This procedure has been developed to enable effective management of consent for certain types of processing of personal data, ensuring individuals have a clear choice when providing their personal information to us.
Consent management for marketing and communication is enabled through the DataCAT application we have installed onto our website and product portals , providing self-service for Data Subjects in regards to their communication preferences, and therefore providing them a significant level of control. This also minimises the level of effort required to manage consent by us.
The following points apply to how we manage consent in line with the GDPR:
Individuals can provide their consent for us to communicate with them about our products and services through a series of clear opt in options
The means to consent is separate from any other requests on our website
We provide a clear Privacy Notice on our website when asking for consent so individuals can make informed choices about providing their consent
Only the minimum personal data is collected to enable this communication (email)
Only children over the age of 16 in the EU, or 13 in the UK, can provide valid consent, for children below this age consent can only be provided by those who hold parental responsibility
Where we suspect consent has been given by a child below the appropriate age, we will seek to verify the age of the individual (e.g. via proof of identity)
We date and time stamp when consent is given so there is a full audit trail of when consent was given
Consent can be adjusted by an individual at any point by changing their preferences on our website, or removed by contacting our Data Protection Representative
There is no time limit specified in the GDPR for retaining personal data with consent, however in line with guidance from the Information Commissioner’s Office (ICO)/supervisory authority, we will review consents every two years. The outcome of these reviews will be documented and our Privacy Notice/Data Protection Policy will be updated as required.
When an individual contacts the Data Protection Representative to request their consent is removed, the Data Protection Representative will contact the relevant Data Manager who will remove the consent and confirm this with the Data Subject via email. This will be logged by the Data Protection Representative.