The new European General Data Protection Regulation (GDPR) introduces many changes in the way personal data is collected and processed, but one of the most significant is found in the concept of consent.
The regulation strengthens the way the user's will must be expressed, so that their decision leaves no room for doubt or ambiguity, and it must also be demonstrable under the principle of proactive responsibility (accountability).
In the following post we analyse this concept and what controllers must be able to demonstrate in order to comply with the GDPR in relation to consent.
This post is also available in Spanish.
Consent is the act by which the interested party accepts the processing of their personal data. Consent is therefore no more than the demonstration of the user's willingness to share their personal data.
The new GDPR maintains this definition with respect to the previous Directive but modifies the necessary circumstances in which this consent must be granted.
Article 4.11 states:
“‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
This change means that what was previously known as tacit consent is no longer valid. In fact, the regulation states this explicitly: “silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
Consent must be given through a clear affirmative act that reflects the willingness to accept the processing of personal data.
This could include ticking an opt-in box on a website, a written statement (including one made by electronic means), or any other statement or conduct that clearly indicates, in this context, that the interested party accepts the proposed processing of their personal data.
Here another change occurs in the new data protection regulation in respect of children's data and consent.
The processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years old, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Member States may provide by law for a lower age for those purposes, provided that such lower age is not below 13 years.
In addition to complying with the requirements above, several details must remain verifiable afterwards, since consent is required to be demonstrable.
Thanks to the principle of "accountability" or "proactive responsibility", it is necessary to establish effective mechanisms to demonstrate the willingness of all people who grant their consent. It is fundamentally about keeping evidence of consent.
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” (Article 7 GDPR)
To be able to say that consent is demonstrable, companies must be able to document the following:
- The identity of the data subject, by his/her full name or other information that identifies him/her.
- Whether the consent has been withdrawn or not.
- In cases where it has been withdrawn, when it was withdrawn.
If consent is given in writing online, it must be obtained together with a timestamp.
In the eIDAS Regulation, an electronic time stamp is defined as "data in electronic format that links other data in electronic format with a specific moment, providing proof that the latter data existed at that moment."
In the case that consent is obtained in writing and offline, it is necessary to provide a copy - with date and signature of the interested party - of the document (consent) with its informative clauses.
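As an added illustration (not code from the original post, and not Signaturit's product), the following Python sketch shows one way a controller could keep the evidence described above: each record binds the data subject's identifier, the purpose, a hash of the notice text actually shown, the affirmative act and a UTC timestamp, and a withdrawal is appended as a new entry rather than editing the original, so both the grant and the moment of withdrawal stay demonstrable. The hash chain, the `ConsentLedger` class and the sample notice text are assumptions of this example; the chain is a simple tamper-evidence measure and is not an eIDAS electronic time stamp, which involves a trusted third party.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample of a first-layer notice shown at the moment of consent.
# Storing its hash lets the controller show later exactly what text was accepted.
SAMPLE_NOTICE = (
    "Controller: Example Ltd. Purpose: newsletter subscription. "
    "Legal basis: consent. Recipients: processors inside the EU. "
    "Rights: access, rectification, erasure. More info: /privacy"
)

# Acts the regulation says do NOT constitute consent; the ledger refuses them.
NOT_AFFIRMATIVE = {"pre-ticked box", "silence", "inactivity"}


def utc_now() -> str:
    """ISO-8601 UTC timestamp: the 'specific moment' a record is bound to."""
    return datetime.now(timezone.utc).isoformat()


@dataclass
class ConsentRecord:
    subject_id: str             # full name or other identifier of the data subject
    purpose: str
    notice_sha256: str          # hash of the information layer actually shown
    action: str                 # the affirmative act, e.g. "ticked unchecked opt-in box"
    given_at: str               # timestamp of the grant
    withdrawn_at: Optional[str] = None
    prev_hash: str = ""         # hash of the previous entry -> tamper-evident chain
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("entry_hash")  # the hash covers everything except itself
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


class ConsentLedger:
    """Append-only evidence log (hypothetical helper for this example)."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[ConsentRecord] = []

    def _append(self, rec: ConsentRecord) -> ConsentRecord:
        rec.prev_hash = self.entries[-1].entry_hash if self.entries else self.GENESIS
        rec.entry_hash = rec.compute_hash()
        self.entries.append(rec)
        return rec

    def record_consent(self, subject_id: str, purpose: str, notice_text: str,
                       action: str, when: Optional[str] = None) -> ConsentRecord:
        if action.lower() in NOT_AFFIRMATIVE:
            raise ValueError("not a clear affirmative act: " + action)
        notice_hash = hashlib.sha256(notice_text.encode()).hexdigest()
        return self._append(ConsentRecord(subject_id, purpose, notice_hash,
                                          action, when or utc_now()))

    def withdraw(self, subject_id: str, purpose: str,
                 when: Optional[str] = None) -> ConsentRecord:
        grant = self.current_consent(subject_id, purpose)
        if grant is None:
            raise LookupError("no active consent to withdraw")
        # New entry referencing the original grant; the grant itself is untouched.
        return self._append(ConsentRecord(subject_id, purpose, grant.notice_sha256,
                                          "withdrawal", grant.given_at,
                                          withdrawn_at=when or utc_now()))

    def current_consent(self, subject_id: str, purpose: str) -> Optional[ConsentRecord]:
        """Latest entry for subject/purpose; None if never given or withdrawn."""
        for rec in reversed(self.entries):
            if rec.subject_id == subject_id and rec.purpose == purpose:
                return None if rec.withdrawn_at else rec
        return None

    def verify_chain(self) -> bool:
        """Recompute every hash and link; any edit to an entry breaks the chain."""
        prev = self.GENESIS
        for rec in self.entries:
            if rec.prev_hash != prev or rec.compute_hash() != rec.entry_hash:
                return False
            prev = rec.entry_hash
        return True


def demo() -> dict:
    """Grant, withdraw and verify for one constructed data subject."""
    ledger = ConsentLedger()
    ledger.record_consent("Jane Doe", "newsletter", SAMPLE_NOTICE,
                          "ticked unchecked opt-in box", when="2018-05-25T10:00:00+00:00")
    ledger.withdraw("Jane Doe", "newsletter", when="2018-06-01T09:00:00+00:00")
    return {"withdrawn": ledger.current_consent("Jane Doe", "newsletter") is None,
            "withdrawn_at": ledger.entries[-1].withdrawn_at,
            "chain_ok": ledger.verify_chain()}


if __name__ == "__main__":
    print(demo())
```

The ledger answers the three questions listed above (who consented, whether it was withdrawn, and when) from the entries alone, and `verify_chain` lets an auditor check that no entry was altered after the fact.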
The GDPR puts a lot of emphasis on transparency: the information set out in Articles 13 and 14 must be provided and the notices must be clear, correct and informative.
The GDPR recommends providing this information in a layered system:
- A first layer in which the basic information must be presented in a way that is easily visible to the interested party and with the most relevant aspects related to the processing of that information.
- A second layer where the information is collected in a more detailed way that would be accessed through a link.
In the first layer, the following aspects must be reported in all cases:
- Party responsible for the processing of the data: including its company name.
- Purpose of the processing: management of the subscription for example.
- Lawfulness of processing: the legal basis on which the processing is based, which is regulated in art. 7 GDPR, being the consent of the interested party in this specific case.
- Recipients: parties in charge of the processing, inside and outside the EU.
- Rights: a brief reference can be made to the existence of the most common rights and a reference to the corresponding heading in the additional information.
- Additional information: finally, an indication of where or how the additional information in the second layer can be accessed must be clearly included. For example, with the following template: "You can consult the additional and detailed information on Data Protection at the following link...".
More information > GDPR: when do you need explicit consent from your clients?
Signaturit: 4 quick and effective solutions to obtain your clients’ unequivocal and/or express consent
To transform tacit consent into unambiguous and/or express consent, Signaturit offers 4 solutions specially designed for the occasion that allow companies to automate this legal requirement according to their particular needs, as we explained in this previous post.
The consent of the interested parties is presented as "the bastion of the legitimate willingness of those affected" and no shortcuts are conceived to obtain it nor are there any loopholes when it comes to demonstrating it.
Companies must be aware today, less than a month until the GDPR enters into force, of the legal and practical implications of this change on their daily operations.
They should review the way in which they obtain and register this consent, eliminate those practices that fall within the so-called tacit consent and adopt the necessary mechanisms to demonstrate the user's lawful consent.