When the General Data Protection Regulation (GDPR) is directly applied throughout the European Union on the 25 May 2018, it will be necessary to obtain explicit consent from users to collect their personal data on certain occasions.
But what is explicit consent? In which specific cases does it need to be obtained? We resolve these questions about the GDPR (EU) 2016/679 and others in the following post.
This post is also available in Spanish.
Table of contents
GDPR: what is explicit consent?
In principle, the definition and requirements of explicit consent should be the same as those of general consent, as quoted in the GDPR:
“Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The GDPR establishes a formal requirement to obtain consent and so ensure that it is unambiguous: the consent should be collected by a statement or by a clear affirmative action.
The term “clear affirmative action” gives the new GDPR special importance and removes the possibility of tacit consent or the classic little windows with pre-ticked boxes that were allowed with the previous legislation.
Additionally, the British Information Commissioner’s Office (ICO) explains that the requests for consent must be:
So, what is the main difference with general consent?
The difference with explicit consent lies in the fact that it must not be open to free interpretation and must be collected in a precise and clear way.
The distinction is therefore that those responsible for the data will have to ensure that they obtain said consent in an indisputable manner.
As specified by the British ICO, “the statement to obtain explicit consent must specify the nature of the data to be collected, the details of the automated decision and its effects or the details of the data that are going to be transferred and the risks of said transfer”.
When is explicit consent from clients necessary?
The GDPR establishes the situations in which consent as well as being unambiguous, as indicated, must be explicit:
When sensitive data is being processed (article 9.2.a GDPR)
These are given special protection in the regulation, either due to their nature or the relationship they could have with people’s fundamental rights and freedoms: racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, genetic data, biometric data with the objective of exclusively identifying an individual and data related to health or sex life and/or sexual orientation.
When automated decisions are adopted and in the creation of profiles (article 22.2.c GDPR)
These practices that are carried out in digital advertising, although they provide numerous benefits, can also involve significant risks for people’s rights and freedoms. Therefore, to legally process the data, the explicit consent of the interested party would be required.
When international transfers are made (article 49.1.a GDPR)
The GDPR establishes that it will be possible to transfer data to countries without an appropriate level of protection if the exceptions for transfer between them are observed, obtaining the reinforced consent of the interested party.
The interested party must expressly consent to this proposed transfer, after having been informed of the eventual risks to them from these transfers.
Verifiable a posteriori, the key to explicit consent
In these cases, it is considered appropriate to raise the level of control the interested parties have over their personal data and therefore the regulation demands that individuals accept this processing by a clear written statement, electronic methods such as an electronic signature, a verbal statement or by ticking a box on an Internet website.
However, as indicated in article 7.1 of the European Regulation, it is important to remember that consent must be verifiable a posteriori and those who collect the personal data must be able to demonstrate that they have obtained the consent of the person affected.
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented
to processing of his or her personal data."
art. 7.1 GDPR
The obvious way of being able to demonstrate indisputable, explicit consent is through a written statement signed by the interested party, preferable to a verbal statement for example, which is much more difficult to prove if it comes to that.
In addition, within a digital context, this signed, written statement may be achieved through the use of an electronic signature, recommended directly by GT29 - an independent advisory body integrated by the Data Protection Authorities of all the Member States, the European Supervisor for Data Protection and the European Commission - in the document Guidelines on Consent under Regulation 2016/679.
In this way, all possible doubts and the potential lack of evidence of obtaining express consent are removed.
With all that is stated above, companies should adapt the mechanisms they use to obtain consent to respect the new vision of the regulation, in order to ensure that it is free, informed, specific, unambiguous and, in the aforementioned cases, explicit.
Being able to use tools that demonstrate users’ consent so that their free will is not in doubt is one of the most important challenges that those responsible for data processing in companies will have to assume and where Signaturit’s electronic signature is the best option.
If you have any questions about how to obtain explicit consent with our electronic signature solution, please send us an email: firstname.lastname@example.org or call us on 93 551 14 80.
This post is also available in Spanish.