Dear clients and partners,
Again with GDPR in mind, we will examine consent as one of the six legitimate grounds for data processing.
By paying a lot of attention to the Regulation, partially due to the high fines it introduces, the media has provided a wide coverage of GDPR issues and key terms, including ‘consent’.
What do we know about consent so far? It is well-known that in order to be valid, consent should be:
- freely given – the data subject should have a genuine and free choice and be able to refuse or withdraw consent without detriment;
- specific – consent should refer to clear purpose and specified term for processing as well as to defined persons who will have access to the data;
- informed – the data subject should be informed at least of the identity of the controller and the purposes of the processing;
- unambiguous – it is necessary that consent is provided through a clear affirmative action – a statement or an act clearly showing that the data subject agrees to the processing.
Having briefly outlined these main features of consent validity, this publication will focus on further key aspects of the use of consent as а legal ground for processing, which are not as familiar, but which require some particular attention.
The meaning of consent as a ground for processing should not be taken too far, nor should its use be considered a panacea. There are a few reasons for that.
First, consent is only one of the six grounds for processing and its application is limited in case any of the other five legal grounds applies. For instance, consent should not apply when processing is required for the purposes of a contract. In such cases, using consent as grounds for processing is neither required, nor desirable. Remember – consent may be withdrawn! What would happen to contractual relations then…
Second, according to the understanding of the Working Party under Art. 29 (WP29), a processing activity for a specific purpose cannot be based on multiple lawful grounds. In this sense, when we process data on the grounds of consent, we cannot combine or “strengthen” consent with another legal basis, just in case the data subject withdraws their consent. Besides, if we have already started processing data on the grounds of consent, we cannot change those grounds later on. The reason is again the fact that consent may be withdrawn – a hypothesis that is non-existent with regards to the rest of the legal bases for processing.
Third, consent as a ground for processing depends on the context in which it is given. GDPR pays a special attention to the imbalance in the relations between the personal data controller and the data subject. Labour relations are just one of the many examples of such an imbalance. There is hardly a company not facing the issue of ensuring compliance of labour relations with the Regulation’s requirements. How much can we rely on consent in this context?
According to WP29, consent cannot be used as a legitimate ground here. The reason is in the imbalance between the parties and the impossibility for the employee, who constitutes a data subject, to make a free choice under fear or discomfort of potential adverse effects, which contradicts one of the main requirements for the validity of consent – the free choice.
The same example can be given with respect to the relations in which the controller is a public authority. In this case again it cannot be assumed that the data subject makes a realistic choice on whether to give their consent or not, insofar as the other party is in fact the stronger one. Such relations are marked by an obvious inequality in the context of which consent would not be valid.
Any type of influence or pressure on data subjects is considered to be an obstacle to making a free choice that deprives consent of validity and processing – of lawfulness. The controller should be able to prove at any time that consent is obtained without any threat of potential adverse effects in case of refusal.
Fourth, consent should be given separately for each and every purpose of processing. Even if the purpose recurs in certain periods of time, it is recommendable to renew the consent and inform the data subject of the processing again. It should not be assumed that once consent for processing for a particular purpose is given, it will be sufficient for subsequent data processing for other purposes.
Finally, if you imagine that obtaining consent involves some sophisticated terminology and complex language, you can relax. The information provided for the purpose of obtaining data subject consent should be simple and easy to understand by the average citizen. In this sense, exquisite legal style is in no way useful according to the GDPR.
In conclusion, we will highlight a key aspect of consent that will prove to be particularly beneficial to the online business environment – there is no legislative requirement for consent to be obtained in writing. Various techniques, particularly those related to IT solutions, would allow for consent to be accepted as explicit and therefore valid. The European legislator has provided data controllers with the opportunity to obtain consent through various manners and means, including by ticking a checkbox upon visiting a website, adjusting online service settings, etc.