When the new European General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, companies, freelancers and institutions will be obliged to bring themselves up to date on this matter if they want to comply with its requirements.
One of the most important new requirements being introduced relates to the way in which the data controllers need to obtain the consent of the data subjects (the owners) in order to process their personal data and, above all, how to demonstrate that they have done so lawfully.
In this post, we will give a brief summary of all the elements comprising consent and what solutions Signaturit is providing to help companies comply with the regulation on this specific point.
This post is also available in Spanish.
Processing personal data lawfully first of all means that the data is processed on the basis of the data subject's consent, or on another legitimate basis established by the GDPR in Art. 6, as we explained in our previous post.
So, if the lawful basis for processing is the data subject's consent, the data controller must comply with the requirements laid out in the Regulation for obtaining that consent and for demonstrating it.
To make it easier to comply with these requirements, the Article 29 Working Party (hereafter WP29), which brings together all the Member States' data protection authorities, has published Guidelines that describe the concept of consent comprehensively in light of the Regulation and its requirements.
Article 4 of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Thus, on the basis of this definition, the Guidelines set out a series of fundamental elements for assessing whether a data subject's consent is valid under the GDPR:
Unambiguous: the consent requires a statement from the data subject or a clear affirmative act which means that it must always be given through an active motion or declaration. Silence or inactivity on the part of the data subject or using pre-checked boxes will be invalid as of 25 May. It must be “obvious” that the person has consented to the data being processed.
Freely given: consent will not be valid if there is an imbalance of power (between an employee and an employer, for example), or when it is contingent on a contract being executed.
Specific: consent must only be sought to process personal data for a particular purpose. This means that data controllers need to obtain separate permission for each specific purpose.
Withdrawable: data subjects have the right to withdraw their consent at any time.
Informed: consent will be considered to have been given in a fully informed manner when the following information has been provided to the data subject as a minimum:
(1) the controller’s identity;
(2) the purpose of each of the processing operations for which consent is sought;
(3) what (type of) data will be collected and used;
(4) the existence of the right to withdraw consent;
(5) information about the use of the data for decisions based solely on automated processing, including profiling;
(6) if the consent relates to transfers, about the possible risks of data transfers to third countries in the absence of an adequacy decision and appropriate safeguards.
Clear and plain: using clear and plain language, that can easily be understood by the average user, is indispensable. It must also be distinguished from other matters; for example, it is not admissible to obtain consent in the middle of a paragraph of terms and conditions.
Data subjects must give their consent by way of an explicit declaration in the following situations:
- Where special categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for the purpose of uniquely identifying an individual, data concerning health, sex life or sexual orientation) are to be processed.
- For data transfers to countries outside the EU.
- For making automated decisions, including for profiling.
Whereas the GDPR requires a "clear affirmative action" for processing "normal" data, explicit consent is held to a higher standard.
In the electronic context, the data subject may give an explicit declaration of their consent by filling out a form, by providing a scanned document or by using an electronic signature, as recommended by the WP29.
Figure: Sanctions under the new European General Data Protection Regulation for processing data without the data subject's explicit consent.
By virtue of the GDPR, data controllers need to demonstrate that they have obtained valid consent. They must also ensure that they retain that consent, since, should it come to a dispute, the burden of proof will fall on them.
The controller will also need to demonstrate that the data subject was informed and that all the relevant criteria for valid consent were met. This obligation rests on the principle of accountability: records must be kept so as to provide the best evidence of compliance when defending a claim brought by European citizens or by the competent authorities.
It is important that data controllers review their processes and records and update them in line with the current requirements, so as to ensure that consent obtained prior to 25 May complies with the new rules.
In practice, this means that if the processing carried out prior to the GDPR is based on consent and this does not comply with the new requirements of the European regulation, the data controllers must assess whether they can base this processing on other legal grounds, bearing in mind the conditions laid out by the GDPR, or else they will have to obtain the data subject’s consent again, in accordance with the current requirements.
Signaturit’s electronic signature, a fast and cost-effective solution for obtaining unambiguous and/or specific consent
Manually seeking the GDPR’s informed, unambiguous and/or explicit consent, either on paper or using basic computer tools, is entirely unsuitable for any innovative company concerned about the efficiency and legality of their internal processes.
To this end, below you will find a simple explanation of the different options we have designed especially for this purpose. These will enable you to automate this legal requirement in line with the particular needs of your company:
At Level 1, the most basic level for demonstrating that consent has been given, we have developed a "script" that can be incorporated into any website or application.
When a person fills in the form to give their consent for their personal data to be processed, Signaturit will be in charge of saving this record, as well as the terms and conditions that the user accepted when clicking on the “Accept” button.
Some example uses of this solution are accepting cookies or accepting a company's general conditions, where doing so is necessary to carry out a transaction.
At Level 2, in addition to capturing the electronic evidence of the context, we add a second authentication element by validating the consent through an OTP (one-time password), a temporary validation code that we send via SMS and/or email.
Whether the code is sent by SMS or by email, in addition to collecting the same data as in the Level 1 solution (IP address, browser and the date and time of the action) we also hold the data subject's email address and/or mobile number.
Both variants therefore provide a higher level of assurance than the Level 1 solution when it comes to identifying the data subject.
A typical use for this solution is renewing consent that has already been granted.
Level 3, advanced consent, makes it possible to uniquely identify the person consenting. This solution has been designed for those cases in which the data subject's consent needs to be explicit (as well as unambiguous).
To this end, the data subject is invited to sign the contents of the consent form on his or her smartphone, tablet or computer by drawing a handwritten signature with a finger (on smartphones and tablets) or with the mouse (on laptops and desktop computers).
This is our advanced electronic signature, for which we collect a set of data that enables us to identify the signatory uniquely and explicitly.
The Level 4 solution is based on the Level 3 solution, with one additional step: attaching a photograph of the identity document (ID card or passport) of the person granting his or her consent.
For the process to be finalised, this step must be completed once the contents of the consent have been signed.
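As an added illustration (not Signaturit's code or API), here is a minimal consent-evidence record of the kind the Level 1 and Level 2 descriptions above imply: it stores a hash of the exact terms accepted, the named purposes, the IP address, browser and timestamp of the "Accept" click, optionally the email or mobile number, and seals the record with an HMAC so that later tampering is detectable. The field names, the sealing key and the OTP confirmation flow are assumptions for the example; the key and all sample values are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key; a real deployment keeps this in a KMS/HSM, not in source.
SEAL_KEY = b"demo-seal-key-not-for-production"

def _seal(rec: dict) -> str:
    """HMAC-SHA256 over the canonical JSON of every field except the seal itself."""
    body = {k: v for k, v in rec.items() if k != "seal"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SEAL_KEY, canon, hashlib.sha256).hexdigest()

def consent_record(subject, purposes, terms_text, ip, user_agent,
                   email=None, phone=None, ts=None) -> dict:
    """Evidence of the 'Accept' click: the exact terms shown (by hash), the named
    purposes, and the context (IP, browser, ISO-8601 time, optional email/phone)."""
    if not purposes:
        raise ValueError("consent must be specific: name at least one purpose")
    rec = {
        "subject": subject, "purposes": sorted(set(purposes)),
        "terms_sha256": hashlib.sha256(terms_text.encode()).hexdigest(),
        "ip": ip, "user_agent": user_agent, "email": email, "phone": phone,
        "timestamp": ts or datetime.now(timezone.utc).isoformat(),
        "otp_verified": False, "withdrawn_at": None,
    }
    rec["seal"] = _seal(rec)
    return rec

def is_intact(rec: dict) -> bool:
    """True if no field has changed since the record was last sealed."""
    return hmac.compare_digest(rec.get("seal", ""), _seal(rec))

def confirm_otp(rec: dict, sent_code: str, provided_code: str) -> bool:
    """Second factor: the code sent by SMS/email must come back unchanged."""
    if not is_intact(rec) or not hmac.compare_digest(sent_code, provided_code):
        return False
    rec["otp_verified"] = True
    rec["seal"] = _seal(rec)
    return True

def withdraw(rec: dict, ts=None) -> dict:
    """Withdrawal is appended to the record, not erased, so the history stays provable."""
    rec["withdrawn_at"] = ts or datetime.now(timezone.utc).isoformat()
    rec["seal"] = _seal(rec)
    return rec
```

Records like this are what answers the burden-of-proof question: they show what was accepted, for which purposes, when, and from where, and the seal shows the record has not been edited since.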
Adapting the mechanisms for collecting and processing data in order to comply with the Regulation’s new vision is one of the most significant challenges that data controllers or processors will have to face.
Signaturit has therefore developed four solutions that will help you comply with the new European regulation in a practical way and with the highest legal guarantees.
These tools, which have full legal validity, will enable companies to certify that a data subject gave his or her consent at a particular time and under which conditions it was granted, which resolves the burden of proof issue.
Should you have any questions about how to obtain consent with the solutions we have outlined in this post, you can download the guide you will find below, where we explain our services in greater detail. You may also contact us by emailing firstname.lastname@example.org or calling us on 93 551 14 80.