Data Protection & GDPR Compliance
Consent in Marketing, Events, Training & HR Contexts
At Devoteam Portugal, we value privacy and trust. When we organize marketing campaigns, events and other activities, we often process personal data — from collecting names, emails and other personal data for registrations, to sending newsletters, sharing photos, or following up after an event.
Under the GDPR, Consent is key — and we must ensure it is clear, informed, and freely given.
What is Consent under GDPR?
Consent of a data subject means that the individual (the person whose data we’re collecting) has:
Freely given their permission
In a specific, informed, and unambiguous way
For the processing of their personal data
For a clearly defined purpose
In particular, consent must be explicit when processing special categories of data or for certain marketing purposes.
According to the GDPR, consent must be given through a statement or a clear affirmative action that signifies the data subject’s agreement to the processing of their personal data.
When is Consent Required?
✅ Situations Where Consent is Required
Marketing & Communications
Sending newsletters or promotional emails to individuals who are not existing clients or employees.
Collecting contact information through online forms for future marketing follow-ups.
Sharing personal data (e.g., names, emails) with third-party partners or sponsors after an event.
Using contact information collected for one purpose (e.g., webinar registration) to market unrelated services.
Events & Image Use
Taking and publishing photos or videos of individuals at corporate or public events (especially when used on websites, social media, or promotional materials).
Livestreaming an event where individuals might be clearly identifiable.
Using images of employees or clients in case studies, success stories, or employer branding materials.
Following up with registered event participants (depends on the consent given at registration).
Human Resources & Internal Communication
Collecting and storing special categories of data (e.g., health data for accommodation requests or dietary restrictions).
Sharing employee information (e.g., name, role, photo) on external channels, such as the company website or LinkedIn.
Publishing internal newsletters featuring personal stories, achievements, or interviews, if not strictly job-related.
Digital Platforms & Tools
Using tracking technologies or cookies that collect personal data for analytics or advertising.
Collecting feedback, testimonials, or recordings during online sessions, webinars, or training, if they include personal data.
❌ Situations Where Consent is Usually Not Required
HR & Employee Activities
Internal training registration forms (employees only).
Legal basis: Performance of employment contract or legitimate interest of the company.
Consent is not needed because the activity supports employee development within the scope of the employment relationship.
Processing payroll and benefits data
Legal basis: Legal obligation under labor or tax laws.
Employee performance evaluations or appraisals
Legal basis: Contractual necessity or legitimate interest
Emergency contact collection
Legal basis: Vital interests or legal obligation
Monitoring access to company facilities or equipment usage (with prior notice and justification)
Legal basis: Legitimate interest for security and operational continuity
Business Operations & Communications
Sending operational emails to employees (e.g., policy updates, IT maintenance notices)
Legal basis: Legitimate interest or contractual necessity
Client contact data collection as part of a service contract
Legal basis: Contractual necessity
As long as the data is used strictly for delivering the contracted service.
Data processing for audit, compliance, or regulatory reporting
Legal basis: Legal obligation
Internal Surveys
Anonymous employee engagement surveys
No personal data = GDPR does not apply
If not anonymous and personal opinions are collected, another legal basis may apply (e.g., legitimate interest with safeguards).
Consent Templates: How to Access and Use Them
To ensure that consent is collected and managed correctly and in compliance with the GDPR when personal data is collected and processed in the context of marketing, events, and internal communications, Devoteam Portugal has developed official Consent Templates, available in both Portuguese and English. These templates must be used whenever applicable.
Available Templates:
🔗Consent Form for Use of Image
For minors under 18
For individuals aged 18 or over
🔗Consent Form for the Processing of Personal Data – HubSpot Events
Applicable only to events/initiatives managed through the HubSpot platform
🔗Consent Form for the Processing of Personal Data – Boldint, S.A. (PT01) and Edotoutfit, Lda. (PT07)
For use in all other relevant activities involving these entities
🔓Access to these templates is restricted to authorized personnel only, to ensure proper handling, up-to-date content, and version control.
Have Questions?
If you require access or support regarding the appropriate use of these templates, reach out to Rute Reizinho (Compliance Director & DPO) at pt.compliance@devoteam.com.