What is a GDPR-compliant consent?
In the context of the EU General Data Protection Regulation (GDPR), consent is one of the six lawful bases for processing personal data, so there are several available legal grounds you can rely on.
You are not necessarily obligated to obtain consent for processing personal data, as long as your processing is based on one of the legal bases and you can assure the lawfulness of that processing.
However, most organizations will find that some of their usual processing activities, marketing being the typical example, can only continue on the basis of consent. If you rely on consent, you will have to obtain consent that meets certain requirements: it has to be “freely given”, “specific”, “informed” and “unambiguous”.
We will go over each requirement and back it up with EDPB guidelines to provide more insight into the practical side, as well as the basics of consent management.
Consent as one of the lawful bases for processing
Before you start to process personal data, you should identify and document a valid lawful basis for collecting, processing, storing, or using that data.
There are six legal bases for processing personal data:
- Consent: the individual (data subject) gives consent for the processing of personal data for one or more specific purposes.
- Contract: the processing is necessary for the performance of a contract to which the data subject is a party.
- Legal obligation: the processing of personal data is necessary for a company to comply with the law.
- Protection of vital interests: the processing is necessary to protect someone’s life or freedoms.
- Public task: the processing is necessary for performing a task in the public interest.
- Legitimate interests: the processing is necessary for the purposes of the data controller’s legitimate interests or the legitimate interests of a third party.
Generally, consent can only be an appropriate lawful basis if the individual is offered control and a genuine choice when accepting or declining the terms that are offered.
Relying on consent is by no means an easy option. It involves a number of elements that all need to be satisfied for consent to be GDPR compliant. If any of those elements is lacking, you risk high GDPR fines.
Choosing the right lawful basis will depend on the purpose of the processing and specific circumstances.
It is advisable to conduct a DPIA (Data Protection Impact Assessment) before you start processing personal data, in order to identify the proper lawful basis. In some cases, you will conclude that consent is the only proper way to collect the data.
Elements of compliant consent
GDPR defines requirements for compliant consent in Article 4(11):
“Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
The purpose is to give individuals control over their data. So, the right question to ask when collecting personal data is: “Have you given the individual a real choice and real control over the processing of their data?”
If you collect and process personal data based on consent, note that you will also have to be able to demonstrate that the data subject consented to the processing.
1. FREELY GIVEN CONSENT
Freely given consent means you have presented data subjects with a genuine choice and made it possible for them to refuse or withdraw their consent at any given time. Individuals shouldn’t be misled or intimidated into giving consent.
However, there are a few situations where it is arguable if consent can be considered freely given. This applies to situations where there is an element of pressure or compulsion.
For example, in employee-employer relationships, where there is an uneven distribution of power, employees may give consent simply to avoid unpleasant situations at work; in that case, the consent does not constitute GDPR-compliant consent.
If an individual wants to withdraw their consent, they should be able to do so at any time in the easiest possible way. As a rule of thumb, they should be able to withdraw it as easily as they gave it. When you collect consent, you should also notify your contacts of the way they can withdraw it.
2. CONSENT HAS TO BE SPECIFIC
For consent to be considered specific, it must be distinguishable from other matters and cover all processing activities.
If there are multiple purposes, then consent has to be given for each specific purpose. This means you should separate your terms and conditions from each specific consent.
Consent may cover different operations as long as these operations serve the same purpose. In any other situation, you have to provide a separate opt-in for each purpose.
In order to satisfy the requirement that consent be specific, you must apply granularity in consent requests and keep the information related to obtaining consent clearly separated from information about other matters.
3. CONSENT HAS TO BE INFORMED
Informed consent entails that the data subjects are informed about what they are agreeing to before you collect their consent.
Disclose the identity of the controller and purpose of the processing along with all necessary information of the processing activity in clear and plain language so it is easily understandable and individuals are familiar with the significance of their consent.
4. CONSENT HAS TO BE UNAMBIGUOUS
Consent should be given by a clear affirmative action that should leave no doubt that the individual intended to give consent.
This means that valid consent requires an action from the individual, such as ticking the consent box, signing a statement, or giving consent verbally. Silence, pre-ticked boxes, or inactivity do not constitute consent.
What is explicit consent?
Explicit consent is required in situations where there is a potentially serious data protection risk, and the situation requires a higher level of control over processing personal data.
You will have to obtain explicit consent when processing sensitive personal data, transferring data to third countries or international organizations without appropriate safeguards, and for automated individual decision-making, including profiling.
The main difference between consent and explicit consent is in the form or way they are given or expressed by the data subject. The data subject can give consent either by a statement or by clear affirmative action. When consent is given by a statement, it is considered to be explicit.
Additional requirements for valid GDPR consent
As a controller, you are obligated to demonstrate valid consent. This means you are obligated to document and manage collected consent and keep records of consent.
Since managing consents manually has proven to be an almost impossible task in the long run, automation proves to be the only GDPR-compliant way to manage consents.
A Consent Management Platform (CMP), such as the DPM Consent and Preference Management module, helps you collect and handle personal information in a GDPR-compliant way, enabling you to track, monitor, and respond to data subjects’ requests and consent preferences and to demonstrate compliance.
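The four elements described above (freely given, specific, informed, unambiguous) and the duty in this section to keep records that demonstrate consent map naturally onto a small consent store. The following Python is an added example written for this page; it is not code from the article or from the DPM product it mentions. The controller name, purposes, subject identifier, notice text and timestamps are constructed, and the checks encode one engineer's reading of the requirements: nothing is stored unless every element holds, consent is recorded per purpose, withdrawal is a single call with no validation (as easy as giving it), and an append-only audit log records every grant and withdrawal.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


class InvalidConsent(ValueError):
    """Raised when a consent request fails one of the four GDPR elements."""


@dataclass(frozen=True)
class ConsentRequest:
    """What the data subject was shown and what they did (all fields constructed)."""
    subject_id: str
    controller: str           # identity of the controller (informed)
    purpose: str              # exactly one purpose per request (specific)
    notice_text: str          # plain-language notice shown before collection (informed)
    withdrawal_info: str      # how consent can be withdrawn (freely given)
    affirmative_action: bool  # ticked box, signed statement, verbal yes (unambiguous)
    default_checked: bool     # True if the box was pre-ticked (not consent)
    bundled_with_terms: bool  # True if consent was buried in the T&Cs (not specific)
    coerced: bool             # True if given under pressure, e.g. by an employer


@dataclass
class ConsentRecord:
    """Stored evidence the controller can use to demonstrate consent."""
    subject_id: str
    purpose: str
    given_at: datetime
    notice_text: str
    withdrawn_at: Optional[datetime] = None


def validate(req: ConsentRequest) -> None:
    """Reject a request that fails any of the four elements; returns None if valid."""
    # 1. freely given: no coercion, and the subject was told how to withdraw
    if req.coerced:
        raise InvalidConsent("consent given under pressure is not freely given")
    if not req.withdrawal_info.strip():
        raise InvalidConsent("subject must be told how to withdraw consent")
    # 2. specific: one named purpose, kept separate from other matters
    if not req.purpose.strip() or req.bundled_with_terms:
        raise InvalidConsent("consent must be granular and separate from terms and conditions")
    # 3. informed: the notice must name the controller and the purpose
    if (not req.controller.strip() or req.controller not in req.notice_text
            or req.purpose not in req.notice_text):
        raise InvalidConsent("notice must disclose the controller's identity and the purpose")
    # 4. unambiguous: clear affirmative action, never a pre-ticked default
    if req.default_checked or not req.affirmative_action:
        raise InvalidConsent("silence, pre-ticked boxes or inactivity do not constitute consent")


class ConsentStore:
    """Per-purpose consent records plus an append-only audit log."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}
        self.audit_log: List[Tuple[str, str, str, datetime]] = []

    def record(self, req: ConsentRequest, now: Optional[datetime] = None) -> ConsentRecord:
        validate(req)  # nothing is stored unless all four elements hold
        now = now or datetime.now(timezone.utc)
        rec = ConsentRecord(req.subject_id, req.purpose, now, req.notice_text)
        self._records[(req.subject_id, req.purpose)] = rec
        self.audit_log.append(("given", req.subject_id, req.purpose, now))
        return rec

    def withdraw(self, subject_id: str, purpose: str, now: Optional[datetime] = None) -> bool:
        """One call, no extra hurdles: withdrawing must be as easy as giving consent."""
        rec = self._records.get((subject_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = now or datetime.now(timezone.utc)
        self.audit_log.append(("withdrawn", subject_id, purpose, rec.withdrawn_at))
        return True

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Only an active record for this exact purpose authorises processing."""
        rec = self._records.get((subject_id, purpose))
        return rec is not None and rec.withdrawn_at is None


def demo() -> ConsentStore:
    """Constructed walk-through: one valid opt-in, one rejected pre-ticked box."""
    store = ConsentStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    newsletter_notice = ("Example Ltd will use your e-mail address for the purpose "
                         "'newsletter'. You can withdraw at any time via the unsubscribe link.")
    store.record(ConsentRequest("subj-001", "Example Ltd", "newsletter", newsletter_notice,
                                "unsubscribe link in every e-mail", affirmative_action=True,
                                default_checked=False, bundled_with_terms=False, coerced=False), t0)
    profiling_notice = ("Example Ltd will use your browsing history for the purpose "
                        "'profiling'. You can withdraw at any time in your settings.")
    try:  # a pre-ticked 'profiling' box is not consent, so nothing is stored for it
        store.record(ConsentRequest("subj-001", "Example Ltd", "profiling", profiling_notice,
                                    "settings page", affirmative_action=False,
                                    default_checked=True, bundled_with_terms=False, coerced=False), t0)
    except InvalidConsent:
        pass
    return store
```

Because consent is keyed on (subject, purpose), `may_process` for “profiling” stays false even though the same subject validly opted into the newsletter, which is the granularity the “specific” element demands; the audit log is what you would hand over when asked to demonstrate that consent was given, when, and against which notice text.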