MRFELEVENPLUSTUITION LTD
1. Scope
The consent of the data subject is one of the conditions for the processing of his or her personal data and is within the scope of this procedure. MRFELEVENPLUSTUITION LTD needs to obtain consent when no other lawful basis applies.
Consent of the data subject is defined by the GDPR as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Explicit consent is required for the processing of sensitive personal data. Specific conditions apply to the validity of consent given by children in relation to information society services, with requirements to obtain and verify parental consent below certain age limits.
2. Responsibilities
2.1 As a data controller, MRFELEVENPLUSTUITION LTD is responsible under the GDPR for obtaining consent from the data subject under advisement from Data Protection Officer / GDPR Owner.
3. Consent procedure
3.1 MRFELEVENPLUSTUITION LTD provides a clear privacy notice wherever personal data is collected to ensure that consent is informed and that the data subject is informed of their rights in relation to their personal data.
3.2 MRFELEVENPLUSTUITION LTD demonstrates data subject(s) consent to the processing of his or her personal data or explicit consent for sensitive personal data.
3.3 MRFELEVENPLUSTUITION LTD demonstrates data subject(s) consent to the processing of his or her personal data for one or more specific purposes.
3.4 MRFELEVENPLUSTUITION LTD demonstrates data subject(s) consent is clearly distinguishable from any other matter relating to the data subject.
3.5 MRFELEVENPLUSTUITION LTD demonstrates data subject(s) consent is intelligible and accessible using clear and plain language.
3.6 MRFELEVENPLUSTUITION LTD demonstrates data subject(s) are informed of their right to withdraw consent before giving consent.
3.7 MRFELEVENPLUSTUITION LTD demonstrates processing of data is limited to that stated in the contract, bound by the explicit consent given by the data subject.
4. Child consent procedure
4.1 Where processing relates to a child under 16 years old[A1] , MRFELEVENPLUSTUITION LTD demonstrates that consent has been provided by the person who is the holder of parental responsibility over the child in instances where MRFELEVENPLUSTUITION LTD offers services online targeting children[A2] .
4.2 MRFELEVENPLUSTUITION LTD demonstrates reasonable efforts have been made to verify the age of the child and establish the authenticity of the parental responsibility taking into consideration available technology[A3] .
Document Owner and Approval
The Company Director is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the GDPR.
A current version of this document is available to specified members of staff on the corporate website and is published on paper to relevant data subjects.
This procedure was approved by the Data Protection Officer / GDPR Owner on 23/05/18 and is issued on a version controlled basis under his signature.
Signature: Date:
Change History Record
Issue
Description of Change
Approval
Date of Issue
Initial issue
<Director>
23/05/18
[A1]Member States may provide by Law for a lower age but not below the age of 13 years.
The ICO have published guidance ‘GDPR Consent Guidance for Consultation’ here [A2] https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp187_en.pdf
[A3]If you choose to rely on children’s consent, you will need to implement age-verification measures, and make ‘reasonable efforts’ to verify parental responsibility for those under the relevant age.