Guidelines on consent under Regulation 2016/679

The Guidelines on consent under Regulation 2016/679 provide a thorough analysis of the notion of consent.

Controllers must always consider which lawful ground is appropriate for the processing. Consent remains one of six lawful bases to process personal data, as listed in Article 6, GDPR. The data subject shall have a genuine choice with regard to accepting the terms offered or declining them without detriment, thus exercising control over whether or not her personal data will be processed.

Consent is defined in Article 4.11, GDPR. Further guidance as to how the controller must act to comply with the main elements of the consent requirement may be found in Article 7 and in recitals 32, 33, 42, and 43, GDPR.

The Guidelines provide useful practical examples that help controllers ensure compliance with the GDPR and gain data subjects’ consent.

The document also explains that consent obtained under Directive 95/46/EC continues to be valid in so far as it is in line with the conditions laid down in the GDPR. Controllers are not automatically required to completely refresh all existing consent relations with data subjects in preparation for the GDPR.

Consent in Article 4.11, GDPR. The Guidelines explain the different elements of a valid consent given by the data subject, which shall be:

– freely given,

– specific,

– informed and

– unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Explicit consent. Under the GDPR, explicit consent is required in certain situations where serious data protection risks emerge (processing of special categories of data, data transfers to third countries or international organizations in the absence of adequate safeguards, and automated individual decision-making, including profiling). In these instances, the GDPR prescribes a “statement or clear affirmative action” to show consent. As the GDPR’s “regular” consent requirement is already raised to a high standard, the Guidelines clarify what extra efforts a controller should undertake in order to obtain “explicit consent”.

A written statement is not the only way to obtain explicit consent. For example, in the digital or online context, a data subject may be able to issue the required statement by filling in an electronic form, by sending an email, by uploading a scanned document carrying the signature of the data subject, or by using an electronic signature. In theory, the use of oral statements can also be sufficiently express to obtain valid explicit consent.

Demonstrate consent. The GDPR clearly outlines the explicit obligation of the controller to demonstrate a data subject’s consent. The burden of proof will be on the controller (Article 7.1, GDPR).

The Guidelines provide guidance on the additional requirement to demonstrate valid consent and on withdrawal of consent.

Additional protection. Finally, the Guidelines explain the additional obligations concerning the specific areas of concern indicated in the GDPR, such as where children’s data are processed (Article 8, GDPR).

The Guidelines on consent under Regulation 2016/679 are available at http://ec.europa.eu…

See also Article 29 Data Protection Working Party, Opinion 15/2011 on the definition of consent