Can I demonstrate freely given, specific, informed and unambiguous consent?
In our fourth “The Articles” Series post we look at Article 7 – Conditions for consent. This follows on from our previous post on Lawfulness of Processing, which concluded that “consent should be the basis for processing PII for behavioural advertising”.
When processing the PII of EU data subjects on the basis of the data subject’s consent, that consent must be:
Freely given
Consent should not be made mandatory for PII that is not related to the service or contract being provided.
Specific
Controllers must request specific consent for each type of processing they intend to do on an individual’s PII. This may require multiple check boxes or multiple other specific consent actions.
Informed and unambiguous
When consenting, the individual must be clear about what processing they are consenting to. In addition, the identity of the Controller must be made clear at the point consent is requested.
The Controller must ensure the request for consent is in plain language that the intended audience will understand.
The data subject must consent via an affirmative action
When giving consent, individuals must take clear actions such as ticking a box. Tick boxes must not be pre-ticked, and each action must be for a specific consent. A single tick-box should not cover multiple types of processing.
Controllers must not infer consent from silence, inactivity or from previously given consent that was not specific to the processing.
Consent must be given separately from all other terms and conditions
Consent for processing PII should be given separately and be clearly distinguishable from all other matters, such as the terms and conditions of a website.
The data subject must be able to withdraw consent as easily as giving consent
An individual must be able to withdraw consent at any time, as easily as when they originally gave it. It should be clear to them, at the time of giving consent, how they can withdraw it.
If an individual withdraws consent then previous processing is not affected, but all further processing must stop for the PII for which consent has been withdrawn.
The Controller must be able to demonstrate that consent has been given
The Controller must have evidence that consent has been given for all processing of PII. This is an important step up from the Data Processing Directive (DPD): whilst it is recommended that evidence of consent be maintained, the DPD does not specifically address this.
The GDPR places the burden of proof directly on the data controller; the controller should record consent and the conditions under which it was given.
Double opt-in, where the Controller sends the individual a confirmation email that the individual has to respond to, can be used to provide further evidence of affirmative action.
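The requirements above (one affirmative action per specific purpose, no consent by default, withdrawal that stops further processing without touching what was lawfully done before, and a record the controller can produce as evidence) map naturally onto an append-only consent ledger. The following is an added illustration written for this post, not code from GDPR Auditing or from any regulator’s guidance; the data model, field names and the `ConsentLedger` class are assumptions chosen to make each condition checkable in code.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One consent decision. Every field is part of the evidence the
    controller must be able to produce to demonstrate consent."""
    subject_id: str
    purpose: str          # one specific processing purpose, never a bundle
    given: bool           # True = consent given, False = consent withdrawn
    at: datetime          # when the action happened (timezone-aware, UTC)
    controller: str       # controller identity shown at the point of consent
    notice_version: str   # version of the plain-language text the subject saw
    method: str           # the affirmative action, e.g. "checkbox", "double-opt-in"


class ConsentLedger:
    """Append-only log of consent decisions, keyed by (subject, purpose)."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_consent(self, subject_id: str, purpose: str, controller: str,
                       notice_version: str, method: str, affirmed: bool = False,
                       at: Optional[datetime] = None) -> ConsentEvent:
        # `affirmed` defaults to False: a caller who never passes the subject's
        # actual action (a pre-ticked box, silence, inactivity) cannot create consent.
        if not affirmed:
            raise ValueError("consent needs an affirmative action; a default or silence is not consent")
        # One purpose per consent action; bundled purposes are not "specific".
        if not purpose or "," in purpose:
            raise ValueError("one purpose per consent action; do not bundle purposes")
        event = ConsentEvent(subject_id, purpose, True, at or datetime.now(timezone.utc),
                             controller, notice_version, method)
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal takes no justification and no more ceremony than giving consent.
        last = self._latest(subject_id, purpose)
        if last is None:
            raise LookupError("no consent on record to withdraw")
        event = ConsentEvent(subject_id, purpose, False, at or datetime.now(timezone.utc),
                             last.controller, last.notice_version, "withdrawal")
        self._events.append(event)
        return event

    def _latest(self, subject_id: str, purpose: str,
                at: Optional[datetime] = None) -> Optional[ConsentEvent]:
        # Most recent decision for this (subject, purpose) at or before `at`.
        cutoff = at or datetime.now(timezone.utc)
        matching = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= cutoff]
        return max(matching, key=lambda e: e.at) if matching else None

    def may_process(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        # Asking about a past instant shows earlier processing is unaffected by a
        # later withdrawal; asking about now gates any further processing.
        latest = self._latest(subject_id, purpose, at)
        return latest is not None and latest.given

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        # The full history the controller can produce on request.
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.at)


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    ledger = ConsentLedger()
    may = datetime(2017, 5, 1, tzinfo=timezone.utc)
    ledger.record_consent("subject-1", "newsletter", "Example Ltd", "notice-v1",
                          "checkbox", affirmed=True, at=may)
    print("newsletter allowed:", ledger.may_process("subject-1", "newsletter"))
    print("advertising allowed:", ledger.may_process("subject-1", "behavioural_advertising"))
    ledger.withdraw("subject-1", "newsletter")
    print("newsletter allowed after withdrawal:", ledger.may_process("subject-1", "newsletter"))
    for e in ledger.evidence("subject-1", "newsletter"):
        print(e)
```

The design choice worth noting is that the ledger never deletes anything: withdrawal is recorded as a new event rather than by removing the original, so the controller can still demonstrate that processing before the withdrawal was based on valid consent, while `may_process` for any later instant returns False.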
Other conditions
There are additional conditions applicable to children, see Article 8 of the GDPR, and processing special categories of personal data, see Article 9 of the GDPR.
Relying on Consent
Where a controller relies on consent to process PII, that consent must meet the GDPR standard. If it does not, the consent conditions must be updated to comply and consent re-requested from the data subject. Alternatively, one of the other conditions for processing must be met where possible, for example Legitimate Interest.
Controversial
Consent is likely to be another controversial aspect of the GDPR, particularly within the Direct Marketing community, bearing in mind the significant increases in the penalties for non-compliance compared with current legislation.
The Article 29 Working Party is due to release its guidance on the use of consent. From the ICO: “The Article 29 Working Party are due to publish guidelines on consent in 2017 and the latest timetable is for this to be agreed and adopted in December 2017”.
Draft consent guidance is also available from the ICO here.
If you would like to know more about how GDPR Auditing can help your organisation with the GDPR or have any suggestions of future posts for this series please email us at info@gdprauditing.com or the author vakis.paraskeva@gdprauditing.com.
© GDPR Auditing 2017.
The information provided in this post is for general information only and is not intended to provide legal advice.