Obtain the user's consent to request personal data
This express consent can be transferred to a web form through the implementation of check boxes that are unchecked by default, this is vital, in order to demonstrate this willingness on the part of the person to treat their personal data.
Pre-branding, silence and inactivity of the interested party do not constitute a lawful processing of data, so that these formulas should not be used.
We have talked in the previous section about specific purposes, that is to say, when someone provides their data it is necessary to detail in a clear, unequivocal and transparent way what will be the conditions of data processing.
As it is an express consent linked to a specific purpose, it is necessary to demonstrate that it has been collected following these precepts and the burden of proof falls on the organization that collects and processes this data.
An example of how we can demonstrate that we have been authorized is that each registration generates an automatic response e-mail with the data of the person requested, their IP, acceptance, date, exact time and browser used. This e-mail must be kept as a justification in case of conflict with the user.
First layer of basic information
With the requirements and principles introduced by the RGPD regarding the obligation to inform, the simple reference to the privacy policy from the web forms is no longer sufficient to comply with these obligations.
The Data Protection Authorities of the European Union recommend using a layered information model, presenting a first layer with basic information on data protection, and from this, simpler and more immediate, to a second layer with the remaining information.
The AEPD's Guide for the fulfillment of the Duty to Informestablishes that this first informative layer must meet the following requirements:
– The information must be made available to interested parties at the time the data is requested, prior to collection or registration.
– This obligation must be complied with without the need for any requirement, and the responsible party must be able to subsequently prove that the reporting obligation has been fulfilled.
– It must be clearly identified with a title such as “Basic information on data protection”.
– The person responsible for the treatment must ensure that this information remains "within the field of vision" of the interested.
– Interested parties must receive a copy of this basic information.
The LOPDGDD in its article 72 typifies as a VERY GREAT INFRACTION the omission of the duty to inform the affected party about the processing of their personal data in accordance with the provisions of articles 13 and 14 of Regulation (EU) 2016/679 (RGPD).