GDPR

Search GDPR for solutions or ask a question
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
alyseweaver

‎May 6, 2020 10:40 AM

Member

GDPR Acquisitions

SOLVE

If a person subscribes to company ABC, but ABC is acquired by company XYZ, does XYZ has the ability to email those contacts? Must they be reverified by XYZ? How do GDPR rules apply to these instances?  

Compliance
0 Upvotes
2 Accepted solutions
warrendavey
Solution
Top Contributor | Diamond Partner

‎May 6, 2020 11:09 AM

Top Contributor | Diamond Partner

GDPR Acquisitions

SOLVE

@alyseweaver - If the email addresses themselves haven't changed then you shouldn't be obligated to reverify. That would be on their end.  If the email changes then you would probably need to have them verify for any subscription as part of your normal process in adding a new email.

Non-Disclosure: I have no background in GDPR and am not authorized to provide legal advice. Please check with a legal professional in addition to these suggestions. 🙂

✔️ Was I able to help answer your question? Help the community by marking it as a solution.

Davey Waren
Pearagon

Still have questions? Let's Talk

View solution in original post

GDHutchison
Solution

‎May 6, 2020 11:48 AM

Participant

GDPR Acquisitions

SOLVE

Below are the regulations around consent from the ICO - You will need to infiorm the contacts as the controller of the data has changed and thefore consent needs to reverified.

 

What is ‘specific and informed’?

Consent needs to be specific and informed. This means it must specifically cover the following:

  • The controller’s identity: recital 42 says the individual should know the identity of the controller. This means you need to identify yourself, and also name any third party controllers who will be relying on the consent. If you buy in ‘consented’ data, that consent is only valid for your processing if you were specifically identified. You don’t need to name your processors in your consent request (although you do need to comply with separate transparency obligations).
  • The purposes of the processing: recital 43 says separate consent will be needed for different processing operations wherever appropriate – so you need to give granular options to consent separately to separate purposes, unless this would be unduly disruptive or confusing. And in every case, a consent request must specifically cover all purposes for which you seek consent.
  • The processing activities: again, where possible you should provide granular consent options for each separate type of processing, unless those activities are clearly interdependent – but as a minimum you must specifically cover all processing activities.
  • The right to withdraw consent at any time: we also advise you should include details of how to do so.

View solution in original post

2 Replies 2
GDHutchison
Solution

‎May 6, 2020 11:48 AM

Participant

GDPR Acquisitions

SOLVE

Below are the regulations around consent from the ICO - You will need to infiorm the contacts as the controller of the data has changed and thefore consent needs to reverified.

 

What is ‘specific and informed’?

Consent needs to be specific and informed. This means it must specifically cover the following:

  • The controller’s identity: recital 42 says the individual should know the identity of the controller. This means you need to identify yourself, and also name any third party controllers who will be relying on the consent. If you buy in ‘consented’ data, that consent is only valid for your processing if you were specifically identified. You don’t need to name your processors in your consent request (although you do need to comply with separate transparency obligations).
  • The purposes of the processing: recital 43 says separate consent will be needed for different processing operations wherever appropriate – so you need to give granular options to consent separately to separate purposes, unless this would be unduly disruptive or confusing. And in every case, a consent request must specifically cover all purposes for which you seek consent.
  • The processing activities: again, where possible you should provide granular consent options for each separate type of processing, unless those activities are clearly interdependent – but as a minimum you must specifically cover all processing activities.
  • The right to withdraw consent at any time: we also advise you should include details of how to do so.
warrendavey
Solution
Top Contributor | Diamond Partner

‎May 6, 2020 11:09 AM

Top Contributor | Diamond Partner

GDPR Acquisitions

SOLVE

@alyseweaver - If the email addresses themselves haven't changed then you shouldn't be obligated to reverify. That would be on their end.  If the email changes then you would probably need to have them verify for any subscription as part of your normal process in adding a new email.

Non-Disclosure: I have no background in GDPR and am not authorized to provide legal advice. Please check with a legal professional in addition to these suggestions. 🙂

✔️ Was I able to help answer your question? Help the community by marking it as a solution.

Davey Waren
Pearagon

Still have questions? Let's Talk

Sign up for the Community Newsletter

Receive Community updates and events in your inbox every Monday morning.
GDPR Acquisitions
Below are the regulations around consent from the ICO - You will need to infiorm the contacts as the controller of the data has changed and thefore consent needs to reverified.   What is ‘spec...
Below are the regulations around consent from the ICO - You will need to infiorm the contacts as the controller of the data has changed and thefore consent needs to reverified.   What is ‘spec...
Marketing
May 6, 2020