As we get closer to the practical side of processing personal data under the GDPR, we first need to understand the reason for processing, which is expressed as a lawful basis. The first and most discussed basis is, of course, consent. Today we will identify the nature, characteristics and features of the consent needed to process personal data in accordance with the GDPR.
Consent is one of several lawful bases set out in the GDPR, and obtaining it correctly requires certain steps. Where another lawful basis is available, experts recommend relying on that instead. However, many organisations will be left dependent on consent alone, especially in the field of direct marketing.
The term “consent”. The GDPR requires consent to be (I) informed, (II) freely given, (III) expressed through a clear affirmative action and (IV) clearly distinguishable from other matters. Consent is not legally valid if it lacks any one of these characteristics, so the GDPR makes it significantly more difficult for organisations to obtain it correctly.
(I) The requirement that consent must be informed is intended to ensure that the data subject understands the risks associated with the processing. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing. The data subject must also be informed of the existence of all of their rights, particularly the right to withdraw consent.
Example: When you ask for consent, you must clearly explain what the customer is consenting to in an easily understandable way. The request for consent needs to be prominent, concise, separate from other terms and conditions, and in plain language. Using double negatives or inconsistent language means invalid consent.
(II) Consent must reflect the data subject’s genuine and free choice, and the data subject must be able to refuse or withdraw consent without detriment. Where there is a “clear imbalance” in the relationship between the controller and the data subject, consent is considered not freely given. The performance of a contract should not be made conditional on the data subject consenting to processing activities that are not necessary for the performance of that contract.
Example: An internet provider requires customers to consent to their details being shared with other providers for statistics. The provider needs the customer's data to enter into the contract, but sharing it is not necessary for providing internet services, so the consent is not freely given. The provider may ask customers to consent to passing their data to named third parties, with a free choice to opt in or out.
(III) The GDPR makes it clear that consent requires a clear affirmative act by the data subject indicating agreement to the processing of personal data, such as a written or oral statement, or a statement made by electronic means. Recital 32 of the GDPR mentions ticking a box on a website, choosing technical settings for information society services, or any other way that clearly indicates acceptance of the proposed processing. The GDPR specifically recognises the validity of a number of commonly used methods of collecting consent, and any appropriate method can be used. However, silence, pre-ticked boxes, inactivity and failure to opt out do not constitute valid consent.
Example: Customers are asked to participate in a survey followed by a prize draw. A customer submitting the sheet is a clear affirmative act of agreeing to their data being processed for the purposes of the survey and of the prize draw. However, this consent would not extend to using those details for marketing purposes.
(IV) Distinguishable consent is consent that is kept separate from other matters. The GDPR emphasises its importance by stating that consent language inconsistent with the GDPR is non-binding. Consent cannot be wrapped up as part of a wider set of terms and conditions.
Example: If you want to acquire consent for marketing purposes, you can never use the consent you obtained for entering into a contract or for any other reason. It must be contained in a written declaration produced by the controller, distinguishable from the other matters in that declaration, intelligible, easily accessible and in clear, plain language.
So much for the basic description of consent requirements. Next time we will talk about the more ambiguous aspects of consent, together with our solution.