One of our most asked questions is: “Can I process this information about my customers?” You have probably heard about the new data regulation, but you do not know what is actually being changed.
The good news is that in most cases, yes you can.
The rules of the new regulation are pretty clear. If what you do is not allowed – then it is forbidden. You must, as lawyers say, have the authority to process the information.
There are several different legal bases in the regulation – here are the two most important for ordinary companies:
- Consent: if the registrant gives his or hers consent to the treatment, you can treat the information. The consent must be voluntary, specific and unambiguous. To control the unambiguity of the consent, let a third party read the consent. If the person based on the statement do not understand what you do, the consent is not clear enough.
- Fulfillment of contract: if you have an agreement or a contract with for example a customer, you must process the information necessary to fulfill the purpose of the agreement or contract. But it is important to understand that you may only process the necessary information, you may not process all possible information about the customer.
How to use it
First you need to create an overview of which personal data your company holds and what you do with them. When you have done that, you need to consider what to do with every registration and how to treat it. The first question is whether the registration and treatment are necessary to fulfill an agreement or contract. If so, you do not need to take any further actions. If not, you need to get a consent from the registrant.
If in doubt
If you have doubts whether a particular treatment requires consent, feel free to write to us and ask at firstname.lastname@example.org. We will be pleased to provide you with our services. We try to gather concrete and practical examples, whilst we reserve the right to publish the answer anonymously. Of course, you will also get a personal answer.