The consent requirements of the GDPR are relatively easy to understand, but perhaps more difficult to implement. You may encounter technical hurdles or difficulty balancing your business needs with GDPR compliance requirements. Completing your data protection impact assessment can help. Here's how you can talk to a GDPR lawyer. GDPR compliance is an ongoing process. Read our GDPR checklist to make sure your business is above board. Can you use options other than consent? Quite possibly. In fact, for ANY data processing activity, you should ask yourself what the best legal basis is: is it consent, or is it another basis? In practice, however, there will always be personal data processing activities for which consent is the only or the best option. You should regularly review your consents and consider refreshing them at reasonable, user-friendly intervals.
For more information, see How to manage consent? The ICO takes the view that it may still be possible to incentivise consent to some extent. Consent to processing usually carries some benefit. For example, if joining a retailer's loyalty programme gives access to discount coupons, there is clearly an incentive to consent to marketing. The fact that this service is not available to those who do not sign up does not amount to a detriment for refusing. However, you must be careful not to cross the line and unfairly penalise those who refuse consent. The use of the data must not go beyond what is set out in that consent. This still does not answer the question of what information must be provided when informed consent is obtained (and the list above is not exhaustive). Read what WP29 says about informed consent: in addition to setting out the nature of the information and the essential principles of informed consent, it gives many guidelines on the form and manner in which the information should be provided to the data subject. In line with the updated European Data Protection Board guidelines on consent, controllers are free to develop their own methods of proving consent in a way that does not interfere with their day-to-day operations. However, this should not lead to excessive processing of additional data by controllers. This means that organizations should hold enough data to prove that consent has been obtained, but they should not collect more information than necessary, in order to respect data minimization.
The GDPR does not contain specific provisions on the capacity to consent, but capacity issues are bound up with the notion of "informed" consent. If you have more than one purpose for a data processing activity, you must obtain consent for each of those purposes. Thus, if you store phone numbers for both marketing and identity verification, you will need to obtain consent for each purpose. Parental consent does not automatically expire when the child reaches the age at which they can consent for themselves, but bear in mind that you may need to refresh such consent more regularly. Specific: consent must be given in such a way that it clearly indicates the purposes for which it is requested. Where there are multiple purposes, each must be identified with a separate consent option. For example, a long document or page that lists several purposes in small print with a single "I agree" box at the bottom is not sufficient, because that single consent would not be specific to each of the different purposes. "Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment." There is also a difference between consent and explicit consent, although the line between them is thin. Finally, a reminder for companies outside the EU that process the personal data of individuals in the EU (and "processing" covers almost everything you can think of doing with a data subject's personal data): the GDPR and its consent rules also apply to you. Consent means giving people real choice and control over how you use their data.
If the person has no real choice, consent is not freely given and is invalid. Before you start building solutions and tools, it's important to design your consent mechanisms, which also requires you to know where you need consent (which processing activities rely on it), the consequences and associated obligations, and how you will comply with the GDPR's many consent requirements. Users must also take a specific, affirmative step to signal their consent, such as ticking a box on a website or selecting a setting in an application. Silence, pre-ticked boxes or inactivity do not constitute consent under the GDPR. Consent is probably the best-known and most often mentioned legal basis, but that does not mean it is always the most appropriate, as I said. In addition, when consent is the legal basis, there are several additional obligations on the controller and rights for the data subjects who have consented to the processing of their data. You will need to review and refresh your consents if your purposes or activities go beyond what you originally stated. Consent will not be specific enough if the details change; consent does not "evolve". Recital 32 also makes clear that electronic requests for consent should not be unnecessarily disruptive to users. You need to think about how best to tailor your consent requests and methods so that they give clear and complete information without confusing people or disrupting the user experience, for example by developing user-friendly layered information and just-in-time consents.
Consent under the GDPR is a tricky issue for many reasons. The main one has a lot to do with the scope of the GDPR and the kind of consent it requires. But let's look at what the WP29 guidelines on consent say about this. First of all, it must be obvious that consent has been given to a specific data processing activity. By definition, this is almost the same as saying that the data subject must have performed a freely given, informed, specific and unambiguous act that leaves no room for doubt.