I think there might be a significant difference in DPA / GDPR terms between 'Statute - a written Law passed by a legislative body' and 'statute - a rule of an organisation or body' that would make make relying on Legal Obligation tricky.
On that basis, I also doubt that the union on site can lay any automatic claim to new students' data following a public task / member state law line of reasoning. Am not particularly convinced the Legitimate Interests would cut the mustard either (even discounting the fact that a Legit Interest claim would need to be shown to have taken the rights and freedoms of the data subjects into account first).
This looks essentially like a direct marketing issue - there's no compulsion for new students to join the students' union, but the union does have an interest in attracting new members. The union wants contact details of all new students so it can approach them with details of the benefits and USPs of membership - direct marketing, basically.
Opt-in consent is looking the best option from where I'm sitting.
Owen
O Thomas
Information Governance Officer
Law & Governance
Commercial & Corporate Services Directorate Sunderland City Council
0191 5611263
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|