26th - Jun - 2018

The Rights of EU Citizens Under GDPR

GDPR covers the consent to store and process personal data. This should not be confused with the consent to be communicated to. Obviously, overlap exists as you cannot communicate with someone without them having given you consent to store and process their data.

The question is, whether your customers gave you consent to store their personal data, for example their name and telephone number. If the answer is yes, then you have no issue under GDPR. If the answer is no, then you will need to seek consent. GDPR is consumer centric, so whilst enterprises that use messaging to communicate with their consumers have statutory obligations, the rights of users themselves are also explicit. This includes the right to refuse to become a data subject, which opens up the issue of consent, or informed consent.

EU Data Subject (consumers) rights extend beyond the consent phase, so once they are established and personal data is captured and stored, GDPR mandates what must happen next.

Consumers have the right:

  • To be informed (e.g. right to know how long their data will be kept)

  • To restrict processing (e.g. transparency on how data will be used)

  • To purpose specification and minimization

  • To data portability (e.g. right to move data from one provider to another)

  • To be forgotten by the data processor – the Right of Erasure

  • Not to be subject to automated decision making e.g. a loan application

Although the Data Controller is primarily responsible for ensuring the Consumer rights above are guaranteed, as a Data Processor, these rights require that all requests from a Data Controller to have a Data Subjects data reviewed, deleted or moved, must be actioned expeditiously.

An example within the enterprise messaging ecosystem is a scenario in which a banking customer insists that all historical data kept by the bank be deleted. The bank as the Data Controller should contact all their Data Processors to have this EU Data Subjects details deleted from logs etc.

This means that there are contractual obligations between Controllers and Processors. Under the current EU Data Protection Directive, only the Controller is held liable for data protection compliance, whereas GDPR places direct statutory obligations on Data Processors too.

In practical terms, GDPR requires that all companies who gather, store and use personal data – which is most companies – maintain adequate data records, disclose data breaches, and increase and simplify opt-in and opt-out options, as well as strengthening rules for data minimization, effectively restricting the wholesale harvesting of personal data where there is no real need.

The new requirements under GDPR include gathering multiple consents, and giving individuals the right to withdraw from a service. In theory all consent should be informed, so that a person must understand what they are signing up to. Yet this is not always the case. In fact, sometimes consent is deliberately confusing, with pre-ticked boxes and pages of terms and conditions.

GDPR outlaws these confusing and misleading practices, and brings more clarity. Its main goals are as follows:


Enterprises can no longer rely on a link to a Privacy Policy. Now they have to use plain English and specific words to explain why they are collecting personal data at the point they are collecting it. They must also explain how they intend to use it, and if they plan to share it with third parties (for which they will also need explicit consent).

Implied Consent Doesn’t Count

Simply signing up for some services was, in itself enough to imply consent to further uses of personal data. GDPR states clearly that silence, pre-ticked boxes or inactivity does not now constitute consent. Again, consent has to be explicit.

Bundled Consent Doesn’t Count

Consent requests must be separate from other terms and conditions. This means it only applies to services it is relevant for.

Better Access to Consent Data

Under GDPR, enterprises must keep records of what individuals consented to. This should include what they were told, as well as when and how they consented. Users must be given access to this information at any time should they request it, and have the right to delete it.

Better Protection for Children

Controllers must obtain the consent of a parent or guardian when processing the personal data of a child under the age of 16.

Need to know more? Download the full CLX Guide to GDPR and Enterprise Messaging here.

Signup for Blog Updates