Obtaining Consent from Data Subjects in order to process their data has long been an area of ambiguity, open to broad interpretation across EU Member States. The GDPR certainly tightens the rules and clearly defines Consent. However, there are still areas where further guidance is being sought and areas which may still be open to interpretation. Here is our 10 point quick guide:
1. Definition of Consent
The GDPR defines Consent and states that it must be “freely given, specific, informed and unambiguous” and it must be given by a “clear affirmative action by the data subject”. Furthermore the regulation stipulates that different types of data require different consent. It is not permitted to present individuals with an all or nothing approach. It’s also specified that Consent is not be valid where there is “a clear imbalance between the data subject and the controller”.
2. Inactivity Inadequate
When Controllers are gaining Consent, GDPR presumes “silence, pre-ticked boxes or inactivity” to be inadequate. The UK Regulator already takes a dim view of pre-ticked boxes. In the ICO’s Direct Marketing Guidance (March 2016) it states: a pre-ticked box will not automatically demonstrate consent, as it will be hard to show that the presence of the tick represents a positive, informed choice by the user. This will be further tightened under the GDPR, and organisations won’t be able to rely on inactivity to gain consent, i.e. an individual simply not responding to a communication.
3. Transparency and Consent
It is clearly set out in the Regulation that Consent must be specific for each data processing operation. Controllers are required when gaining Consent to make clear what different processing operations they will be undertaking. This must be provided “in clear intelligible and easily accessible form, using clear and plain language”. Controllers are only exempted from obtaining Consent for subsequent processing operations if it can be demonstrated these are “compatible”. This compatibility is based on factors such as; the link between processing purposes, the reasonable expectations of the Data Subject and the existence of appropriate data safeguards.
4. Withdrawing Consent
The GDPR gives Data Subjects the right to withdraw Consent at any time, and it must be as easy to withdraw Consent as it is to give it. Data subjects must be made aware of their right to withdraw Consent prior to giving it. This means organisations must ensure, upfront in their Privacy Notices, they clearly and transparently inform Data Subjects of their right to withdraw Consent.
5. No Conditions for Consent
Controllers cannot make a service conditional upon Consent, unless the processing involved is necessary for that specific service. It is not compliant with the Regulation to tie a Data Subject into giving Consent to any additional processing (e.g. the receipt of marketing communications) other than that which is necessary for the performance of a contract/service.
6. Proof of Consent
Data Controllers must be able to clearly demonstrate a Data Subject’s Consent was obtained lawfully. Controllers will need to ensure they maintain records of how personal data was collected. A clear audit and record of what statements individuals agreed to will be required. Failure to keep adequate proof of Consent will in itself be a breach of the Regulation.
7. Children’s Consent
Parental Consent must be obtained for the processing of children’s data. Children are classed as anyone under the age of sixteen. However, individual EU Member States will be able to lower this, but to no younger than thirteen. Under the current UK Data Protection Act (1988) there is no specification of the age at which children are legally able to give consent for the processing of their personal data. Under current ICO guidelines it is recommended that parental consent should be sought when collecting data from children up to the age of 12, but the guidance does say there may be instances where parental consent is required for older children. This will change under the GDPR, even if the UK adopts the lowest permitted age of thirteen. Social media platforms and other website operators will need to consider how they obtain consent from parents and ensure their Privacy Notices are written in such a way that that they can be clearly understood by a child.
8. Profiling and Consent
The GDPR puts a number of restrictions on profiling – the automated processing of personal data to make decisions about individuals. Furthermore it gives Data Subjects significant rights to object, stop and avoid profiling based decisions. This includes the automated processing of data and using that data to assess personal aspects such as health, personal preferences and location. For general profiling, at the point of collection of data, organisations will need to inform Data Subjects that profiling will occur and that they may object. In addition they will need to explain the “logic involved” and the “envisaged consequences of such processing”. Profiling with “legal” or “significant effect” will need explicit consent unless it is necessary for the performance of a contract. Explaining this in a clear and transparent way is a challenge Controllers will need to overcome to comply with the new Regulation.
9. Special Categories of Data
The GDPR requires specific types of more sensitive data are subject to tighter conditions of Consent – explicit Consent will be required for Special Categories of Data. Two new categories of data; genetic and biometric have been added to the list of what was previously known as Sensitive Data. This includes: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life and sexual orientation. Data regarding criminal records will also be subject to stricter rules made at a State level.
10. Legitimate Interest
It is still possible for Controllers to process data without relying on Consent on the grounds of legitimate interest. The Data Subject must be made aware of the legitimate interests being pursued by the Controller or a by a third party, when his or her data is collected. The Regulation does specifically recognise that processing of data for Direct Marketing purposes can be considered as a legitimate interest. However, Controllers are required to balance their legitimate interests with the data protection rights of Data Subjects, especially if the data subject is a child. Direct Marketing is not defined in the Regulation, so Controllers will need to assess in detail the precise nature of their proposed marketing activity in order for it to be covered by legitimate interest grounds. See the DPN’s Guidance on using Legitimate Interests under the GDPR.
June 2016
Copyright DPN
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.