GDPR/data privacy - Question

tiggers

pfm Member
Just filling in a housing licensing form for a rental property and it states that unless I expressly email them separately to request them not to they will share my details with third parties… I thought this was not accepted practice any longer. Am I wrong?
 
It does not sound compliant with GDPR. If they absolutely need to share this data with third parties to carry out mandatory tasks, then it would not be possible to block this via a separate opt-out request either.

GDPR requires all non-mandatory uses of your personal data to be opt-in only, and pre-checked checkboxes on a web form do not count; you have to be deliberately ticking those boxes (consent given by "clear affirmative action").
 
I guess given that specific context sharing data is essential as they need to do credit checks, property searches etc. It isn’t typical website functionality.

PS The NHS website is the same as you are expected to share your data with a racist multi-millionaire Tory donor.
 
Just filling in a housing licensing form for a rental property and it states that unless I expressly email them separately to request them not to they will share my details with third parties… I thought this was not accepted practice any longer. Am I wrong?
It’s rather more nuanced than that. For marketing type data sharing, you need to ‘opt in’ but for other types of data sharing there may be other bases for doing it other than ‘consent’, such as ‘legal obligation’ (eg, a statutory duty, court order, police warrant, etc), or ‘legitimate interests’ for normal, justifiable business purposes. They’ll need to share info for, as Tony says, things like credit checks and other due diligence. You can’t opt out of them. It’s generally not considered good practice to use defaults to opt-in and default opt-out is preferred, where consent is the basis for the processing.
 
Yes, that's the bones of it. Sharing for necessary purposes is permitted, but it should be explained to you on the form that signing will cause that sharing to happen. All secondary use (analysis, customer research, co-marketing with other businesses, etc.) needs an explicit opt-in.

When they say "sharing with third parties" without the purpose (like "we will provide your details to a credit reference agency for the purposes of risk assessment") it's definitely a non-essential use.

As far as I know, the GDPR rules are still in force in the UK through national legislation. Leaving the EU will have no effect on these rights until that UK legislation is repealed or changed.
 
It’s rather more nuanced than that. For marketing type data sharing, you need to ‘opt in’ but for other types of data sharing there may be other bases for doing it other than ‘consent’, such as ‘legal obligation’ (eg, a statutory duty, court order, police warrant, etc), or ‘legitimate interests’ for normal, justifiable business purposes. They’ll need to share info for, as Tony says, things like credit checks and other due diligence. You can’t opt out of them. It’s generally not considered good practice to use defaults to opt-in and default opt-out is preferred, where consent is the basis for the processing.
All true, but in this case there was an opt-out (by e-mail!) which strongly points to that it's not actually mandatory for them to have the data.
 
Yes, that's the bones of it. Sharing for necessary purposes is permitted, but it should be explained to you on the form that signing will cause that sharing to happen. All secondary use (analysis, customer research, co-marketing with other businesses, etc.) needs an explicit opt-in.

When they say "sharing with third parties" without the purpose (like "we will provide your details to a credit reference agency for the purposes of risk assessment") it's definitely a non-essential use.

As far as I know, the GDPR rules are still in force in the UK through national legislation. Leaving the EU will have no effect on these rights until that UK legislation is repealed or changed.
Yes, we now have ‘U.K. GDPR’ which is to all intents and purposes GDPR but with minor changes to wording here and there. New domestic UK data protection legislation is currently going through Parliament and the legislation is expected to come into force later this year. It will still align quite well with EU GDPR, so as not to upset the data sharing applecart.
 
All true, but in this case there was an opt-out (by e-mail!) which strongly points to that it's not actually mandatory for them to have the data.
It explicitly says 'for marketing purposes'... pretty sure they're in breach of GDPR, but I know it's nuanced so thanks all for the above.
 
Letting agents and their respective partners are well known to receive commission from 3rd parties for tenant data. It's an optimal time to sell you broadband, TV, energy tariffs, insurances etc. As marked for marketing purposes they are breaching the rules by behaving as they are. If challenged they will claim you opted in until such time you sent, they received and they acted upon your opt out mail. I imagine the data sharing with other 3rd parties would happen immediately so very quickly your data is out there. Not good at all.
 
Letting agents and their respective partners are well known to receive commission from 3rd parties for tenant data. It's an optimal time to sell you broadband, TV, energy tariffs, insurances etc. As marked for marketing purposes they are breaching the rules by behaving as they are. If challenged they will claim you opted in until such time you sent, they received and they acted upon your opt out mail. I imagine the data sharing with other 3rd parties would happen immediately so very quickly your data is out there. Not good at all.
Completely agree, but in this it's actually a borough council form.
 

