
Never underestimate the kind of mess lawyers can think up. I know of a big organisation providing all kinds of services. I was involved from the sidelines in GDPRing a small part of a very unimportant and almost forgotten service of them.

My personal guess was they wouldn't need consent, as it was a clear-cut case where all requested data was clearly needed to provide the service. And asking for consent to use the data a customer just typed in the site for requesting the service seems a sure-fire way to annoy them without any upside.

Then the GDPR lawyers came.

It turns out, if you interpret the company charter in a very nasty but still legal way, there might be a very rare edge case where a service was provided to someone who was not strictly 100% a customer. Yeah, I'm a bit vague here, sorry about that.

To be clear: No real-life example was found now or in the 10+ year history records of the service, both the almost-but-not-quite customer and the company would have to do insane things, and the service delivered in the case was almost non-existent, but theoretically, on paper, it was possible. I'm pretty sure nobody would care if it happened, either.

So boom goes our legal base. Consent it is, then.




People keep going to consent, but I'm pretty sure in many cases they're wrong to do so.

> Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

and the ICO guidance is

> Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.

Even when consent is given, the users' interests still have to be considered during processing, so it's not like it's a do-whatever-you-like card. Just because a user says they consent to you doing something with their data doesn't necessarily mean you can if that thing is obviously not in their interests.

I wish the fact that consent is only a weak basis under GDPR were made more clear, since if we just end up with an internet that requires consent on every site then the law has just made things worse and made nothing better.


This sort of thing seems to happen a lot. Legal departments are responsible for making sure the company doesn't get sued, and are not really responsible for working towards company success. So Legal's arse gets covered by denying absolutely everything that they don't believe is guaranteed legal, and the company loses business because things become unreasonable. I think legal should instead be more risk management, working for the benefit of the company to manage the legal risk rather than minimize it, and stay within ethical boundaries. It already is risk management, since all legal departments have to work with are their opinions and not facts about how future rulings will go, so it is just a case of accepting it. In the above example, it seems like that didn't happen, with lawyers creating a wall of red tape costing money and annoying customers, instead of realizing the risk was minimal, and if they were at all competent they could easily argue their case even if the low risk event occurred.

And it is even more insane blindly accepting this sort of advice with GDPR, worrying about getting sued for theoretical edge cases when the first round of warnings hasn't even gone out to the worst offenders yet.


It doesn't matter if you need the data to provide the service, you still need to ask for consent for any personal data - and personal data is defined extremely broadly.


Sorry, but this is completely wrong. See art 6:

https://gdpr-info.eu/art-6-gdpr/

There are 6 options. Option a is the consent you are talking about. I am talking about option b.

Basically, having multiple legal bases can't hurt, so our lawyers said: Get both option a and b.



