Globalization Specialist for Korean Startups

5 GDPR Consent rules you need to follow


1. CONSENT REQUIRES A POSITIVE OPT-IN.

Recital 32:
“Silence, pre-ticked boxes or inactivity should not constitute consent.”

2. EASY CONSENT WITHDRAWAL IS REQUIRED

Article 7(3):
“The data subject shall have the right to withdraw his or her consent at any time. (…) It shall be as easy to withdraw as to give consent.”

3. KEEP CONSENT REQUESTS AND OTHER TERMS & CONDITIONS SEPARATE.

Under GDPR, email consent needs to be separate.

Article 7(4):
“When assessing whether consent is freely given, utmost
account shall be taken of whether… the performance of a
contract, including the provision of a service, is conditional on
consent to the processing of personal data that is not
necessary for the performance of that contract.”

4. WHO, WHEN, HOW! AND KEEP EVIDENCE OF CONSENT.

Article 7 (1):
“Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”

Who consented
When they consented
What they were told at the time of consent
How they consented (e.g., during checkout, via Facebook form, etc.)
Whether they have withdrawn consent

5. CHECK EXISTING CONSENTS.
Recital 171:
“Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation.”

GDPR does not only apply to signups that happen after May 25th, it applies to all existing EU subscribers on your email list.