
25 JANUARY 2018

DO YOU GET GOOSEBUMPS FROM GDPR? HOW TO ACQUIRE CONSENT TO PROCESSING OF PERSONAL DATA

 

Author of the article

Juraj Ondrejka

Partner

What is consent, actually?

Consent is one of the numerous legal bases for the processing of personal data. Alongside consent, GDPR also distinguishes processing necessary for the performance of a contract, a legal obligation, a vital interest, a task carried out in the public interest and the legitimate interest of the organization.

GDPR does not substantially change the basic parameters of consent. However, it widens the requirements for its acquisition. Under the current legislation, consent to the processing of personal data has been a kind of “priority” legal basis, and exceptions then specified when the data could be processed without consent. GDPR demolishes this concept and puts consent on the same level as the other legal bases. When determining the legal basis, it is also recommended to look first for one of the other legal bases, such as the performance of a contract or a legal obligation, and to request consent to the processing of personal data only where no such legal basis can be determined.

If it is impossible to determine another legal basis for the processing of personal data, bear in mind that processing based on consent is one of the most complicated options because of the requirements imposed by GDPR. Why?

Consent must be freely given

It is clear from the word “free” itself that the person who provides consent to the processing of personal data must have a real free choice and control. As a general rule, GDPR provides that if the person concerned does not really have a free choice, feels forced to consent, or may face problems as a result of not consenting, the consent is not valid.

Such situations may arise, for instance, when an employer requests consent to the processing of personal data from an employee. It is unlikely that an employee would react freely and without a feeling of pressure to an employer’s request for consent to, for instance, the activation of a camera monitoring system at the workplace.

Consent must be given for a specific purpose

The consent acquired must make clear for which purpose the personal data are provided and in what scope they will be processed. If there are several purposes of processing, consent must be given to all of them.

Let's use a practical example. An operator acquires consent to the sending of its usual commercial offers to a customer and, for this purpose, acquires the customer's email address. The address can only be used for this purpose. If the operator wants to send a personalized email offering products that it supposes the customer may be more interested in, it needs the customer's specific consent.

Consent must be informed

To meet this requirement, it is necessary to provide the person concerned with at least information about:

  • the identity of the organization processing data,
  • the purpose of each processing activity, for which consent is requested,
  • the type of data that will be processed,
  • the existence of the right to withdraw consent at any time,
  • the use of personal data for solely automated decision-making including profiling,
  • the possible risk of personal data transfer to third countries.

Providing this information before consent is acquired is important so that the person concerned can decide, understand what they are consenting to, and exercise the right to withdraw consent in the future.

However, the essential fact is that GDPR emphasizes the method of compliance with the information obligation. The information must be formulated clearly and in plain language understandable to anyone, not only to lawyers. Thus, it is not possible to comply with this obligation by using long and incomprehensible sentences full of legal terminology, or by “hiding” the information somewhere in the general terms and conditions.

Consent must be explicit

When consent is given, there must be no doubt that the person concerned consents to the processing of personal data. It is not possible to acquire consent by the same act by which a contract is concluded or the terms and conditions of the operator are accepted.

In general, signing consent in writing, ticking a box in a paper or electronic form (so-called opt-in), expressing consent by sending an email and similar acts will be considered valid consent. By contrast, valid consent cannot be given by silence, by including consent in a contract or by an already ticked box (so-called opt-out).

GDPR does not prescribe any specific form

GDPR does not provide any specific form for consent to the processing of personal data. However, the operator must be able to prove that consent was acquired. Therefore, acquiring consent orally without issuing any confirmation, for instance in the form of an audio record, will not be sufficient. The written form is the main one considered, and it does not have to be on paper; it can also be electronic. Consent given electronically and recorded via logs or attributes in electronic databases is also provable.

In case of a dispute, the burden of proof of valid consent is on the operator.

 

