Poland: New data protection regulations including consent under GDPR

Recently, Poland’s Data Protection Authority “UODO” has announced major changes in the legal basis for processing data. Therefore, consent is only the foundation for legitimate processing when there are no other legal grounds. However, if the consent is applicable, it must meet certain conditions in order to effectively constitute the basis for processing.

Only if “essential” tags are not the basis for data collection, consent can be the basis for processing personal data whilst meeting certain relevant conditions as provided by articles 4 (11) and 7 of the GDPR. 

Consent given before personal data is being processed should be explicit, specify the person giving his or her consent, show whose personal data is made available for how long and to whom, and inform about the purpose of the processing. The website owner is obliged to ensure that his activities comply with the principles governing the processing of personal data, in particular articles 5 and 7 of the GDPR.

It is crucial to remember that it is not allowed to force users to give their consent as such consent is not valid under GDPR. It should be recalled that we are dealing with forced consent when the consent clause is stated between many other points of the agreement. Forced consent also exists when a public or non-public institution performing a public task makes its activities subject to consent.

According to article 7 (3) GDPR, consent may be withdrawn at any time. The provision requires the website owner to inform the user of this right before giving his or her consent. Also, withdrawing consent must be as simple as giving it and possible in the same way.

Businesses should be particularly vigilant when it comes to their different marketing activities: While consent is not required for direct marketing, the situation changes when this form of communication is done by telephone as this is prohibited without prior consent.

It should also be noted that any model which takes advantage of the passivity, silence or carelessness of the person whose personal data is being collected or setting pre-ticked boxes is unacceptable and consent gathered in this way is considered invalid. The person giving consent has to take affirmative action, to consent to the specific processing of his or her personal data. The user has to make the decision himself and consciously make a choice. Pre-ticked boxes can be easily overseen through inattention and rush.

You want to know more about the Usercentrics CMP?

DISCLAIMER

The decision to implement a data protection-compliant CMP is ultimately at the discretion of the data protection officer and/or the legal department. These statements do not constitute legal advice. They merely serve to support and inform you about the current legal situation with respect to the implementation of a CMP solution. Please consult a qualified lawyer should you have any legal questions.