DATA PROTECTION NEWS
The Article 29 Working Party (WP29), an EU advisory body on data protection and privacy, has published its much-awaited draft guidelines on consent under the GDPR. The guidelines clarify the requirements for obtaining and demonstrating valid consent and give recommendations on using consent as one of the legal grounds for personal data processing listed in Article 6 of the GDPR.
Conditions for valid consent
The Guidelines analyse the elements of valid consent under Article 4 (11) of the GDPR, according to which consent must be freely given, specific, informed and unambiguous.
In order for consent to be considered “free”, data subjects must have a genuine choice. Consent will not be free if individuals feel compelled to consent or will suffer negative consequences if they do not. Data subjects must also be able to withdraw consent without detriment.
Consent will also not be free where there is an imbalance of power between the data subject and the controller, e.g. in the employer/employee relationship or where the controller is a public authority. For the majority of data processing at work, the lawful basis should therefore not be the consent of the employees.
The WP29 emphasises that if consent is bundled as a non-negotiable part of terms and conditions, it is presumed not to have been freely given: consent and contract are two distinct lawful bases for processing and cannot be merged or blurred.
Consent is also presumed not to be free if the performance of a contract, including the provision of a service, is made dependent on consent even though that consent is not necessary for the performance of the contract. The WP29 warns that where a request for consent is tied to the performance of a contract, a data subject who does not wish to consent risks being denied the service they have requested.
Consent must be given in relation to “one or more specific” purposes, and the data subject must have a choice in relation to each of them.
In order to comply with the element of ‘specific’ the controller must apply:
- purpose specification as a safeguard against function creep,
- granularity in consent requests, and
- clear separation of the information related to obtaining consent for data processing activities from information about other matters.
Obtaining valid consent is always preceded by the determination of a specific, explicit and legitimate purpose for the intended processing activity. This requirement functions as a safeguard against the gradual widening or blurring of the purposes for which data is processed after a data subject has agreed to the initial collection of the data, also known as “function creep”. If a controller processes data on the basis of consent and wishes to process the data for a new purpose, it must obtain new consent from the data subject for that new purpose.
According to the WP29, in order to obtain valid consent, data subjects should be informed at least about:
- the controller’s identity,
- the purpose of each of the processing operations for which consent is sought,
- what (type of) data will be collected and used,
- the existence of the right to withdraw consent,
- the use of the data for decisions based solely on automated processing, including profiling (if applicable),
- the possible risks of data transfers to third countries in the absence of an adequacy decision and appropriate safeguards (if applicable).
When seeking consent, organisations should use clear and plain language, avoiding legal jargon and adapting the information to the targeted audience. The consent request must be clearly separated from other matters, either by standing out within the document or by being presented in a separate document; it may not be hidden in general terms and conditions.
According to the GDPR, consent requires an unambiguous indication of the data subject’s wishes by a statement or by a clear affirmative action. The GDPR recitals indicate that consent can be given by a written statement, including by electronic means, or by a (recorded) oral statement, and provide practical examples of clear affirmative action, e.g. ticking a box when visiting a website or choosing technical settings for information society services. Silence, pre-ticked boxes or inactivity therefore do not constitute consent.
The WP29 provides further practical examples of “clear affirmative action” through electronic means. Physical motions such as swiping on a screen, waving in front of a smart camera, or turning a smartphone clockwise or in a figure-eight motion may be options for indicating agreement. In the online context, consent of internet users could also be obtained through browser settings, which could mitigate the problem of “click fatigue”.
The GDPR requires “explicit consent” in certain situations (e.g. for the processing of sensitive data, for automated individual decision-making including profiling, and for certain international data transfers), imposing a higher standard on the way consent is expressed by the data subject. An obvious way to obtain explicit consent is a written statement signed by the data subject, but it is not the only way. In the online context, explicit consent may be obtained by filling in an electronic form, by sending an e-mail, by uploading a scanned signed document, or by using an electronic signature.
The GDPR clearly states that the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data. The WP29 recommends keeping a record of the consent statements received, so that the controller can show how and when consent was obtained and what information was provided to the data subject at the time.
The WP29 indicates that a best practice is that consent should be refreshed at appropriate intervals.
Withdrawal of consent
The GDPR provides that the data subject shall have the right to withdraw his or her consent at any time. Moreover, the controller must ensure that consent can be withdrawn as easily as it was given. This does not mean that both actions must always be performed in exactly the same way, but withdrawing consent must not require undue effort. Where consent was obtained through a service-specific user interface (for example, via a website, an app, a log-on account, the interface of an IoT device or by e-mail), the data subject must be able to withdraw consent via that same electronic interface.
If consent is withdrawn, the controller must stop the processing that was based on it and, unless another lawful basis justifies continued processing, the data should be deleted or anonymised. Where the data subject withdraws consent and the controller wishes to continue processing on another lawful basis, the controller cannot silently migrate from consent (which has been withdrawn) to that other basis; the data subject must have been informed of the other basis at the outset.
ICT Legal recommends that companies take the following practical steps to ensure that consent is a valid legal basis for processing personal data:
- Evaluate the legal basis for each personal data processing activity, and choose consent only where no other legal ground (e.g. performance of a contract, compliance with a legal obligation, legitimate interests of the controller) is appropriate
- Review the mechanism for obtaining consent, including information provided to data subjects
- Introduce a record of consent statements received, so as to be able to prove that the criteria for valid consent were met
- Introduce mechanisms for recording and managing withdrawal of consent
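The last two steps, a record of consent statements and a mechanism for recording withdrawal, lend themselves to a small append-only consent ledger. The code below is an added example written for this page; it is not code from ICT Legal or from the WP29 guidance, and it is not a compliance tool. The event fields, the list of "affirmative" methods, the 365-day refresh interval, the `user-42` subject and the purpose names are assumptions chosen for illustration. It records, per data subject and per purpose, how and when consent was given, a digest of the exact notice text shown, and any later withdrawal, and answers "may I process this purpose on the basis of consent right now?" with a no as soon as consent is withdrawn, so that code cannot silently fall back to another basis.

```python
"""Append-only consent ledger (hypothetical example, not from the guidance).

One event per purpose (granularity), only affirmative methods accepted,
evidence of the notice shown, and withdrawal that immediately ends the
consent basis for that purpose only.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
import hashlib
from typing import Iterable, List, Optional

# Labels for ways of expressing consent that are a clear affirmative action.
# Hypothetical labels for this example; silence, inactivity and pre-ticked
# boxes are deliberately not in this set and are rejected below.
AFFIRMATIVE_METHODS = {
    "web_checkbox_unticked_by_default",
    "signed_form",
    "electronic_signature",
    "recorded_oral_statement",
}


def utc(year: int, month: int, day: int) -> datetime:
    """Helper for fixed, timezone-aware timestamps in the example."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str            # one event per purpose: consent is granular
    action: str             # "given" or "withdrawn"
    at: datetime
    method: str             # how consent was expressed or withdrawn
    notice_version: str     # version label of the information shown
    notice_sha256: str      # digest of the exact notice text shown


class ConsentLedger:
    def __init__(self, refresh_after: timedelta = timedelta(days=365)):
        # Interval after which consent is treated as stale and must be
        # refreshed; the 365-day default is an assumption of this example.
        self._events: List[ConsentEvent] = []
        self._refresh_after = refresh_after

    def record_given(self, subject_id: str, purposes: Iterable[str], method: str,
                     notice_version: str, notice_text: str, at: datetime) -> None:
        """Record consent for each purpose separately; reject non-affirmative methods."""
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} is not a clear affirmative action; not recorded")
        digest = hashlib.sha256(notice_text.encode("utf-8")).hexdigest()
        for purpose in purposes:
            self._events.append(ConsentEvent(subject_id, purpose, "given", at,
                                             method, notice_version, digest))

    def record_withdrawn(self, subject_id: str, purpose: str, method: str, at: datetime) -> None:
        """Withdrawal is recorded as its own event; nothing is ever deleted from the ledger."""
        self._events.append(ConsentEvent(subject_id, purpose, "withdrawn", at, method, "", ""))

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        # The ledger is append-only, so the last matching event is the current state.
        matching = [e for e in self._events if e.subject_id == subject_id and e.purpose == purpose]
        return matching[-1] if matching else None

    def is_lawful_by_consent(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """True only if the latest event for this exact purpose is an unexpired consent."""
        latest = self._latest(subject_id, purpose)
        if latest is None or latest.action != "given":
            return False
        return now - latest.at <= self._refresh_after

    def needs_refresh(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """Consent exists but is older than the refresh interval."""
        latest = self._latest(subject_id, purpose)
        return latest is not None and latest.action == "given" and now - latest.at > self._refresh_after

    def evidence(self, subject_id: str, purpose: str) -> List[dict]:
        """Chronological record the controller can produce to demonstrate consent."""
        return [asdict(e) for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose]


if __name__ == "__main__":
    # Constructed scenario: consent to two purposes, later withdrawal of one.
    ledger = ConsentLedger()
    ledger.record_given("user-42", ["newsletter", "analytics"], "web_checkbox_unticked_by_default",
                        "privacy-notice-v3", "We will e-mail you a newsletter...", at=utc(2018, 1, 10))
    ledger.record_withdrawn("user-42", "newsletter", "web_checkbox_unticked_by_default", at=utc(2018, 1, 12))
    for purpose in ("newsletter", "analytics"):
        print(purpose, ledger.is_lawful_by_consent("user-42", purpose, now=utc(2018, 1, 13)))
    print(ledger.evidence("user-42", "newsletter"))
```

The ledger deliberately answers only the consent question. If consent for a purpose is withdrawn and the controller believes another lawful basis applies, that has to be a separate, explicit decision recorded elsewhere, not a fallback hidden inside this check.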
See the 29WP Guidance on Consent here
If you would like any further information or assistance in ensuring GDPR compliance, please contact the Data Protection Officer.