to give an affirmative consent before his/her data can be used by a business. Silence is no consent.Often businesses explain their privacy policies in lengthy and complicated terms. Privacy policies need to be written in a clear, straightforward language. Sometimes businesses collect and process personal data for different purposes than for the reason initially announced without informing the user about it. Businesses will be able to collect and process data only for a well-defined purpose. They will have to inform the user about new purposes for processing. [2]

The overall objective of smashHit is to assure trusted and secure sharing of data streams from personal and industrial platforms needed for sectorial and cross-sectorial services, by establishing a framework for automatic processing of data owner consent and automatic contracting, as well as joint privacy and security preserving mechanisms. Focusing on platforms with data streams coming from usage of (mass) products with cyber physical features (Cyber Physical Products – CPP) and combining them with data from other personal and industrial data platforms, (insurance data platforms, traffic data platforms).

The project will use several industrial and personal data platforms populated with data streaming from CPP and other sources as a reference for development of the Framework.

There is a short-term challenge for the Data Industry to look for an interoperable data-sharing framework to enforce and manage multi-platform agreements for exchanging data whilst protecting and assuring compliance with GDPR, Privacy and Security Policy, enforcement rules of individual data providers, national data privacy and protection rules and EU-legal directives and legislations surrounding personal and industrial data generation, storage and sharing.

In this podcast we spoke to Victor Corral, the Innovation project Manager of ATOS about some of the technical aspects of consent and some of the challenges that the smashHit project faces.

[1] A new era for data protection in the EU
[2] Guidelines 05/2020 on consent under Regulation 2016/679

Listen to the blog post here:

 

Get the pdf transcript

 

Businesses sometimes assume that the user’s silence means consent to data processing, or they hide a request for consent in long, legalistic, terms and conditions — that nobody reads. The user will need to give an affirmative consent before his/her data can be used by a business. Silence is no consent. Often businesses explain their privacy policies in lengthy and complicated terms. Privacy policies need to be written in a clear, straightforward language.

Silence is no consent.