Informatievlaanderen / OSLOthema-consent

GitHub repository for the OSLO trajectory "consent"

Two Consents necessary for use case 1 #8

Closed GeertThijs closed 2 years ago

GeertThijs commented 2 years ago

Description: In use case 1 Kate (the Datasubject) gives Consent (let's call it Consent1) to KBC to use her payslips for mortgage evaluation. And she gives another Consent (Consent2) to SDWorx (in the role of the outsourced HR of the company she really works for? or does she work for SDWorx?) to share her payslips for mortgage evaluation. As the GDPR requires a Consent to be specific, we have two Consents here in my opinion: one for using the payslips and one for sharing the payslips. Moreover, I doubt that this is the typical case. I would think that Kate, in the case of applying for a mortgage loan, would provide KBC with her payslips herself. It would be more interesting to describe a more typical case instead of an exception. I also wonder how this use case 1 is handled: it is not SDWorx that asks for Consent2 here, it is KBC that (apart from asking Consent1 for using the data) asks for Consent2 and then somehow transfers it to SDWorx. And what if SDWorx indeed does the HR for the company she works for? Then SDWorx is only a Processor, and it's her company that should get her Consent2.

Solution: Describe use case 1 with two Consents instead of one. Or simplify the use case so that only one Consent has to be given (Consent1) as Kate herself hands over her payslips.

GeertThijs commented 2 years ago

Simplified object diagram (but with the two Consents) to illustrate the proposed solution: TwoConsents

michaelgeamanu commented 2 years ago

This topic was discussed with Geert Thijs. In this use case it is important to assume that the DataController (already controlling the data, SDWorx in this case) has the correct rights/consents in place to provide other DataControllers (KBC in this case) with data if they can show a consent linked to it.

Meaning that it could be possible that there are two consents in place, but only one is relevant for this use case.