Toolkit for the EU GDPR: 2) Consent

This note is an overview of the requirement of obtaining consent from the data subject when processing their personal information under the GDPR. Companies who will be processing personal data (within the scope of the GDPR) should consider what personal information they hold and on what lawful grounds.

 

 

• Consent

• How should you obtain consent?

• Accountability and documentation

 

Consent

Consent means offering people genuine choice and control over how you use their data.  The GDPR sets out circumstances where you are able to process personal data without consent. These are where:

 

• Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
• Processing is necessary for compliance with a legal obligation
• Processing is necessary to protect the vital interests of a data subject or another person
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject

 

If you are not processing personal data for one of the above purposes you will need the individual's consent. Please note, if you can process data for one of the above reasons, asking for consent may be considered to be misleading and therefore unfair. Further, as obtaining consent may be difficult, if you can process data under one of the lawful reasons above than you should do so. If you rely on consent, this will also affect individuals' rights. People will generally have stronger rights when processing their data is based on consent (for example, the right to be forgotten and the right to data portability).

 

If the individual is under the age of 16 you will require parental consent to process their personal data. This age requirement may be reduced to 13 in the UK.   

 

Please note there are different criteria for the processing of special information including the need to have explicit consent.

 

Even if you are not asking for consent, you will still need to provide the individual with clear information setting out why their data is processed, how their data is processed and by whom.

 

How should you obtain consent?

If it is appropriate to ask for consent (please see above), the GDPR sets a higher standard for consent and requires consent to come from a form of positive opt-in. Therefore use of pre –ticked boxes or consent by default (i.e. consent within standard terms and conditions) will no longer be considered valid. You are also required to clearly notify the individual that they are able to withdraw their consent (and how to do it) and the individual should not be penalised if consent is not provided or withdrawn.

 

Consent should:

 

• Be positive (the individual must complete some positive action (clear affirmative act) to authorise consent)
• Be clear what the individual is consenting to (vague or blanket consent will not be enough and any request for consent should be in clear and plain language)
• Be freely given (if there is unequal powers of the parties i.e. employer and employee relationship there is a risk that any consent may not be freely given and therefore you should seek to rely on another lawful reason to process personal data)
• Be separate from other terms and conditions
• Include any third parties who will also rely on the consent
• Should not be a pre-condition to entering into a service (unless it is required to complete that service - please see above which sets out where you can lawfully process personal data without consent)
• Should be given with clear understanding that consent can be withdrawn without any penalties to the individual
• Should be given after the individual has been made aware of the information required to be provided under the GDPR

 

You will not have to re-obtain an individuals' consent when the GDPR is implemented in May 2018 provided that the consent you hold (if you need consent to process the personal data) is in line with the GDPR requirements which have been briefly summarised above. If the consent you have is not GDPR compliant i.e. you obtained consent through a pre-ticked box, you will be required to re-obtain the individual's consent. This should be obtained before 28 May 2017 or you should stop processing the personal data.

 

Accountability and documentation

The GDPR creates an accountability obligation where you must be able to demonstrate your compliance with the GDPR through evidence.  This requires more than having policies in place. You should consider providing regular training for your employees on the data protection matters, testing that your policies are effective (and using any test results to demonstrate continuous improvement), ensuring the technology you use is sufficient to ensure compliance and maintain documentation which evidences your compliance with the GDPR.

You must be able to show that the individual has consented to the use of their personal data. Therefore you should hold records of how the individual has consented and specifically what they have consented for. You should retain a copy of their actual consent (if possible). Further you should have a clear policy dealing with withdrawal of consent of any individual (which must not be onerous in nature).