It Is Not Always Necessary to Get User Consent Under the New GDPR Regulation

This article is for businesses that serve customers in the European Union. It explains why you should not always ask the customer for permission to process personal data.

In May 2018, Europe is switching to the updated rules for the processing of personal data established under the General Data Protection Regulation (GDPR).

The document concerns everyone who sells goods and services on the territory of the European Union.

Administrative fines of up to 20,000,000 EUR or 4% of annual global revenue are planned for those violating the new rules. Therefore, there is a lot of talk about GDPR. Most “advisors” often give an ostensibly universal tip: “You should always get user consent to process his personal data.”

However, is it always necessary to get the data subject’s consent to the processing of personal data? No. At least – not always.

We are used to treating user consent as the only possible basis for data processing. However, this is not true. Consent should be seen as a separate legal basis, just one of the grounds.

Processing of personal data is lawful only if it is carried out in accordance with the principles of Article 5 and based on one of the four provisions of Article 6 GDPR.

Even though the word “consent” is found 72 times throughout the GDPR text, it is just one of the grounds for processing personal data and nothing more.

It is important to determine the legal basis correctly.

Article 6.1 (GDPR) states that processing shall be lawful only if and to the extent that at least one of the following applies:

  1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. Processing is necessary for the performance of (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by David Balaban. Read the original post at:
