Consent
Consent is not the only lawful basis for which organisations can process data. Click here for information on other forms of lawful basis.
Membership Form
You can collect consent from members to process their data via a membership form. See here for details on how to create the form, and here for how to configure the form as your membership form.
One way that you can collect consent is by using a Checkbox type field. Note: the wording in the example below is for illustrative purposes only. You should ensure that the wording that you use is appropriate for your organisation and covers your specific requirements. Click here for some good illustrative examples of wording for GDPR consent checkboxes.
If you tick the Required box on the checkbox field, then it will not be possible for the member to progress past the form (i.e. they will not be able to complete the checkout process to purchase a membership subscription for example. If you decide to make the form a required field, then you may want to include an explanation in the Description box that the member will not be able to continue with the sign up process if they do not consent to their data being processed. However, note the advice from the ICO below about consent being freely given.
You have the option to make checkbox fields default ticked (i.e. the member would need to untick the box if they do not consent). We do not recommend that you use that option for this type of consent. The ICO have provided the following advice on consent:
"Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Public authorities and employers will need to take particular care to ensure that consent is freely given."
Sign In/Sign Up Page
Click here for how to insert customised text on your Sign In/Sign Up page. This can include a link to your Privacy Policy.
Note: There is not an option to insert a checkbox field on the Sign In/Sign Up Page. If a person did not tick the Consent checkbox, then they would not be able to proceed further, so it does not make sense to offer them the option to tick or not tick a box at this point in the process.
Children
The GDPR restricts the age at which data subjects can lawfully give consent. The default age is 16, but member states can adjust that limit to anywhere between 13 and 16.
If you have members who are under the age of consent, then you must ensure that consent is obtained from a person holding "parental responsibility", and you must make "reasonable efforts" to verify that the person providing that consent is indeed a parental figure.
Set out in the screenshot below is an illustrative example of how you might structure the form fields in a membership form to accommodate obtaining consent where you have both adult and junior members. The form fields are structured using:
- a multi-radio button to split the form questions into those relevant for an adult, and those for a junior
- a checkbox question for Adult Consent
- a series of questions for Junior Consent, including the checkbox consent, and fields to collect the name and relationship of the person with parental responsibility.
Click here for details on how to create multi-radio button form fields, and configure sub-questions.
Events
If you create an Open Event, or do not have a membership form, then you may want to consider adding a Consent field to your Event Form.
Consent for special categories of data
If you process any of the special categories of data, and are relying on the Consent condition for processing the data, you may want to consider having a separate explicit consent for the processing of that data.