GDPR Question re consent

Mitzy

I received a phone call yesterday from a company wanting me to sell tickets for a raffle they are holding for charity.
I asked them how they obtained my number & they mentioned it was from a particular company who I had never heard of.
I contacted them & they told me that I signed up for a free prize draw in January 2013 and gave consent then for my details to be passed on to third parties.

Under GDPR legislation I presumed that this was no longer permitted as I have not given further consent for them to hold my data.

Is this the case or have I misunderstood the GDPR guidelines?

dudara

If your consent was gathered appropriately in 2013, then it would still be valid under the GDPR. The question is if your consent was collected appropriately in 2013?

You can ask for evidence of your consent, or more simply, tell them that you now withdraw your consent as is your right under the GDPR.

Mitzy

Thanks for your clarification Dudara

4ensic15

You can make a Data Access request and get copies of all data they are holding on you. That should give you a copy of the original permission.

rd1izb7lvpuksx

dudara wrote: »

If your consent was gathered appropriately in 2013, then it would still be valid under the GDPR. The question is if your consent was collected appropriately in 2013?

You can ask for evidence of your consent, or more simply, tell them that you now withdraw your consent as is your right under the GDPR.

Also, if they have not sent you a marketing communication in the prior twelve months which included a way to opt-out in the previous twelve months, then the consent will no longer be valid. I'd make a complaint about one.

dudara

Damon Jolly Mullet wrote: »

Also, if they have not sent you a marketing communication in the prior twelve months which included a way to opt-out in the previous twelve months, then the consent will no longer be valid. I'd make a complaint about one.

How is that? I don’t recall hearing that one before.

kennethsmyth

dudara wrote: »

How is that? I don’t recall hearing that one before.

Yep, have dealings in that area and consent is not infinite, it needs to be as such checked and confirmed every 12 months by means of an opt out.

Additionally when collecting your consent it needs to be without influence/duress. This means shouldnt be part of a raffle eg if you give us your details and allow marketing we will put you in raffle. Its not correct to do so but nobody complains if they get into a raffle by giving details.

notharrypotter

kennethsmyth wrote: »

Yep, have dealings in that area and consent is not infinite, it needs to be as such checked and confirmed every 12 months by means of an opt out.

.

Can you link the reference please?

Seth Brundle

kennethsmyth wrote: »

Yep, have dealings in that area and consent is not infinite, it needs to be as such checked and confirmed every 12 months by means of an opt out.

Really? Where did you find this?

kennethsmyth wrote: »

Additionally when collecting your consent it needs to be without influence/duress. This means shouldnt be part of a raffle eg if you give us your details and allow marketing we will put you in raffle. Its not correct to do so but nobody complains if they get into a raffle by giving details.

Where did you get this from?
Yes, consent has to be informed and freely given, etc.
However, a company can legally run a campaign to collect potential customers who are entered into a prize draw as long as the potential customer knows that their data is being collected and processed under the various rules of the GDPR.

Riskymove

Seth Brundle wrote: »

However, a company can legally run a campaign to collect potential customers who are entered into a prize draw as long as the potential customer knows that their data is being collected and processed under the various rules of the GDPR.

I think the reference is to some companies who issued GDPR emails along the lines of

"click here to remain on our list and be entered into a draw"

Some saw this as against the spirit of GDPR

kennethsmyth

Seth Brundle wrote: »

Really? Where did you find this?

https://www.dataprotection.ie/docs/Direct-Marketing-Communications/1240.htm

Paragraph 2, yes I know this particular section relates to charities but the same applies to any marketing.

Where did you get this from?
Yes, consent has to be informed and freely given, etc.
However, a company can legally run a campaign to collect potential customers who are entered into a prize draw as long as the potential customer knows that their data is being collected and processed under the various rules of the GDPR.

Its the "freely given" aspect, if you have to allow marketing to enter draw its not freely given.

Riskymove

notharrypotter wrote: »

Can you link the reference please?

There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.

ICO guidance

You do not have to refresh every 12 months by any means.
However, any change to service should trigger a new consent

kennethsmyth

notharrypotter wrote: »

Can you link the reference please?

As above
https://www.dataprotection.ie/docs/Direct-Marketing-Communications/1240.htm

Relates to charities sms marketing but its also elsewhere

Riskymove

kennethsmyth wrote: »

As above
https://www.dataprotection.ie/docs/Direct-Marketing-Communications/1240.htm

Relates to charities sms marketing but its also elsewhere

what you have linked to pre-dates GDPR and is around specific legislation introduced here around direct marketing or "cold-calling"

Rossdarragh1

On a slight tangent to this I'm developing an app at the moment and in two minds as to whether including the following element in the app would leave me open to a legal challenge should something happen. From what I understand any child over 13 can download an app and be asked to state basic details like their name, age and e mail without the consent of their parents. As part of the app the child will then be notified by their club of soccer training and matches. This will be a one way notification, the app doesn't have the capacity for two way communication.

Currently parents have to be messaged by the club in order to notify children of training. Would a one way notification through the app solve this problem or would parents still need to be notified. It would be possible to simultaneously notify the parent through the app also if needs be. Obviously both parent and child would need to have the app downloaded for this to happen.

It's only an additional feature of the app so could easily leave it out if it didn't satisfy child protection/GDPR.

huskerdu

Rossdarragh1 wrote: »

On a slight tangent to this I'm developing an app at the moment and in two minds as to whether including the following element in the app would leave me open to a legal challenge should something happen. From what I understand any child over 13 can download an app and be asked to state basic details like their name, age and e mail without the consent of their parents. As part of the app the child will then be notified by their club of soccer training and matches. This will be a one way notification, the app doesn't have the capacity for two way communication.

Currently parents have to be messaged by the club in order to notify children of training. Would a one way notification through the app solve this problem or would parents still need to be notified. It would be possible to simultaneously notify the parent through the app also if needs be. Obviously both parent and child would need to have the app downloaded for this to happen.

It's only an additional feature of the app so could easily leave it out if it didn't satisfy child protection/GDPR.

Wouldn't be acceptable under the child protection rules in our GAA club, but different clubs/sports may have different rules.

Child protection rules in juvenile sports have many functions.
One is to protect children from being pressured / encouraged into playing matches. The only person who decides if a child is available / allowed to play a match is the parent.

U14/U15/U16 is a minefield of players being expected to play-up for different teams and mentors trying to get players to play multiple matches in one weekend. Parents are the only people who a mentor can contact, even if its only one way communication.
Also, one way communication is useless for matches as you need to know who is actually turning up.

Rossdarragh1

Thanks for the reply. All very valid points. I was thinking that the parent and child could both use the same user profile, or the child profile could be a sub profile of the parents profile, whereby the parent would receive the notification first and allow it to be passed on to the child's sub profile at the click of a button.

Re the attendance , the user can click options in order to confirm attendance. Just trying to think of ways to make the app efficient and easy to use without compromising on Child protection guidelines and GDPR.