More often than not, when we are approached with a GDPR question, it revolves around consent. The need for consent is, of course, nothing new. But not only does the GDPR put a spotlight on it, we also have to meet some very specific criteria when recording consent. Let’s dive in.
Legal basis for processing
First of all, consent is only one of the six legal grounds for processing personal data.
We’ve spoken about the six legal grounds for processing personal data before on this blog as well. You should think of it as choosing your lane on the highway. You choose the lane that’s best for the data process you are working on and you stick with it. When preparing for GDPR compliance, a lot of people only focus on consent.
I like to think of consent as my emergency lane. Why? Consent comes with a number of requirements. We have to make sure that we obtain specific consent, consent will expire, we need to provide the data subject with quite a bit of information and, on top of that, consent can be (and should be!) very easily withdrawn. This is why, if we can base processing on a legal basis other than consent, such as legitimate interest, we should do so.
When determining how you handle personal data, you should always start with outlining the process and define, among other things, what the legal basis for processing is. The easiest way of doing this is to create a Data Processing Inventory. If you’d like to know more about how to do this, have a look at this blog.
Marketing processes and the GDPR
When it comes to our marketing processes, though, consent will be the legal basis for most of what we do. So how should we approach this? Firstly, we need to separate consent and opt-in. Often these two get grouped together, but when we refer to consent we mean that a data subject agrees with your privacy statement, i.e. that they consent to you processing their data. An opt-in, on the other hand, means that we may actually send marketing emails to this person.
Conditions for consent
Article 7 of the GDPR outlines the conditions for consent, which can be summarised roughly as follows:
- You have to be able to demonstrate the data subject consented to the processing of the personal data.
- You’ll have to make sure that you separate the consent request from any other content, and that the text is easy to access and understand.
- The data subject can withdraw their consent at any time and this has to be as easy as giving consent.
- Consent has to be freely given, so the performance of a contract or the offering of a service can’t be made conditional on consent.
Besides article 7, we’ll have to look at a few recitals as well, namely recitals 32, 42 and 43. We could summarise the requirements outlined in these as follows:
- Consent has to be given by ‘a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement’.
- Consent can be recorded using a tick box on a website.
- A pre-ticked box is not allowed.
- Silence or non-action can never be considered as consent.
- Consent has to cover all processing activities carried out for the same purpose. If there are multiple purposes, you’ll have to record consent separately for each of them.
- The consent shouldn’t be disruptive to the service for which it is provided.
- The data subject should at least be aware of who the controller is and what the purposes of processing are.
- We can’t assume consent is freely given if the data subject doesn’t have a free choice or isn’t able to refuse or withdraw consent without consequences.
- If there is an imbalance between the controller and the data subject, for example when a public authority is requesting consent, it’s unlikely consent is freely given.
- Consent isn’t presumed to be freely given if the data subject doesn’t have the chance to consent to separate processes separately, or when the performance of a contract or service depends on this consent.
That covers the conditions of freely given consent and the burden of proof. When you require consent for the processing of special categories of data or when you require consent from children, the list gets even longer.
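The conditions above translate fairly directly into how a consent record should behave: one record per purpose, only an affirmative act (a box the visitor ticked themselves) is recorded, an unticked or pre-ticked box records nothing, withdrawal is a single step, and the whole history is kept so that consent can be demonstrated later. As an added illustration that is not part of the original post, the following Python consent ledger implements exactly those rules. The purpose names, subject id, privacy statement version and timestamps are constructed sample values, and the form-handling shape (one checkbox per purpose) is an assumption about the website, not something the post prescribes.

```python
"""Consent ledger: per purpose, affirmative, withdrawable, demonstrable.

Added example; the rules encoded here follow GDPR article 7 and recitals
32, 42 and 43 as summarised in the post. All sample values are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


class ConsentError(ValueError):
    """A consent request that fails the conditions is refused, not recorded."""


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # one event per purpose; bundled consent is never recorded
    action: str           # "given" or "withdrawn"
    at: datetime          # UTC timestamp, part of the evidence trail
    notice_version: str   # version of the privacy statement the subject was shown
    source: str           # where the act happened, e.g. "signup-form" (constructed)


@dataclass
class ConsentLedger:
    """Append-only event log, so consent can be demonstrated afterwards."""
    events: List[ConsentEvent] = field(default_factory=list)

    def record_form(self, subject_id: str, boxes: Dict[str, bool],
                    pre_ticked: Dict[str, bool], notice_version: str,
                    source: str, at: Optional[datetime] = None) -> List[ConsentEvent]:
        """Record consent from a form that has one checkbox per purpose.

        boxes:      purpose -> whether the box was ticked when the form was submitted
        pre_ticked: purpose -> whether the box was rendered ticked by default
        """
        at = at or datetime.now(timezone.utc)
        given = []
        for purpose, ticked in boxes.items():
            # A pre-ticked box is not a clear affirmative act, even if the subject
            # left it ticked: refuse the whole submission so the form gets fixed.
            if pre_ticked.get(purpose, False):
                raise ConsentError(f"pre-ticked box for purpose {purpose!r}")
            # Silence or non-action is never consent: an unticked box records nothing.
            if not ticked:
                continue
            given.append(ConsentEvent(subject_id, purpose, "given", at,
                                      notice_version, source))
        self.events.extend(given)
        return given

    def withdraw(self, subject_id: str, purpose: str, source: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        """Withdrawal is one call with no preconditions: as easy as giving consent."""
        ev = ConsentEvent(subject_id, purpose, "withdrawn",
                          at or datetime.now(timezone.utc), "", source)
        self.events.append(ev)
        return ev

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """The most recent event for this subject and purpose decides."""
        latest = None
        for ev in self.events:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.action == "given"

    def evidence(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one subject, in order: the burden-of-proof trail."""
        return [ev for ev in self.events if ev.subject_id == subject_id]


def demo() -> ConsentLedger:
    """Constructed scenario: a sign-up form with separate boxes per purpose."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    # Constructed submission: newsletter box ticked, profiling box left unticked.
    ledger.record_form("subject-42",
                       boxes={"newsletter": True, "profiling": False},
                       pre_ticked={"newsletter": False, "profiling": False},
                       notice_version="privacy-statement-v3",
                       source="signup-form", at=t0)
    # A week later the subject withdraws newsletter consent from the preferences page.
    ledger.withdraw("subject-42", "newsletter", "preferences-page",
                    at=datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc))
    return ledger


if __name__ == "__main__":
    ledger = demo()
    for ev in ledger.evidence("subject-42"):
        print(ev.at.isoformat(), ev.purpose, ev.action, ev.source)
    print("newsletter consent now:", ledger.has_consent("subject-42", "newsletter"))
```

Two design choices matter here. The ledger never deletes or overwrites: withdrawal is a new event, so the record still shows that consent was validly obtained before it was withdrawn, which is what you need when asked to demonstrate consent. And the privacy statement version is stored with each "given" event, so you can show which information the subject had in front of them at the time.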
Information to be provided to your data subjects
There is one more article that I’d like to explain in order for us to understand what we need to do on our websites before we can record consent in a GDPR-compliant way, and that is article 13. Article 13 outlines the information we have to make available to our data subjects when we collect their personal data. In my opinion, this information doesn’t all have to be included in the text accompanying the checkbox. To me, that wouldn’t make this text easy to understand at all! I believe we can refer to our website’s privacy statement instead. What should be included? The following:
- The identity and contact details of the controller (that’s you, as an organisation processing personal data and making decisions based on it) and, if relevant, the controller’s representative. A controller might need a representative based in the EU when, for example, the controller doesn’t have offices in the EU.
- The contact details of the Data Protection Officer (DPO) if the organisation needs one.
- The purposes of processing and the legal basis for processing personal data.
- The recipients of the personal data you’re processing.
- Any third countries you intend to transfer the data to and whether protective measures are in place, for example when these countries aren’t in the EU. Safeguards can be Binding Corporate Rules or a Data Processing Agreement.
- How long you intend to store the data for or the criteria you will use to make that decision.
- The fact that the data subject has the right of access, rectification or erasure of personal data as well as the option to have processing restricted and the right to data portability.
- You’ll have to explain the right to withdraw consent.
- Explain to your data subject they have the right to file a complaint against you with the Data Protection Authority.
- Whether you make any decisions based solely on automated processing.
Now you see why we recommend relying on a legal basis other than consent when you can. However, when should you take consent into consideration? You should make sure you obtain consent when you ask your website visitors to fill in a form or connect with you through a chat function and you intend to store the personal data gathered in your CRM system. Technically, the need to have an opt-in before emailing your data subjects marketing content is outlined in the PECR. However, we believe that the GDPR determines how exactly you communicate about privacy, and therefore it also dictates how you should record your opt-in.
Consent is an important part of the GDPR and this can be confusing for anyone without a legal background. I'd be happy to talk you through what it takes to apply consent in the right way.