You're absolutely right Spiral. Point 7 in the JW DP policy can NOT stand in a typical GDPR Audit.
Clear consent about sharing data is a big deal in the GDPR Standard. Which is why Facebook revised its own DP Policy early this year to be clearer about what is done with data they collect (in my opinion, that's still not enough but that's another story)
GDPR definition of consent:
(11) 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
=> Article: 6, 7, 8
=> Recital: 32, 33, 38, 42, 43
=> Dossier: Consent
IT Governance goes on to give examples of lawful consent requests@
- Signing a consent statement on a paper form;
- Clicking an opt-in button or link online;
- Selecting from equally prominent yes/no options;
- Choosing technical settings or preference dashboard settings;
- Responding to an email requesting consent;
- Answering yes to a clear oral consent request;
- Volunteering optional information for a specific purpose (such as optional fields in a form); and
- Dropping a business card into a box.
https://www.itgovernance.eu/blog/en/gdpr-when-do-you-need-to-seek-consent/
I'm just WAITING for May 25 to come around!