Personal Consent Procedure

1. Scope

The consent of the data subject is one of the conditions for the processing of their personal data and is within the scope of this procedure. We Dig Media needs to obtain consent when no other lawful basis applies¹.

Consent of the data subject is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by clear affirmative action, signifies agreement to the processing of data relating to them”. (GDPR 2018)

Explicit consent is required for processing of any sensitive information. Specific conditions apply to the validity of consent given by children in relation to information society services, with requirements to obtain and verify parental consent below certain age limits.

2. Responsibilities
2.1 We Dig Media as a Data Processor is responsible for obtaining consent from the data subject.

3. Procedure
3.1 We Dig Media provides a clear privacy notice wherever personal data is collected (GDPR REC 4.1) to ensure that consent is informed and that the data subject is informed of their rights in relation to their data.

3.2 We Dig Media will demonstrate the Data Subjects consent to the processing of their personal data or explicit consent for sensitive data.

3.3 We Dig Media demonstrates the consent is intelligible and accessible using plain language.

3.4 We Dig Media will inform the Data Subject of their right to withdraw consent before they give consent – see Right to Withdraw Consent procedure.

3.5 Where processing relates to a child under the age of 16 We Dig Media will demonstrate that a responsible guardian has provided consent where we offer anything which targets children.

This policy was approved by the Board of Directors on 5/12/2017 and is issued on a version controlled basis under the signature of the Directors.

Note¹ What are the lawful bases for processing?

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

More information from the ICO website