The General Data Protection Regulation (GDPR) introduced a number of new terms and redefined existing ones.
By now most of us believe we have grasped the basics of the GDPR. Consent, one of the most talked-about GDPR terms, is a good example of how that is not quite the case, especially when it comes to explicit consent.
Consent and explicit consents are one and the same, right? Not exactly.
What is explicit consent?
Explicit consent is not separately defined in the GDPR; it is not even mentioned in the definition of consent. "Regular" consent and explicit consent nevertheless share the same characteristics and prerequisites: consent must be freely given, specific, informed, and unambiguous to meet the GDPR standard for valid consent.
The main difference between consent and explicit consent lies in the form in which the individual (the data subject) gives or expresses it. The definition allows the data subject to give consent either by a statement or by a clear affirmative action. Consent given by an express statement is what is considered explicit.
“… any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” (Art. 4(11))
Characteristics of compliant consent
1. Freely given
Freely given consent means you have presented data subjects with a genuine choice and made it possible for them to refuse, and to withdraw their consent at any time. There are a few situations in which it is arguable whether consent can be considered freely given at all.
The employer-employee relationship is one example: the imbalance of power may lead employees to consent simply to avoid unpleasant situations at work.
2. Specific
For consent to be considered specific, it must be given for each specific purpose, and the data subject must be presented with a choice for each of them. To satisfy the "specific" requirement, you must apply:
- Purpose specification as a safeguard
- Granularity in consent requests
- Clear separation of information related to obtaining consent for data processing activities from information about other matters
3. Informed
Simply put, the data subject needs to be told what they are agreeing to (at least who you are, which data you process, for what purposes, and that consent can be withdrawn) before you collect their consent.
4. Unambiguous
Consent requires a statement from the individual or a clear affirmative action, which means it has to be given through an active motion or declaration. It must be obvious that the data subject intended to give you their consent.
When do you need to collect explicit consent?
Explicit consent is required in certain situations where there is a serious data protection risk and a higher level of individual control over the processing of personal data is therefore warranted. The Article 29 Working Party (WP29) guidelines on consent mention a few situations in which you need to obtain explicit consent:
- when processing special categories of (sensitive) personal data
- when transferring data to third countries or international organizations in the absence of appropriate safeguards pursuant to Article 46
- for automated individual decision-making, including profiling.
1. Processing sensitive personal data
Processing personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed to uniquely identify a person, data concerning health, and data concerning a person's sex life or sexual orientation, is prohibited by default (Art. 9).
There are, however, a few exceptions to the rule. One of them applies if the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition cannot be lifted by the data subject.
2. Transferring data to third countries
When you transfer personal data to a third country or international organization, you may do so without any specific authorization if the European Commission has decided that the third country, territory, or organization in question ensures an adequate level of protection (an adequacy decision).
If no such level of protection is present and no appropriate safeguards are in place, you may still transfer personal data if the data subject gives you explicit consent to the proposed transfer. In that case you must first inform the data subject of the possible risks of the transfer that result from the absence of an adequacy decision and appropriate safeguards.
3. Automated decision-making
There are three situations in which a decision based solely on automated processing, including profiling, is permitted: when it is necessary for entering into or performing a contract between the data subject and the data controller; when it is authorized by Union or Member State law; and, finally, when it is based on the data subject's explicit consent.
If you are relying on explicit consent for automated decision-making, you will have to implement “suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.” (Art. 22)
How to obtain explicit consent?
There is more than one way to obtain explicit consent.
A written statement signed by the data subject is clear evidence of explicit consent. In the digital era, explicit consent can also be obtained by filling in an online form, uploading a scan of a written and signed statement, sending an e-mail, or using an electronic signature.
In theory, an oral statement can also constitute explicit consent; in practice, however, it can be very difficult to produce evidence of such consent later on.
On a website, you can obtain explicit consent from a visitor by offering an explicit consent screen with Yes and No checkboxes (or radio buttons) together with a statement that clearly indicates what the visitor is consenting to.
Clear affirmative action, by contrast, can include choosing technical settings for information society services, or another statement or conduct which clearly indicates, in this context, the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes, or inactivity never constitute consent, explicit or otherwise.
How to demonstrate explicit consent?
Demonstrating consent can be a delicate task. The controller must always be able to demonstrate that the data subject has consented (Art. 7(1)), but the GDPR does not prescribe which method to use or how to manage the process.
The obligation to demonstrate consent lasts as long as the processing activity in question does. After the processing ends, proof of consent should be kept no longer than strictly necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.
But what if the data subject has asked for their data to be deleted, and you are later asked to prove that your processing up to that point was compliant? This complicates matters further. Rather than improvising a partial solution, consent management software is often the safest way to manage consents.
It can consolidate your consent records, give each consent a time-stamped receipt, and let you demonstrate compliance for any data subject, on any level, at any point in time, even after they have exercised the right to be forgotten.
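The following Python is an added example, not code from the original article or from any particular consent management product. It sketches the two points made above: server-side validation of a Yes/No consent screen (rejecting missing answers and the browser default posted by a pre-ticked box), and a consent receipt that keeps only a keyed pseudonym of the data subject's identifier, so that consent can still be demonstrated after the profile holding the e-mail address has been erased. The form field names, purposes, statement text, key handling and the in-memory store are all assumptions made for the example.

```python
"""Added example (not from the original article): validating an explicit-consent
form and keeping a receipt that demonstrates consent after erasure.
Field names, purposes, statement text and the store are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime
from typing import Optional

# Purposes on the assumed consent screen, each with its own Yes/No control.
PURPOSES = ("process_health_data", "transfer_outside_eea", "automated_profiling")

# The exact statement shown, versioned so the receipt records what the subject
# was informed of. Wording is constructed for the example.
STATEMENT_VERSION = "v3"
STATEMENT_TEXT = ("I expressly consent to the processing described above for "
                  "each purpose I answered Yes to, and I may withdraw at any time.")

# Assumption: a real deployment loads this from a secrets store, apart from the log.
PSEUDONYM_KEY = b"constructed-example-key-not-for-production"

# Constructed submissions: one explicit; one with a pre-ticked checkbox posting
# the browser default "on" and one purpose left unanswered.
EXPLICIT_SUBMISSION = {"statement_version": "v3", "consent_process_health_data": "yes",
                       "consent_transfer_outside_eea": "no", "consent_automated_profiling": "yes"}
PRETICKED_SUBMISSION = {"statement_version": "v3", "consent_process_health_data": "on",
                        "consent_transfer_outside_eea": "no"}


class InvalidConsent(ValueError):
    """Submission that cannot count as explicit consent."""


def validate_submission(form: dict) -> dict:
    """Return {purpose: bool}; anything but an active "yes"/"no" per purpose
    (missing field, "", "on" from a pre-ticked box) is not consent."""
    if form.get("statement_version") != STATEMENT_VERSION:
        raise InvalidConsent("subject was not shown the current statement")
    decisions = {}
    for purpose in PURPOSES:
        answer = form.get(f"consent_{purpose}")
        if answer not in ("yes", "no"):
            raise InvalidConsent(f"no explicit yes/no answer for {purpose}")
        decisions[purpose] = answer == "yes"
    return decisions


def is_explicit(form: dict) -> bool:
    try:
        validate_submission(form)
        return True
    except InvalidConsent:
        return False


def pseudonymise(identifier: str) -> str:
    """Keyed hash: the receipt stores no e-mail address, but an address quoted
    in a later complaint can still be matched to its receipt."""
    return hmac.new(PSEUDONYM_KEY, identifier.strip().lower().encode(),
                    hashlib.sha256).hexdigest()


@dataclass
class ConsentReceipt:
    subject_ref: str            # pseudonym, never the raw identifier
    purposes: dict              # purpose -> True/False as answered
    statement_version: str
    statement_sha256: str       # digest of the text the subject actually saw
    method: str                 # how consent was expressed
    given_at: str               # ISO-8601 with UTC offset
    withdrawn_at: Optional[str] = None


class ConsentStore:
    """In-memory receipt log keyed by pseudonym (a database in practice)."""

    def __init__(self):
        self._receipts = {}

    def record(self, identifier: str, form: dict, now: str) -> ConsentReceipt:
        receipt = ConsentReceipt(pseudonymise(identifier), validate_submission(form),
                                 STATEMENT_VERSION,
                                 hashlib.sha256(STATEMENT_TEXT.encode()).hexdigest(),
                                 "web_form_explicit_yes_no", now)
        self._receipts.setdefault(receipt.subject_ref, []).append(receipt)
        return receipt

    def withdraw(self, identifier: str, now: str) -> int:
        """Close every open receipt for the subject; returns how many."""
        open_ones = [r for r in self._receipts.get(pseudonymise(identifier), [])
                     if r.withdrawn_at is None]
        for r in open_ones:
            r.withdrawn_at = now
        return len(open_ones)

    def had_consent(self, identifier: str, purpose: str, at: str) -> bool:
        """Was explicit consent for `purpose` in force at `at`? Needs only the
        pseudonym, so it still answers after the profile has been erased."""
        t = datetime.fromisoformat(at)
        for r in self._receipts.get(pseudonymise(identifier), []):
            if not r.purposes.get(purpose):
                continue
            ended = datetime.fromisoformat(r.withdrawn_at) if r.withdrawn_at else None
            if datetime.fromisoformat(r.given_at) <= t and (ended is None or t < ended):
                return True
        return False


def demo() -> dict:
    """Consent given, later withdrawn, profile erased elsewhere, then proof requested."""
    store = ConsentStore()
    receipt = store.record("Alice@Example.com", EXPLICIT_SUBMISSION, "2024-03-01T10:00:00+00:00")
    store.withdraw("alice@example.com", "2024-06-01T09:00:00+00:00")
    april, july = "2024-04-15T00:00:00+00:00", "2024-07-01T00:00:00+00:00"
    return {"receipt_exposes_email": "alice" in json.dumps(asdict(receipt)),
            "health_in_april": store.had_consent("alice@example.com", "process_health_data", april),
            "transfer_in_april": store.had_consent("alice@example.com", "transfer_outside_eea", april),
            "health_in_july": store.had_consent("alice@example.com", "process_health_data", july)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The receipt deliberately records the version and digest of the statement the subject saw, the method used, and the exact time of consent and withdrawal, because those are the facts a supervisory authority or a complainant will ask you to produce. Keeping the pseudonymisation key separate from the receipt log is what makes retaining the receipts after an erasure request defensible: without the key (or the subject's own identifier) the log identifies nobody.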