GDPR - Using the Legitimate Interest Approach (and Other Processing Methods) in Adapt

How to inform individuals being processed using LI, Contract, Legal Obligation, Vital Interest & Public Task. Audit & monitoring in Adapt.

Written by Jackie Read
Updated over a week ago

“Article 6(1)(f) gives you a lawful basis for processing where:

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

If Agencies are using the Legitimate Interest method of processing, they need to record that they have informed the individual that their data is being processed using this method. Best practice might be to send individuals a link to the Agency's privacy policy. This would cover the Legitimate Interest approach and the individual's Right to be Informed, and can include details on the individual's Right to Object.

Using Adapt to send details of your Privacy Policy and recording the Processing Method.

Use the ‘Consent/Permission Request’ workflow, which is accessible from the GDPR shortcut icon, from the GDPR & Checks page on a person record, or from the batch menu in Saved Results.

Selecting Privacy Policy under Permission Type enables users to send details of their privacy policy to individuals and records this in the Adapt Journal. Users can also record the fact (and 'Permission' date) that the individual has been informed they are being processed under Legitimate Interest by selecting Legitimate Interest from the Other Processing Method here.
Using these two fields in this one workflow, the Adapt system could be used to 'batch' inform Candidates that they are being processed under Legitimate Interest, send a link to the Agency's privacy policy (which states this) and record all this in Adapt. Users can then Search or Report on the reason code 'Legitimate Interest' to check which individuals have been informed.

  • Select the activity Consent/Permission Request

  • Choose the Permission Type of Privacy Policy:

This will generate a different email template which users should edit to paste a link to a URL containing their privacy policy (perhaps held on their website):

Note: Using the Permission Type of Other will generate a blank email for editing.

  • Choose the Other Processing Method reason code from:

  1. Contract

  2. Legal Obligation

  3. Legitimate Interest

  4. Public Task

  5. Vital Interest

Note: When the user selects a value from Other Processing Method, any 'Consent' part of the workflow request will not be saved and an error message will be displayed: "Consent details will not be saved when other processing method is selected".

Choosing Legitimate Interest from Other Processing Method will record the fact that the individual has been processed using Legitimate Interest.

When the Other Processing Method is used, a 'Permission Recorded' date is captured. This will be recorded on the GDPR & Checks page of the Candidate record, along with the 'Data Being Processed Under' reason code and Permission Type. This enables users to search and report on the processing method in date order.

The 'Permission (Recorded) Date' (not to be confused with the existing Recorded Date) has been added to the selectable metrics for Candidate and Contact Consent widgets of the Consent Dashboard.  

  • If the user has saved a copy of their privacy policy in the Office record, this can be sent as an attachment to either email (make sure the email text is edited to reflect this).

  • Ensure any documents required e.g. Privacy Policy are saved in the Office record of the Adapt user. This will ensure they are attached when the activity is run. Any documents not required on this request can be removed. Select the document in the ‘Consent Request Documents’ window, and the delete icon will appear allowing you to remove it. Note: Please contact your Erecruit representative to save these documents for you.

  • Add any notes if required and Confirm.

Batch Consent/Permission Request

The Consent/Permission Request workflow can be run in Batch for multiple Candidates or Contacts from Contact or Candidate saved search results:

Recording Other Processing Methods in Adapt

If an Agency has chosen another method of sharing their privacy policy and informing an individual they have been processed under Legitimate Interest or another processing method, they can record this in Adapt to help with GDPR searching and reporting.

  • Use the Record Permission workflow run from the GDPR shortcut icon or GDPR & Checks Compliance page on a person record:

  • Using the OTHER PROCESSING METHOD section, select the reason code such as Legitimate Interest from the ‘Person informed if data is being held under Legitimate Interest?’ field:

  • If this field is updated when using the 'Other Processing Method' section in this activity, the 'Permission (Recorded) Date' will be recorded or updated. 

  • Users can record how they informed the person of their rights using the ‘Person informed how to exercise their rights?’ field. Select the reason from the dropdown menu:

Note: Agencies can record permission in any way they choose, perhaps by recording a conversation in the ‘Log a Phone Call’ workflow. For instance, “spoke to X and told him that we are processing data under legitimate interest and sent him the link to the privacy policy”.

Note: If a user uses the 'Other Processing Method' section in the Record Consent/Permission activity, the consent expiry date will be cleared out.

Audit Trail for Legitimate Interest

All Adapt GDPR workflows run are tracked in the Adapt Journal of the user and the person record, so there is a full audit trail of permission tracking and evidence of the individual’s ‘Right to be Informed’:

Details will also be shown on the GDPR & Checks page of the person record.

Running the GDPR Consent/Permission Report or using the GDPR section in searches can help users monitor permission and the method used. See the Monitoring GDPR section for more details.
