On November 28, 2017, the Article 29 Data Protection Working Party published guidelines (“the Guidelines”) that provide a thorough analysis of the notion of consent in Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, the General Data Protection Regulation (“GDPR”). The regulation repeals Directive 95/46/EC and will be fully effective from May 25, 2018.

According to the GDPR, consent is one of the six legal bases for lawfully processing personal data. Article 4(11) GDPR defines consent as follows: “consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

The Guidelines identify a series of key elements when assessing if the consent of any data subject is valid under the GDPR:

  • Unambiguous: consent requires an unambiguous statement by the individual, or a clear affirmative act by him or her. In this regard, consent based on silence, inactivity and the use of pre-ticked opt-in boxes is invalid. Neither can consent be obtained through the same motion as agreeing to a contract or accepting general terms and conditions of a service.
  • Freely given: consent will be invalid when there is an imbalance of power—e.g., between employer and employee—or if it is bundled up as a non-negotiable part of a contract. Separate consent must be given to each different personal data processing operation.
  • Specific: consent of the data subject must be given in relation to “one or more specific” purposes.
  • Withdrawal of consent: the data subject has the right to withdraw his or her consent at any given time, without detriment.
  • Informed: it is understood that the data subject has given his or her consent after being fully informed with at least the following information: (i) the controller’s identity; (ii) the purpose of each of the processing operations for which consent is sought; (iii) what (type of) data will be collected and used; (iv) the existence of the right to withdraw consent; (v) information about the use of the data for decisions based solely on automated processing, including profiling; and (vi) if there will be an international data transfer.
  • Clear and distinguishable: when seeking consent, clear and plain language must be used in all cases, bearing in mind the targeted audience. When consent is requested as part of a contract, the request for consent should be clearly distinguishable; it may not be hidden in general terms and conditions.

When organizations are required to obtain explicit consent—e.g., on the processing of special categories of data and on personal data transfers to third countries—the data subject must give an express statement of consent. In the electronic context, the party concerned can provide an express statement of consent by sending an email, filling in an electronic form, uploading a scanned document or by using an electronic signature.

Authors:

Associate

ane.alonso@cuatrecasas.com

Counsel

Alejandro Negro

alejandro.negro@cuatrecasas.com