Have you thought about how you will obtain the consent of your clients to be able to process and use their personal data in all the interactions of your company with them starting May 25th, 2018?
On such date the new European General Data Protection Regulation (GDPR), also known as GDPR, will come into force across the European Union, and the companies will not be able to use the data of their clients unless they can demonstrate that they have their unambiguous consent for it (among other requirements).
In this post, we will explain exactly what the new GDPR refers to with the expression "unambiguous consent", what options exist to comply with this requirement, and how such unambiguous consent can be obtained in an easy, quick and cost-effective manner.
This post is also available in Spanish.
GDPR reinforces the protection of personal data
The new General Data Protection Regulation does NOT allow the tacit or implied consent of their clients to be able to proceed with the processing of their personal data.
One of the objectives of GDPR is to strengthen the data protection of European citizens. They must assume the value of their personal information as users of services and entrust their personal data only to those companies that can actively ensure their protection.
That is why consent to the processing of personal data acquires greater relevance in the new European Regulation. The tacit or implied consent is no longer accepted.
As of May 25th, 2018, the consent of the clients or users will have to be obtained in a manner that no doubts arise regarding their willingness to share their personal data.
Article 29 Working Party
The European Commission has created an independent consultative body called the Article 29 Working Party (WP 29), to help companies adapt to the new General Data Protection Regulation.
This WP29 is made up of the Data Protection Supervisory Authorities of all the Member States, the European Data Protection Supervisor (EDPS) and the European Commission - which performs secretarial functions.
On November 28th, 2017, the WP29 published the draft Guidelines on consent under the General Data Protection Regulation to facilitate understanding of the term "consent" under Regulation 2016/679.
What is unambiguous consent per the new General Data Protection Regulation?
Consent is one of the conditions of legality for the processing of personal data. The new GDPR has introduced some novelties regarding consent, in particular, its unambiguous nature..
What is consent?
GDPR defines consent in Article 4.11:
"‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”
Thus, GDPR expressly adds the unambiguous element in relation to the previous norm, which did not contemplate it (Directive 95/46 /EC).
This adjective requires the interested party to accept the processing of their personal data through a declaration, which can be made by electronic means.
Basically, it is a manifestation of will that is obtained independently to the fact of agreeing to a contract or accepting the terms and conditions applicable to a service.
Failure to comply with obtaining a free, specific, informed and unambiguous consent could result in an economic loss to the company in the form of fines and penalties regulated by the Regulation, as well as possible civil liability in favor of the affected party.
The explicit consent
The Regulation indicates that an explicit consent could be necessary to treat the following data:
- for special categories of data (article 9)
- for cross-border data transfers (article 49)
- for profiling activities (Article 22)
In these cases, it is considered appropriate to raise the level of individual control over personal data. An obvious way to ensure that the consent is explicit is through a written statement signed by the interested party.
In the digital context, this written declaration can be signed by using the electronic signature, a medium directly recommended by WP29 (4. Obtaining explicit consent). This eliminates all possible doubts and the potential lack of evidence in obtaining explicit consent.
In addition to unambiguous, consent must be free, specific and informed
The other consent requirements, in addition to being unambiguous, are also subject to analysis by the Article 29 Working Party:
For consent to be free, there must be a real option and control by the interested party.
In addition, the Article 29 Working Party states that consent will not be considered freely granted when the denial or withdrawal of consent implies negative consequences for the interested party.
The purposes of data processing must appear specifically and cannot be extended once the subject has consented to the collection and processing of their data.
The need for consent must be granular, that is, that there is a choice of consent for each purpose.
All this must be accompanied by specific and separate information for each of the consents.
If the controller does not provide information accessible to the interested party, the consent will not be valid.
The Article 29 Working Party states the minimum content of necessary information, indicating that in some situations it will be necessary to expand this information to guarantee that the individual understands the processing operations that will be carried out of their personal data.
It will not be valid to use extensive privacy policies
that are illegible or full of legal terminology.
Consent must be clear and distinguishable from other matters. Meaning that the relevant information cannot be camouflaged in a paragraph within the terms and conditions.
What information must be offered to the interested parties according to GDPR?
In general terms, the information that must be provided to the interested parties is:
- The need for data processing, as well as the purpose and the period (for how long the data will be treated).
- The rights of the interested party and how to exercise them.
- Information regarding the and/or Processor, as well as the Data Protection Officer in case there is one.
What happens with the consents obtained before May 25th, 2018?
The consents obtained prior to the date of application of GDPR - May 25th, 2018 - will only remain valid if they were obtained respecting the criteria set by the Regulation itself.
Meaning, when these are unambiguous consents of the will, and are also verifiable.
The WP29 advises that all companies review their systems and procedures for collecting personal data to ensure compliance with the requirements of the Regulation. It is likely that, in many cases, these systems and procedures must be updated.
Companies must also verify that the mechanisms to easily revoke consent are available, and that information is provided to the interested party about them.
Thus, to avoid the situation in which the processing of personal data is presented as illegal due to failure to meet the requirements of the new Regulation, it is recommended for the Data Controller to obtain again the consent of all those customers or users whose consent was obtained before May 25th, 2018, probably obtained without considering the requirements stipulated by the new GDPR.
What options do companies have to comply with the consent requirements?
The Regulation states that the manifestation of consent must be unambiguous, through a declaration or a clear affirmative act.
In its Whereas 32, GDPR says the following about the declaration or clear affirmative act:
“could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data” in a way that “silence, pre-ticked boxes or inactivity should not therefore constitute consent”.
It is therefore clear that tacit consent will not be valid as of May 25th, 2018.
The Article 29 Working Party establishes that the concept of "clear affirmative action" implies the performance of an active motion or declaration by the interested party to show compliance with a specific processing of personal data.
In case data is obtained online, it will be valid to insert a box in a web form that allows proof that the interested party consents to the proposed processing of their personal data. As we have already mentioned, this box cannot be pre-marked in any way.
Although it may seem simple to include a box on a website that the user must tick to register his/her consent, to be legitimate, it must also be verifiable. No longer is it enough to obtain it in accordance with the provisions of GDPR, we must also be able to prove that we have done so.
Consent must be verifiable
thanks to the principle of "accountability".
What must be done to make consent verifiable?
To be able to say that the consent is verifiable, companies must be able to prove and document the following:
Who granted the consent?
It must be possible to identify the owner of the data by name or other elements that may identify them. In addition, it must be possible to demonstrate whether the consent has been revoked or not. In case it has been revoked, it must be possible to demonstrate when it was revoked.
When and how was consent granted?
If the consent is made in writing and online, it is necessary to obtain it with a timestamp.
In the case that consent is obtained in writing and offline, it is necessary to provide a copy - with date and signature of the interested party - of the document (consent) with its informative clauses.
What information did the person who consented receive
To comply with the requirement established by GDPR for more information, it is recommended to implement an information model by layers or levels:
First layer: basic information
This basic information must be presented in a way that is easily visible to the interested party. To identify it, a title such as "Basic information about data protection" should be used.
Second layer: additional information
This information must complete, with all the details, the summarized information, as well as add additional information required by GDPR, and not included in the first layer.
It is essential to have a copy of the form used to obtain the data of the interested party, or a copy of the data capturing system, with the information provided to the data owner.
- Online forms: you must have captures of the information layers with their corresponding timestamps.
- Forms offline: you must have the form on paper, with the date and the signature of the data owner, and with the informative clauses that were provided.
- Double opt-in: this is the case in which the interested party is sent a verification email to confirm their registration or subscription. In this email you can insert the information layers and capture the process.
How can unambiguous consent be obtained easily, quickly and cost-effectively?
As we have said, we must bear in mind that consent must be verifiable: those who collect personal data must be able to prove that the interested party has given their consent.
For this reason, it is important to review the consent registration systems, so that it is possible to verify it during an audit.
The Data Controller is free to implement the manner in which consent is obtained that best suits the internal processes of the company, as well as the most appropriate technical and organizational measures to demonstrate the correct procedure for obtaining the information.
The electronic signature of Signaturit is a fast and cost-effective solution to obtain the unambiguous and / or explicit consent.
To transform the tacit consents into unambiguous and / or explicit, Signaturit's electronic signature is presented as the best solution.
A practical, safe and legal mechanism that converts consent through electronic signature into a clear affirmative act, which is what the GDPR requires.
The electronic signature, with its timestamp, allows to prove the integrity of the consent, converting this act in an easy and safe process with full legal guarantees.
Those companies that are in motion to comply with the new European General Data Protection Regulation before May 25th, 2018 have only one option: to carry out an exhaustive analysis of how they collect and process data of natural persons, and verify whether they fully comply with the General Data Protection Regulation.
Companies cannot trust that they are currently complying with the new GDPR, since it introduces important changes in relation to the previous norm.
In addition, it is important to state that, along with the high penalties established for breach of any of its requirements, we must consider the fact that the burden of proof lies not on the claimant, but on the defendant.
Adapting the mechanisms of collecting and processing to comply with the new vision of the Regulation, which reinforces the user's consent so that his/her will does not cast doubt, is one of the most important challenges that Data Controllers will have to assume.
If you have questions about how to obtain unambiguous consent with our electronic signature solution, please send us an email to firstname.lastname@example.org or call us at 93 551 14 80.
This post is also available in Spanish.