Within the vast range of changes implemented by the General Data Protection Regulation (GDPR), the scope of consent is mentioned as one of the most controversial. The GDPR lists several bases for personal data processing, including consent of a data subject or legitimate business purpose of a data controller. Here we present a brief overview of the requirements regarding consent for data processing (excluding the consent of children, which will be discussed separately).
Consent may, among other things, constitute the basis for the processing of ordinary and sensitive personal data, as well as for the processing of data concerning convictions. Nevertheless, it is important to remember that the processing of ordinary data is generally allowed if one of the conditions listed in the GDPR is fulfilled, while the processing of sensitive data is generally forbidden unless there is explicit consent or one of the other conditions listed in the GDPR is fulfilled. Processing of personal data relating to criminal convictions and offences can be based on consent. However, such processing shall be carried out only under the control of the authority or when the processing is authorised by law that provides appropriate safeguards for the rights and freedoms of the data subjects.
Generally, according to Article 4 sec. 11 of the GDPR, consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes signifying his or her agreement to the processing of personal data relating to him or her. Such wishes may be expressed by way of a statement or a clear affirmative action, such as, for example, written, electronic or oral statements, ticking a box when visiting a website, choosing technical settings for information society services, or other statements or conduct which clearly indicate the data subject’s acceptance of the proposed processing of his or her personal data. It should be emphasized that silence, pre-ticked boxes or the absence of action should not be understood as constituting consent.
Consent should be freely given, i.e. the data subject should not be placed under any pressure (including social, financial or psychological). It should be noted that it is not permissible to make the conclusion of an agreement or the provision of services conditional upon the granting of consent to the data processing if such processing is not necessary to perform the agreement or provide the services.
Consent needs to be specific. It must cover all processing activities carried out for the same purpose or purposes. In the case of multiple purposes, acceptance should be granted for all of the purposes. Any blanket consent, which does not clearly specify the scope of data or the purposes of the processing, will not be effective. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the services for which it is provided.
Consent should be informed. The data subject should obtain all necessary information required under the GDPR. The key factors which impact the decision whether or not to grant the consent include the identity of the data controller, the purpose of the data processing, the identity of the data recipients, any transfer of data outside the EEA, the retention period and the consequences of the refusal to grant consent.
Proving and Revoking Consent
The data controller has the obligation to demonstrate that consent was given. However, the data subject has the right to revoke his or her consent at any time. Prior to giving consent, the data subject must be informed of this right and any revocation must be as effortless as the action of granting consent.
Any existing consent may continue to be effective, provided that the new, specified conditions are fulfilled.
If the consent is to be granted in a written declaration which also covers other matters, the request for consent needs to be presented in a manner that is clearly distinguishable from the other matters in an intelligible and easily accessible form, and using clear and plain language.
Member states may introduce more specific regulations on the use of consent regarding employment and such regulations are currently in the works.
Because it is crucial to understand the terms and conditions of obtaining consent and the consequences of data processing on the basis of the GDPR, European bodies for the protection of personal data are jointly developing a set of guidelines on specific solutions and instruments under the GDPR within the scope of the Article 29 Working Party. Comments are being welcomed and anyone wishing to express an opinion on consent may send comments in Polish to the Polish Data Protection Authority Office, or email firstname.lastname@example.org, by May 12, 2017.
If you have any questions or concerns, we are at your disposal.