The General Data Protection Regulation (GDPR) has introduced a number of new terms and redefined existing ones. By now, most of us feel we understand the basics of what GDPR is. However, consent, one of the most talked-about GDPR terms, is a good example of how that is not quite the case.

Consent and explicit consent is one and the same, right? Not exactly.

What is explicit consent?

Explicit consent is not directly mentioned in the GDPR definition of consent. However, "regular" consent and explicit consent share the same characteristics and prerequisites. Both must be freely given, specific, informed, and unambiguous to meet the GDPR's high standard for valid consent.

The main difference between consent and explicit consent lies in the form in which the data subject gives or expresses it. The data subject can give consent either by a statement or by a clear affirmative action. When consent is given by a statement, it is considered explicit.

Consent is one of the six lawful bases for processing personal data. A simple GDPR explanation of consent, as specified in Article 4, describes consent as:

"… any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

Characteristics of compliant consent

Freely given

This means you have presented data subjects with a genuine choice and made it possible for them to refuse or withdraw their consent at any time. There are situations where it is arguable whether consent can be considered freely given, namely those where an element of pressure or compulsion is present.

One example is the employee-employer relationship, where the uneven distribution of power may lead employees to give consent simply to avoid unpleasant situations at work. We covered this topic in depth in our blog post "Processing personal data of employees."

Specific

For consent to be considered specific, it must be given in relation to one or more specific purposes, and the data subject must be presented with a choice for each of them. As the WP guidelines specify, to satisfy the "specific" element you must apply:

➡️ Purpose specification as a safeguard against function creep,
➡️ Granularity in consent requests, and
➡️ Clear separation of information related to obtaining consent for data processing activities from information about other matters.

Informed

Simply put, the data subject needs to be informed about what they are agreeing to before you collect their consent.

Unambiguous

As the WP guidelines explain: "… consent requires a statement from the data subject or a clear affirmative act which means that it must always be given through an active motion or declaration. It must be obvious that the data subject has consented to the particular processing."

How to obtain explicit consent?

There is more than one way to obtain explicit consent.


A written statement signed by the data subject would be considered clear evidence of explicit consent. In the digital era, however, explicit consent can also be obtained by having the data subject fill in an online form, scan and send the written and signed statement, send an e-mail, or use an electronic signature.

The WP guidelines state that, in theory, an oral statement can also be considered explicit consent. In practice, however, it can be quite difficult to provide evidence of such consent later on.

You can obtain explicit consent from a website visitor by offering "Yes" and "No" checkboxes next to a statement that clearly indicates what they are consenting to.

Clear affirmative action, on the other hand, could include choosing technical settings for information society services, or another statement or conduct which, in the given context, clearly indicates the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes, or inactivity do not constitute consent.

When do you need to collect explicit consent?

Explicit consent is required in certain situations where there is a serious data protection risk and a higher level of control over the processing of personal data is needed. The WP guidelines mention a few situations where you need to obtain explicit consent:

➡️ when processing sensitive personal data,
➡️ when transferring data to third countries or international organizations in the absence of appropriate safeguards pursuant to Article 46, and
➡️ for automated individual decision-making, including profiling.

Obtaining explicit consent when processing sensitive personal data

Processing sensitive personal data that reveals racial or ethnic origin, political views, religious or philosophical beliefs, or trade union membership, as well as genetic data and biometric data, is prohibited. However, there are a few exemptions from this rule. One of them applies if the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition may not be lifted by the data subject.


Transferring data to third countries

When you transfer personal data to a third country or international organization, you may do so without specific authorization if that territory, third country, or organization ensures an adequate level of protection (as decided by the EU Commission). Where such a level of protection is absent, you may still transfer personal data if the data subject gives you explicit consent. In that case, you must disclose full information on the potential risks arising from the lack of appropriate safeguards.

Automated decision-making

There are three situations in which automated decision-making (including profiling) is compliant: when it is necessary for the performance of a contract between the data subject and the data controller, when such processing is authorized by EU or Member State law, and finally when it is based on explicit consent.

If you rely on explicit consent for automated decision-making, you will have to implement "suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision." (Art. 22)

How to demonstrate explicit consent?

Demonstrating consent can be a delicate task. The obligation to demonstrate GDPR-compliant consent always rests with the data controller. However, the GDPR does not prescribe which method to use or how to operationalize the process.

The controller must be able to prove that the data subject in a given case has consented, and this obligation to demonstrate consent exists for as long as the processing activity in question lasts.

After the processing activity ends, proof of consent should be kept no longer than strictly necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.

But what if a data subject has asked for their data to be deleted, and later on you are asked to provide proof of their consent? This complicates matters even further. Rather than settling for a half-solution, consent management software can be the safest way to manage consents. It can help you consolidate your data, give you a record of the consent given, and enable you to demonstrate compliance for any data subject, at any level, at any point in time, even after they have exercised their right to be forgotten.