

The European Union’s General Data Protection Regulation (GDPR) gives consumers unprecedented control over how their data are managed. Not only do consumers in the European Union now have the right to provide and revoke consent regarding the collection, use, and storage of their data, but they also have the right to be forgotten.

Greater consumer control, coupled with restrictions on how companies can use the information they collect, converges to create a data collection minefield that American tech companies must navigate to avoid fines and remain competitive. What makes this difficult is that EU guidance to date has been painted in broad strokes, whereas companies must deal with detailed real-world issues daily. Companies will have to make judgment calls about how to implement what the GDPR says. Still, there are some basics regarding data consent that all companies should keep in mind. Here’s what you need to know. This post covers consent, but a business may have other lawful bases for processing personal data besides consent.

The Different Characteristics of Consent Related to the GDPR Guidelines

One of the most complicated aspects of navigating consumer consent under the GDPR is that there are many different characteristics of consent to consider. The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes.” Consent must be expressed “by a statement or by a clear affirmative action.”

Characteristics of Consent

To expand on the characteristics consent should have: first, consent must be freely given. Requiring consent on a take-it-or-leave-it basis creates a risk that the consent is not free. Companies interested in requiring consent on that basis will need to make careful judgments about what they can do in light of the law.

Consent must be on a specific basis. The request for consent cannot be so vague that it fails to clearly describe what is being asked. Moreover, consent must be informed. The company must provide enough information in a disclosure that the individual can understand what he or she is consenting to.

The action to be taken to consent must be unambiguous. The individual should understand what actions will demonstrate consent and must, in fact, undertake those actions. It must be clear from the actions taken that consent is what the individual intends. For instance, the company can word requests for consent to clarify what actions will constitute consent.

Finally, the consent must be stated, or the individual must take affirmative action. For example, when a customer ticks a box that says, “I agree to receive emails regarding special offers from third-party partners,” this is affirmative action. Having pre-checked boxes saying yes and requiring an individual to uncheck the box to say no is not sufficient.

Implied consent can satisfy the requirements for consent, as long as it is unambiguous. Implied consent occurs when an individual provides permission based on actions instead of words. For instance, a website may include a notice on a sign-up form that says, “The information submitted on this form may be shared with our third-party partners to match you with offers that are right for you.” If the consumer proceeds and completes the sign-up form, the consumer has provided implied consent to have the submitted personal data shared with those third-party partners.

Another example is when an individual hands a card to a vendor at a trade show. The implication is that the individual consents to further communication.

Additional Characteristics

The GDPR specifically states that consent should be unambiguous. Here are some additional characteristics to keep in mind when it comes to consent and what counts as unambiguous under GDPR requirements:

  • Transparency Is Necessary To Prove Consent: For notices to meet transparency requirements, they must be written in a way that is clear and easy to understand. Additionally, all intended uses for the data must be outlined.

  • Consent Should Be As Easily Retracted as Given: Companies should ensure that the process for opting out of certain data uses, or for rejecting or withdrawing consent altogether, is as easy as it was to initially provide consent or opt in.

  • There Should Be No Unfair Terms Included in the Consent Document: Unfair terms refer to any inclusions that put the user at a disadvantage if they do not provide consent or abide by a company’s preferences.

  • Consent Must Be Freely Given: Consent is only considered “freely given” if the consumer is able to decline without detriment. There should not be a penalty for revoking consent. This is closely related to the requirement to ensure terms are fair.

  • Consent Must Be Informed: Consent is only considered “informed” if the consumer knows about the data collection, how the data will be used, and who the collector is. This is closely related to the requirement to ensure transparency.

  • Consumer Must Meet Age of Consent Requirements: The default age of consent for data protection purposes is 16, but some EU member states have lowered the age through national laws.


Keep in mind that where the personal data being collected fall within the special categories of sensitive personal data, consent must be explicit. In that case, the controller (the collecting party) must clearly state what personal data are being collected and how they will be used, and the individual must make a clear affirmative statement that he or she consents to the collection and use. Implied consent is not enough.


Special Consent Considerations for US-Based Companies

Many tech companies in America may wonder about GDPR requirements for U.S. companies when it comes to consent. CNBC reminds American companies that U.S. companies covered by the GDPR are not exempted just because they are located in the U.S. American companies falling within the GDPR and relying on consent should at least have a basic form and record-keeping mechanism for capturing consent for data use purposes, while following all the GDPR guidelines.

So far, one U.S.-based company has learned this the hard way. Forbes notes that earlier this year, France fined Google a whopping €50 million (US $56,632,500) for lack of valid consent, lack of transparency and inadequate information disclosure related to their personalized ad services.

How To Use Personal Data Collected Under GDPR Restrictions

So, how can U.S. companies collect and use data while remaining GDPR compliant and avoiding large fines? The first obvious step is identifying circumstances in which they must rely on consent. Second, if consent is necessary, they must legitimately obtain consumer consent in a way that is easy to understand and that makes all intended uses crystal clear.

Thereafter, data should be processed, used and stored in direct accordance with what individuals were told would happen. If the business is collecting personal data within the special categories defined under the GDPR, consent must be explicit, and companies should take extra care to secure consent in the most explicit terms.

Consent Issues Faced by AI and Robotics Companies

AI and robotics companies face particular consent issues. For instance, in the U.S., two companies are being accused of obtaining datasets of photos without user consent for purposes of training AI algorithms used for facial recognition. A class action complaint against Clarifai, Inc. claims that some of the company’s investors, founders of the OkCupid dating site, diverted a copy of that company’s database of face photographs to Clarifai to help train its algorithms.

Another class action complaint against IBM contends that IBM obtained Flickr photographs of faces in a deal with Yahoo. Both cases show the risks involved in obtaining datasets used for training purposes. Companies looking to train their algorithms should consider whether to obtain consent themselves or to require the source of their datasets to obtain that consent. Users would receive a notice of the new use and would have an opportunity to opt out. The GDPR would require a new opt-in for individuals in European Economic Area countries.

Likewise, robots collecting video and audio raise privacy and consent issues. For instance, a security robot roaming a shopping mall may be collecting video and audio, and the operator is not able to put an agreement in front of every shopper entering the mall to obtain consent. Consequently, operators may want to post notice signs near building entrances announcing the recording, similar to warning signs for stationary video cameras, to set up an argument that, following such notice, shoppers proceeding into the mall are impliedly consenting to the recording.

Stephen S. Wu is a shareholder with Silicon Valley Law Group in San Jose, California. He advises clients on a wide range of issues, including transactions, compliance, liability, security, and privacy matters regarding the latest technologies in areas such as robotics, artificial intelligence, automated transportation, the Internet of Things, and Big Data. He has authored or co-authored several books, book chapters, and articles and is a frequent speaker on advanced technology and data protection legal topics.

