November 8, 2023
One of the basic principles of personal data processing under the EU’s General Data Protection Regulation (“GDPR”) is the lawfulness principle: every processing of personal data must rest on a lawful basis. The basis most commonly relied upon is the “consent” of the data subject. However, how consent is regulated, and what conditions it must fulfill to be considered valid under the GDPR, is not entirely straightforward. This article aims to provide a general view of how consent is governed under the GDPR and to answer some frequently asked questions.
Consent is defined in the GDPR as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.[1] To break it down, for consent to be considered valid under the GDPR, it must be (1) freely given, (2) specific, (3) informed, and (4) unambiguous.
All of these elements are very general and could lead to misunderstandings in application. As such, this article explains each element of a valid consent in turn below.
Under normal circumstances, something being “freely given” or “voluntary” is generally understood as being done of one’s own free will, without any threats. However, the GDPR’s interpretation of “freely given” is much stricter. Consent is not “freely given” if any form of coercion is involved. If a penalty or other negative effect is imposed on the data subject for not consenting, or for withdrawing consent, to the processing of personal data, then any consent obtained is not valid. An imbalance of power between the data subject and the data controller (state authority vs. citizen, employer vs. employee, etc.) is also taken into account when assessing whether consent was freely given.
Example 1: Company A offers a news subscription service to its customers. Company A collects the location data and the marital status of its users. Such data is not necessary for the provision of the service; however, Company A requires that the user consent to the processing of such data or else it will not provide the service. In this case, there is clear coercion by Company A, and the data subject suffers a negative effect (not being able to use the service) if he/she does not consent to the processing. Company A therefore cannot obtain any valid consent under the GDPR.
Other aspects of the “freely given” element include conditionality and the ability to select specific processing purposes. If the data subject’s consent is made a condition of a service for which that processing of personal data is not necessary, such consent is not considered freely given. The same applies where there are multiple processing purposes and the data subject cannot consent to each of them individually.
Example 2.1: Company A offers an online reading service in which customers can search and read books on Company A’s website. Company A also offers a book recommendation service, for which it collects the personal data of the customers (their reading habits, favorite books, etc.) in order to recommend new books to them. If Company A asks for a customer’s consent to process his/her personal data for the book recommendation service and the customer refuses, Company A cannot refuse to provide the online reading service as well, since that service does not require the personal data being asked of the customer. If Company A states that it will not provide any service unless the customer consents to the data processing, any consent it obtains from its customers is invalid, since it was not freely given.
Example 2.2: Company A provides mailing services. In its consent form, Company A lists a number of different purposes, such as providing the services, conducting marketing, etc., and requires the customer to consent to all of them. In this case, consent is not freely given, since the data subject was not given the choice to consent to individual purposes; he/she can only choose between consenting to all of them or none of them.
Specific consent refers to consent given to the processing of personal data for specific purposes. As mentioned above, all purposes must be listed, and the data subject must be able to consent to each purpose individually. Also, to satisfy the “specific” element, the request for consent must be presented in a manner that is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.[2] These requirements ensure that the data subject’s consent is as accurate and as narrowly scoped as possible, and prevent the controller from blurring or widening the scope of the consent beyond what the data subject intended. This also supports the purpose limitation principle of the GDPR.[3]
Example 3: Company A collects data about the internet history of its customers to provide a personalized news service. Company A asks for the data subject’s consent for this specific purpose. After a while, Company A also wishes to use the personal data collected to advertise certain products to the customers while they are using Company A’s service. The purpose of “advertising products” is not part of the “providing a personalized news service” purpose to which the customers initially consented. As such, if Company A wishes to use the personal data for that purpose, a new consent request must be made for that specific purpose.
For consent to be considered valid under the GDPR, it is essential that the data subject is informed of certain information regarding the data processing. In Guidelines 05/2020 on consent, the European Data Protection Board (“EDPB”) states that at least the following information is required to obtain valid consent: the controller’s identity; the purpose of each of the processing operations for which consent is sought; what (type of) data will be collected and used; the existence of the right to withdraw consent; information about the use of the data for automated decision-making, where relevant; and the possible risks of data transfers due to the absence of an adequacy decision and of appropriate safeguards.
Regarding the controller’s identity, multiple controllers can rely on one original consent, however, the data controller should inform the data subject of all controllers who will receive the data when obtaining the consent.
Example 4: Company A wishes to share the personal data of its employees with Company B for Company B’s own purposes. If Company B wishes to rely on the original consent obtained by Company A, then that consent must have listed Company B as a recipient of the personal data and presented Company B’s processing purposes for the data subject to consent to.
Consent must be given in the form of a statement or a clear affirmative action of the data subject, and it must be apparent that the data subject has in fact consented. The forms of consent are very diverse: a written record, an oral statement, the ticking of a box, or other physical and electronic means. By contrast, ambiguous forms of “consent” such as silence, non-response, pre-ticked boxes, or continued use of a service cannot be regarded as valid under the GDPR.
Example 5.1: Website A states in the Privacy Notice at the top of its page that “by proceeding to use the services of Website A, you are agreeing to the processing of personal data by Website A”. In this case, even if the user continues to browse Website A after seeing this Notice, the data subject cannot be considered to have given valid consent. Furthermore, it would be difficult to provide a method for the data subject to withdraw consent, since under the GDPR data subjects must be able to withdraw consent as easily as they gave it.
Example 5.2: In October 2019, the Court of Justice of the European Union (CJEU), the EU’s highest court, decided the “Planet49” case. Planet49 was an online gaming company based in Germany. In 2013 the company organized a lottery in which participants had to enter their personal information to take part. The input fields were accompanied by checkboxes, one of which was pre-checked. The German Federation of Consumer Organisations objected to this practice. The case eventually reached the CJEU, which ruled on 1 October 2019 that consent is valid only if it is actively and specifically given by the data subject; a pre-ticked checkbox does not constitute consent. The Court also held that consent is only valid if the data subject has been informed about the nature of the cookies, such as their duration and whether third parties have access to them.[4]
Consent is only one of six lawful bases for the processing of personal data. The remaining lawful bases, which allow personal data to be processed in the absence of consent, are:[5] performance of a contract with the data subject (or steps taken at the data subject’s request prior to entering into a contract); compliance with a legal obligation to which the controller is subject; protection of the vital interests of the data subject or of another natural person; performance of a task carried out in the public interest or in the exercise of official authority; and the legitimate interests pursued by the controller or a third party, where these are not overridden by the interests or fundamental rights of the data subject.
Aside from “normal consent”, a more rigorous form of consent, referred to as “explicit consent”, is required under the GDPR where special categories of personal data are processed,[6] where personal data is transferred to a third country without an adequacy decision or appropriate safeguards,[7] or where automated individual decision-making, including profiling, takes place.[8]
Explicit consent must be in the form of an express statement of consent. The goal here is to remove all possible doubts regarding the consent of the data subject and to safeguard the proof of consent. Explicit consent could be expressed in the form of a signed written statement, an online form, an email, or an electronic signature, etc.
Example 6: Hospital A collects the health data of a patient (a special category of personal data pursuant to Art 9.1 of the GDPR). Before collecting such data, Hospital A asks the patient to sign a consent form showing that the patient has indeed consented to the processing of his/her health data. This consent form is then retained and can be used by Hospital A to demonstrate compliance.
The GDPR states that the controller must ensure that the data subject can withdraw consent to the processing of his/her personal data as easily as he/she gave it. If the data subject is not informed of the right to withdraw consent, or if withdrawal takes more effort than giving consent, then the consent is not valid, since the right to withdraw is a component of the “informed” element that makes up a valid consent. There must also be no penalty imposed on the data subject for withdrawing.
If consent is withdrawn, all processing based on that consent which took place prior to the withdrawal remains lawful. If there is no other lawful basis for the processing, the personal data should be deleted. If the processing also rests on lawful bases other than consent, the data may still be processed after consent has been withdrawn. However, the data subject must have been informed of all of these lawful bases for the processing of his/her personal data.[9] As such, the controller cannot silently change the lawful basis for processing when the data subject withdraws consent, even if the new lawful basis is valid; any such change must be notified to the data subject.
Example 7: Company A signs a contract with a client under which the client’s personal data is necessary to perform the contract. Company A also has the client sign a consent form allowing Company A to process the client’s personal data. In this case, the lawful bases for the processing are consent and performance of the contract, and both were communicated to the client when the personal data was collected. After a while, the client decides to withdraw his/her consent. Company A must make it possible for the client to withdraw consent via a form or another method that is as easy as signing the original consent form. However, since the lawful basis of contract performance still exists, Company A may continue to process the client’s personal data for the performance of the contract. If Company A had not informed the client of the contract performance basis when collecting the personal data, it must do so in order to continue processing the client’s personal data.
The data controller has the obligation to demonstrate the data subject’s consent. In other words, in a dispute regarding consent to data processing, the burden of proof is on the data controller, not the data subject. The data controller must be able to prove that the consent was given by the data subject and that it was valid under the GDPR. This can be done via a physical or electronic record.
Example 8: Company A processes the personal data of its clients and asks for the clients’ consent via a paper form. These forms should be stored in a secure location with appropriate security measures so that they can be used as evidence should any dispute regarding consent arise. In such a dispute, Company A has the obligation to prove that the consent was given by its clients and that it complied with the provisions of the GDPR.
In all, consent under the GDPR lies at the heart of how personal data is collected. Since a single consent form is typically applied to every data subject of a controller, a defect in its design or management is repeated across all of them; controllers should therefore pay great attention to how consent is designed and managed, to avoid violations on a large scale with far-reaching consequences.
PrivacyCompliance provides solutions related to ensuring compliance with personal data regulations, assessing the impacts of personal data processing, drafting impact assessment dossiers, and cross-border data transfer dossiers.
[1] GDPR Art 4.11
[2] GDPR Art 7.2
[3] GDPR Art 5.1(b)
[4] CJEU, Case C-673/17 Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände, judgment of 1 October 2019; see also Cookiebot, ‘Active consent and the case of Planet 49’ <https://www.cookiebot.com/en/planet49/> accessed 9 September 2023.
[5] GDPR Art 6.1
[6] GDPR Art 9.2(a)
[7] GDPR Art 49.1(a)
[8] GDPR Art 22.2(c)
[9] GDPR Art 13.1(c) and Art 14.1(c)