Consent under the GDPR: things to keep in mind
Consent is one of the more well-known lawful bases of processing. At first glance, the concept of consent might seem quite self-explanatory: simply ask whether the data subject is willing to agree to the processing of his or her personal data. In practice, however, obtaining valid consent under the General Data Protection Regulation (GDPR) can prove quite challenging. That is why in this blog we take a closer look at some of the requirements pertaining to the use of consent as a lawful basis of processing.
Definition
Article 4 paragraph 11 of the GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
The definition of consent can be divided into four prerequisites:
I. Freely given
II. Specific
III. Informed
IV. Unambiguous indication of wishes
Each of these prerequisites shall be further explained below.
I. Freely given
Consent is freely given if the data subject has a genuine choice and control over the refusal or withdrawal of his or her consent. This is not always a given: certain circumstances can affect the ability of the data subject to freely give his or her consent. Consideration should therefore be given to the following preconditions:
Imbalance of power: An imbalance of power exists whenever it is unlikely that the data subject is able to refuse his or her consent without the fear of repercussions. Imbalances of power are likely to occur if the controller is either a public authority or an employer, because their relationship with the data subject is characterised by a high degree of dependency. Under those circumstances it is unlikely that the controller will be able to rely on the consent of the data subject as a lawful basis of processing.
Conditionality: Consent is presumed not to be freely given if consent is "bundled up" with a number of terms and conditions that are not necessary for the performance of the contract. In order to avoid this point of concern, the controller could offer an equivalent of the service that does not involve permitting the use of data for additional purposes.
Granularity: If data is being processed for more than one purpose, the data subject should be able to choose which purpose they are willing to accept. In other words, rather than having to consent to multiple purposes at once, the data subject should be able to give separate consent for each specific purpose.
Detriment: The data subject should be able to refuse or withdraw his or her consent without any repercussions. Moreover, the controller should be able to demonstrate that it is possible to refuse or withdraw consent without detriment.
II. Specific
Consent must be given in relation to one or more specific purposes. The aim of this prerequisite is to ensure that the data subject is in control: it is his or her consent that determines the purpose of the processing. If the controller wishes to use the data for a different purpose, it should either ask for additional consent or find another lawful basis that might better suit the situation.
III. Informed
For consent to be informed, the data subject should have access to certain pieces of information that would enable him or her to make an informed decision. To that end, the Article 29 Data Protection Working Party (WP29) is of the opinion that the controller should at least provide the following information to the data subject:[1]
- the controller’s identity;
- the purposes of the processing activities for which consent is requested;
- the types of data that will be processed;
- the existence of the right to withdraw consent;
- whether or not data is used for automated (individual) decision-making, including profiling; and
- the possible risks of data transfer operations, in particular where no adequacy decision and/or appropriate safeguards are in place to ensure an adequate level of protection.
IV. Unambiguous indication of wishes
Consent requires a statement from the data subject or a clear affirmative act, which means it should be given through an active motion or declaration. In addition, the act of giving consent should be distinguishable from other actions. Merely continuing to use a product and/or service is insufficient to infer the consent of the data subject.
Things to keep in mind
There is more to consent than might initially meet the eye. If consent is used as (the sole) lawful basis of processing, we recommend evaluating the consent forms in use, in order to ascertain whether or not they comply with the aforementioned criteria.
If you have any questions about obtaining valid consent under the GDPR, please do not hesitate to contact us.
[1] WP29, Guidelines on consent under Regulation 2016/679 (WP259), 28 November 2017, par. 3.3.1.