Is it sufficient for an employee to mark in a CRM system that a person has consented to receiving a commercial offer?

ANSWER

Under Article 5(2) GDPR, the controller is responsible for compliance with the provisions and must be able to demonstrate such compliance (the accountability principle). Furthermore, under Article 7(1) GDPR, where processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of their personal data.

Where consents are obtained by telephone, the most common approach is to record the call, as the recording will constitute evidence for the controller and will make it possible to demonstrate that the data subject genuinely gave such consent. An employee merely marking consent in the CRM may be regarded as insufficient to demonstrate that consent was genuinely given. It is therefore recommended to record calls where consents are collected in that form, or via email — electronically. This will constitute safeguards for the controller.