AAU must always process personal data in accordance with the General Data Protection Regulation (GDPR). Consent is one of the lawful bases for processing personal data.
If consent is the lawful basis for processing, consent must always be voluntary, specific, informed and unambiguous. If the processing involves sensitive personal data, the consent must also be explicit.
Consent must be voluntary; this means that data subjects must be given a true choice. If withholding or withdrawing consent causes damage to data subjects, the consent is not considered voluntary.
Consent must be specific; this means that data subjects must be informed of which of their personal data are to be processed and by whom.
Consent must be informed; this means that data subjects must be provided with sufficient information on the processing of their personal data to be able to assess whether they wish to give their consent.
Consent must be unambiguous; this means that data subjects must give their consent through an affirmative act, such as by giving an oral or written statement.
If the processing involves sensitive personal data, the consent must be explicit. This makes the requirements for how consent is given more rigorous.
In order for consent to be valid, data subjects must be informed that their consent may be withdrawn. You must make sure that procedures are in place for the withdrawal and erasure of data.
If existing consent does not meet the new requirements of the GDPR, data subjects must give their consent again by 25 May 2018.
2.1 Formal requirements
In addition to the formal requirements for consent, the GDPR stipulates requirements for how we communicate with data subjects, and this also affects the way in which we collect consent.
As a general rule, we must ensure that our communication with data subjects is brief, transparent, simple and accessible, and we must always use clear and simple language.
2.2 Documentation requirements imposed on AAU
AAU must be able to prove that consent is collected in accordance with the above requirements.
The required documentation for consent may be ensured by saving consent forms or by technically arranging for IT systems to only be able to collect personal data after consent has been given.
3 How to use the consent form template
If you use the consent form template, the consent given will be valid in accordance with the General Data Protection Regulation, article 6(1)(a), article 7 and article 9(2)(a).
If you use the consent form template, you must always make a specific assessment of the situation. The fields concerning external recipients must be deleted if no personal data will be processed by external parties.
The yellow fields must be filled in according to the situation in question. Please note that the examples provided in the template are not exhaustive.
3.1 Fill in the yellow fields of the template
When filling in the reasons for processing the data subject’s personal data, remember to do so in a way that is clear, simple and easy to understand – the data subject must have no doubts as to why AAU will be processing their personal data.
You must include your contact details – the contact details of those who collect the consent/those who will be processing the data subject’s personal data based on the consent.
Please provide a brief description of the purposes of the processing; remember to use clear and simple language. Please note that ‘processing’ includes: collection, registration, systematisation, aggregation of data, disclosure, deletion, etc. Provide a clear and specific description, for example: ‘AAU will process your personal data for issuing your access card, and AAU will register your work address on the grounds that AAU is entitled to know who may access AAU buildings outside office hours.’
CATEGORIES OF PERSONAL DATA
Please specify which categories of personal data AAU will be processing. This applies to all personal data categories: general, confidential and sensitive personal data. Examples of personal data categories: name, address, contact details, close family and data relating to education.
Please specify the period during which the data will be processed and stored. This period must be defined by when we delete personal data. Please note that anonymisation and storage in the Danish National Archives constitute deletion. Please make yourself familiar with the rules applying to the deletion of personal data.
Provide a description of why external parties must gain access to personal data and disclose the identities of these external parties.