Key References:

Consent

  • Pursuant to Art. 6(1)(a), consent is one of the six available lawful bases for processing personal data.
  • The GDPR provides specific criteria that must be met for consent to be valid.
  • Art. 4(11) defines consent.
  • Art. 7 provides conditions that are necessary for consent to be valid.
  • Recitals 32, 42 and 43 further expand on the Art. 7 conditions for valid consent.

Art. 6: Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

Art. 4(11) on definition of consent:

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Art. 7 – Key elements:

  • Controllers are required to demonstrate the data subject’s consent.
  • To obtain consent, the information on processing must be presented to the data subject in “an intelligible and easily accessible form, using clear and plain language”.
  • Data subject has the right to revoke or withdraw consent at any time.
  • The ability to withdraw consent should be as easy as the ability to give consent.
    • WP29 states that while the GDPR does not require giving and withdrawing consent through the same action, when consent is obtained through only one mouse-click, swipe, or keystroke, then data subjects must also be able to withdraw consent equally as easily.
    • Furthermore, data subjects should not have to suffer any detriment in revoking consent; the controller should therefore attempt to make consent free of charge or without lowering service levels. (WP29 Guidelines on consent, section 5.2)

Key Elements of Recitals 32, 42, 43

  • Recital 32.1 states that, “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
  • Freely given
    • Recital 42.5 states that, “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”
    • Recital 43.1 states that consent may not be the appropriate lawful basis “where there is a clear imbalance between the data subject and the controller”. Generally, in such situations the data subject may not be able to refuse consent. Examples of such a power imbalance include public authorities and employer-employee relationships.
  • Specific
    • Consent is required for each specific purpose of processing. No blanket consent for multiple purposes.
    • Recital 32.5 states that, “When the processing has multiple purposes, consent should be given for all of them”.
  • Informed
    • Recital 42.4 states that, “For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.”
    • Informed consent is generally achieved by providing data subjects with a privacy notice that meets the requirements of Arts. 13, 14. Informed consent is a corollary of the Transparency principle under Art. 5(1)(a).
  • Unambiguous
    • Recital 32.3 states that, “Silence, pre-ticked boxes or inactivity should not therefore constitute consent”.
    • The data subject must take a clear affirmative act, such as marking, ticking or checking a box. This means a positive opt-in is generally a requirement under the GDPR, unless exceptions apply.

Recording and Managing Consent:

  • Controllers must be able to demonstrate a data subject’s consent under Art. 7(1) and Recital 42.
  • WP29 Guidelines on consent under Regulation 2016/679 state that there is no specific time limit for expiration of consent. It depends on the context, the scope of the original consent and the expectations of the data subject. WP29 recommends that consent should be refreshed at appropriate intervals so that data subjects remain well informed about the processing of their data.
  • The UK ICO provides practical tips and a checklist for controllers to record and manage consent.