Determine when and how consent is to be obtained

The organization should determine and document a process by which it can demonstrate if, when and how consent for the processing of PII was obtained from... ... - Licensed content not shown -

GDPR (EU)

8.1: Article(8)(1): Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

8.2: Article(8)(2): The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

LGPD (BRA)

Art.7: The processing of personal data may only be performed in the following scenarios: I – Through the provision of consent by the data subject; II – For the compliance with legal or regulatory obligation on the part of the controller; III – By the public administration, for the processing and shared use of data deemed as necessary for the execution of public policies outlined in laws and regulations or supported by contracts, agreements, or similar instruments, following the provisions of Chapter IV of this Law; IV – To perform studies by research organizations, ensuring, whenever possible, the anonymization of the personal data; V – When necessary for the performance of an agreement or preliminary procedures relating to an agreement to which the data subject is party, at the request of the data subject; VI – For the regular exercise of rights in court, administrative, or arbitration proceedings, considering that arbitration proceedings must follow the provisions of Law 9,307, dated of September 23, 1996 (Arbitration Law); VII – For the protection of life or the physical safety of the data subject or third party; VIII – For the protection of health, exclusively, in procedures performed by health care professionals, health services or sanitary authorities; (New wording included by Law No. 13,853 of 2019) IX – When necessary to meet the legitimate interests of the controller or third party, except in cases where the data subject’s fundamental rights and freedoms that require the protection of personal data prevail; X – For the protection of credit, including in relation to the provisions of relevant legislation. § 1 (Revoked). (New wording included by Law No. 13,853 of 2019) § 2 (Revoked). (New wording included by Law No. 13,853 of 2019) § 3 The processing of personal data whose access is public must consider the purpose, good faith, and public interest that justify its availability. § 4 The requirement to obtain consent outlined in the head provision of this Article is waived for in case of data made manifestly public by the data subject, preserving the data subject’s rights and the principles outlined in this Law § 5 Controller that obtain the consent referred to in item I of the head provision of this Article that need to communicate or share personal data with another controller must obtain specific consent from the data subject for this purpose, except in the consent waiver scenarios outlined in this Law. § 6 An eventual waiver of the requirement for consent does not relieve the processing agents from the other obligations outlined in this Law, especially the obligation to comply with the general principles and to guarantee the data subject’s rights. § 7 The subsequent processing of the personal data referred to in § § 3 and 4 of this Article may be carried out for new purposes, provided that the legitimate and specific purposes for the new treatment and the preservation of the rights of the holder are observed, as well as the principles and grounds set forth in this Law. (Included by Law No. 13,853 of 2019)

Art.8: The consent outlined in item I of Article 7 of this Law must be provided in writing or by another demonstrable mean that shows data subject’s expression of intention. § 1 If the consent is provided in writing, it must be contemplated in a clause separated from the other contractual clauses. § 2 The burden of proof demonstrating that the consent was obtained according to the provisions of this Law lies on the controller. § 3 The processing of personal data based on an irregular consent is prohibited. § 4 The consent must refer to determined purposes, and generic authorizations for personal data processing will be void. § 5 Consent may be revoked at any time through an express manifestation of the data subject, through an easy and free-of-charge process; it is ratified the processing performed under the consent previously given while there is no request for elimination, under the terms of item VI of this head provision of Article 8 of this Law. § 6 In case of changes to the information referred to in items I, II, III, or V of Article 9 of this Law, the controller must inform, in a specific and highlighted manner, the content of the referred amendment to the data subjects, whom, in cases in which their consent is requested, may revoke it if they disagree with the change.

Art.11: The processing of sensitive personal data may only be performed in the following scenarios: I – When the data subject or their legal guardian consents, in a specific and explicit manner, for specific purposes; II – Without the provision of the data subject’s consent, in scenarios in which it is indispensable for: a) The compliance with legal or regulatory obligation on the part of the controller; b) Shared processing of data deemed necessary for the execution, by the public administration, of public policies outlined in laws and regulations; c) In conducting studies by research organizations, ensuring, whenever possible, the anonymization of the personal data; d) The regular exercise of rights in court, administrative, or arbitration proceedings; considering that arbitration proceedings must follow the provisions of Law 9,307, dated of September 23, 1996 (Arbitration Law); e) The protection of life or the physical safety of the data subject or third party; f) The protection of health, exclusively, in procedures performed by health care professionals, health services or sanitary authorities; or (New wording included by Law No. 13,853 of 2019) g) Ensuring fraud prevention and data subject’s safety, in the identification and authentication process of registration in electronic systems, preserving the rights mentioned in Article 9 of this Law and except in cases where the data subject’s fundamental rights and freedoms require the protection of personal data prevail. § 1 The provisions of this Article apply to any processing of personal data that reveal sensitive personal data and that may cause damage to the data subject, with the exception of the provisions of specific laws. § 2 In cases when letters “a” and “b” of item II of the head provision of this Article are applied by public legal entities and bodies, the aforementioned waiver of consent under the terms of item I of the head provision of Article 23 of this Law will be disclosed. § 3 The communication or shared use of sensitive personal data between controllers with the purpose of obtaining economic advantages may be subject to prohibition or regulation by the National Data Protection Authority, consulting the public authorities’ sectorial bodies, within the scope of their powers. § 4 The communication or shared use of sensitive personal related to health between controllers with the purposes of obtaining economic advantages is prohibited, except when related to the provision of health services, pharmaceutical assistance and health care, provided that § 5 of this Article is observed, including auxiliary services of diagnosis and therapy, to the benefit of the data subjects’ interest, and to allow: (New wording included by Law No. 13,853 of 2019) I – data portability when the data subject requests; or (New wording included by Law No. 13,853 of 2019) II – the financial and administrative transactions resulting from the use and provision of the services referred to in this paragraph. (New wording included by Law No. 13,853 of 2019) § 5 The operators of private health care plans are prohibited from processing health data for the practice of risk selection in the engaging of any modality, as well as in the inclusion or exclusion of beneficiaries. (New wording included by Law No. 13,853 of 2019)

Art.14: The processing of personal data of children and teenagers must be performed on their best interest, under the terms of this Article and relevant legislation. § 1 The processing of personal data of children must be performed with the specific and explicit consent provided by at least one of the parents or legal guardian. § 2 In processing the data under the provision of § 1 of this Article, the controllers must permanently disclose all information regarding the types of collected data, the way they are used, and the procedures for the exercise of rights under Article 18 of this Law. § 3 The personal data of children may be collected without the consent referred to in § 1 of this Article when the collection is necessary to contact the parents or legal guardian, and data is used only once and without being stored, or to protect them, and in no case data may be given to third parties without the consent under the provisions of § 1 of this Article. § 4 Controllers must not require data subjects referred to § 1 of this Article to provide information in order to participate in games, internet applications, or other activities beyond those information strictly necessary for the activity. § 5 Controller must undertake all reasonable efforts to verify that the consent referred to in § 1 of this Article was provided by one of the parents or legal guardian of the children, considering available technology. § 6 The information on the processing of data referred to in this Article must be provided in a simple, clear and accessible manner, considering the physical-motor, perception, sensory, intellectual, and mental characteristics of the user, with the use of audiovisual resources when appropriate, in order to provide the necessary information to the parents or legal guardian and adequate information for the understanding of the children.

Art.33: The international transfer of personal data will only be permitted in the following cases: I – To countries or international organizations that offer a level of protection of personal data that is adequate to the protection provided in this Law; II – When the controller offers and proves guarantees of compliance with the principles, the rights of the data subject, and the data protection regime outlined in this Law, in the form of: a) Specific contractual clauses for a particular transfer; b) Standard contractual clauses; c) Binding corporate rules; d) Certificates, and codes of conduct regularly issued; III – When necessary for international legal cooperation between government intelligence, investigation, and prosecution bodies, according to instruments of international law; IV – When necessary for the protection of life or the physical safety of the data subject or third party; V – When authorized by the National Data Protection Authority; VI – When resulting from a commitment made in an international cooperation agreement; VII – When necessary for the execution of a public policy or the fulfillment of a government legal duty, being publicly disclosed under the terms of item I of the head provision of Article 23 of this Law; VIII – When the data subject has provided specific and highlighted consent for the transfer, with prior information on the international character of the operation, clearly distinguishing this from the other purposes; or IX – When necessary to answer to scenarios outlined in items II, V, and VI Article 7 of this Law. Sole Paragraph. For the purposes of item I of this Article, public legal entities referred to in the sole paragraph of Article 1 of Law. 12,527, dated of November 18, 2011 (Information Access Law), within the scope of their legal powers, and responsible individuals, within the scope of their activities, may request from the National Data Protection Authority an evaluation of the level of protection of personal data provided by a country or international organization.

CCPA (US, CA)

S.1798.115.d: (d) A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out pursuant to 1798.120.

S.1798.120: (a) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out. (b) A business that sells consumers’ personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the right to opt out of the sale of their personal information. (c) A business that has received direction from a consumer not to sell the consumer’s personal information or, in the case of a minor consumer’s personal information has not received consent to sell the minor consumer’s personal information shall be prohibited, pursuant to paragraph (4) of subdivision (a) of Section 1798.135, from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information. (d) Notwithstanding subdivision (a), a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. This right may be referred to as the “right to opt in.”

APP (Australian Privacy Principles)

APP.3.3: Must not collect sensitive information unless consent is given and unless it is reasonably necessary for, or directly related to, the entity's functions or activities...

APP.6.1: Personal information collected for a particular purpose must not be used or disclosed for another purpose unless consent is obtained (APP 6.1)

PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada

4.3.6: The form of consent sought may vary depending on the type of information and circumstances (4.3.6)

4.3.7: Individuals can give consent in a manner of ways (4.3.7)

DPP (Data Protection Principles) - Hong Kong

DPP.1: Must take all practical steps to inform a number of matters including the purpose of collection, the classes of persons who will have access to the information and rights to access and correct information and the contact information to whom such a request should be made the data is collected for a lawful purpose directly related to a function or activity of the data user who is to use the data

DPP.3: Personal data must not be used for a new purpose (i.e. not previously identified) unless the consent of the data subject is obtained

Personal Data (Privacy) Ordinance - Hong Kong

S.30: Matching procedures cannot be undertaken without the consent of all relevant data subjects or the Commissioner

S.35E: Must not use personal data for marketing without data subject's consent (S.35E)

Personal Data Protection Act - Singapore

S.18: Collection, use and/or disclosure of personal data must be reasonable in the circumstances and the individual must be informed of the purposes for collection, use and disclosure

S.20: Must inform the individual of the purposes for collection, use and/or disclosure of personal data Notification must be done on or before collection.

S.26: May only transfer personal data outside Singapore in accordance with the requirements of the Act (S.26)

Personal Information Protection Act - South Korea

A.15: Must inform the individual of specified matters including the purposes for the collection and use of the personal information (A.15)

A.22: When obtaining consent, must present the request in a clear manner, including setting out each matter requiring consent separately and getting consent for each of those matters

A.23: Must not process sensitive information except where individual consents to processing or where the law permits it (A.23)

Turkish Data Protection Law numbered 6698

A.5: Personal data cannot be processed without the explicit consent of the data subject unless the one of legitimate purposes exists (A.5.2)

A.8: Unless approved conditions apply, personal data cannot be transferred without explicit consent of the data subject (A.8)

A.9: Personal data may only be transferred abroad without explicit consent if (i) sufficient protection is provided in the foreign country where the data is to be transferred, or (ii) the data controller in Turkey and in the related foreign country must guarantee a sufficient protection in writing and the Data Protection Board has authorized such transfer, where sufficient protection is not provided