IT and data

Valid consent within the framework of the General Data Protection Regulation

Published on 28th May 2018

DB_man_shield_briefcase

In accordance with the General Data Protection Regulation, consent still legitimizes the processing of personal data. However, in order to provide more protection and control over personal data, the General Data Protection Regulation has qualified the concept of consent by specifying the elements it should include in order to be considered valid.

As a result of the changes affecting the term "consent" within the framework of the General Data Protection Regulation ("GDPR"), the Article 29 Working Party – a body made up of data protection authorities from the European Union Member States – ("A29WP") has issued a number of guidelines in which it thoroughly analyses the meaning of the term "consent", with the aim of clearing up any doubts that may arise among anyone involved in processing data and having to determine the validity of the consent. Additionally, examines the additional requirements that a data controller should take into account when obtaining it. In this respect, consent will be considered valid when it a free, specific, informed and explicit declaration made through a written statement or a clear affirmative act.

To determine if the consent being granted includes these elements, this collegiate body describes and analyses each of the elements that make up the consent. Firstly, the A29WP reflects that consent can only be considered free when it gives the subject the power to choose. That is, the decision to grant or not consent is not conditional on anything or cause harm to the data subject. Likewise, this body highlights that in those cases in which a clear unbalance exists between a data controller and a subject (for instance, between an employer and an employee), it is difficult to consider that consent has been given with all the guarantees given the relationship of dependency existing between both parties. However, this does not mean that the possibility of consent to legitimize the processing of personal data does not exist within the framework of an employment relationship.

Additionally, the A29WP emphasizes the need for consent to be specific, whether it is for one or more purposes, informed and accurate, that is, it must not generate doubts. For the subject to make a decision on having their data processed one or more times, they must be provided, prior to having their data processed, with clear and straightforward information and, if possible, this should be done gradually. This body gives examples of situations in which specific consent to process data would be needed each time, as well as valid ways to provide this information or situations in which the consent being given is ambiguous because it would not fall under the category of a clear affirmative act; for instance, the act of scrolling to the bottom of a webpage.

In relation to the explicit consent needed to process special data, the A29WP states that these terms refer to the way in which subjects express and/or give their consent. One method to obtain a subject's explicit consent would be through a written statement, or, in a digital context, it could mean completing and sending a form by email.

Also, the guidelines set out by the A29WP emphasize some other additional measures, which the GDPR imposes on data controllers, aimed at guaranteeing and proving the validity of the consent, such as the explicit obligation that the data controller has in proving the validity of the consent given by the subjects o in facilitating the withdrawal of consent. As to the first measure, the A29WP does not provide a specific methodology, it only suggests, as an example, the possibility that the data controller keep a record of all given consents. In relation to the second measure, the A29WP highlights the need to offer subjects the possibility of withdrawing their consent making sure they can use the same method as when they gave their consent and as easily.

Lastly, this working party sets out a number of issues and specifications that must be taken into account in relation to the consent given by any subject under the age of 16, the consent given in relation to scientific research or the consent obtained within the framework of Directive 95/46/EC.

In light of these guidelines, issued by the A29WP, the principle of proactive responsibility by data controllers is established once again, since they will have to carry out a prior analysis to determine if consent has a legitimate basis that makes the processing of data lawful and, in that event, analyse if it complies with the GDPR.

Follow

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Connect with one of our experts

Interested in hearing more from Osborne Clarke?