Consent has long been an important term in the world of data governance and is an important tenet of data protection law. Obtaining consent from an individual to process their data is one ways of establishing a legal basis for data processing. With the GDPR approaching, companies will have to ensure that the consent received from subjects is in line with the GDPR standards. To this end, the GDPR provides a much-needed, updated definition of consent, defining it as:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Evidently, to comply with the GDPR regulations, consent needs to be:
Freely given
Consent needs to be obtained freely without coercion. Providing consent should be a genuine choice of the data subject; they should not have been intimidated or misled into providing it. Consent will not be considered freely given if:
- the data subject has no genuine choice in providing consent or can not easily and without detriment withdraw consent.
- There is a clear imbalance between controller and data subject (e.g. employer and employee).
- The performance of a contract is made conditional on the subject’s consent to data processing activities which are not required for the performance of the contract.
Specific
Consent must be obtained for specific processing operations. It needs to be given (separately) for all specific processing operations covering all purposes. Blanket consent for unspecified data processing operations is not valid consent.
Informed
The request for consent should be easily distinguishable from other matters and presented in clear and plain language. A consent request can therefore not be wrapped up in a wider set of terms and conditions. Furthermore, for consent to be informed, the data subject should at least be informed about the extend to which they are consenting, the identity of the controller and the nature of the processing prior to giving consent. This should be explained in and intelligible and easily accessible form. Finally, the subject should be explicitly informed about their right to withdraw consent at any time and about their right to be forgotten.
Unambiguous
The way in which consent is obtained, should leave no room for doubt about the subject’s wishes and intentions when consenting. When consent is obtained for data that will be processed for multiple purposes, it must be established without a doubt that the subject agrees to all purposes. The controller must also be able to demonstrate that the data subject has provided consent, meaning that records need to be kept for verification.
Signified by a statement or clear affirmative action
Affirmative action is required for consent to be considered freely given, specific, informed and unambiguous. Consent can be obtained by any appropriate method such as verbally, in writing or by ticking a box. Note that silence, pre-ticked boxes or inactivity do not constitute consent. Important is also to consider that the method of withdrawing consent should be as easy as giving consent.