The European Data Protection Board has updated its guidelines on consent to the processing of personal data. Countless articles have been written on this topic. However, in this article we will try to conceptualize consent to processing in a very practical way and with pictures! 💪
Remember that not all processing requires consent to process personal data. However, if you need to prepare one, we have prepared the basic requirements for such consent. ↗.
Or drop us a line ↗ and we will gladly prepare everything for you.
Consent to the processing of personal data is one of the legal bases on which the controller may process personal data. The controller must always give sufficient consideration to which legal basis he chooses. In addition to consent, he or she may process the data, for example, because he or she is required to do so by law, needs to perform a contract, or has a legitimate interest (other legal bases for processing). The legal grounds are listed in Article 6 of the GDPR. The term lawfulness of processing is used in the Czech Republic for the legal basis. It is up to the controller to choose the correct legal basis, no one else can do it for them.
Consent to processing should only be used where there is no other legal basis for processing. So we can borrow and slightly modify chef Jiří Babica's catchphrase: "If you don't have another legal basis, put consent in there."
However, you still need to keep in mind that personal data is used for a specific purpose. Therefore, if the data are not needed for the purpose in question, logically and using common sense, even consent to the processing of personal data is not sufficient. If, as a controller, I want to trace the exact location of an individual, I will not be able to process religious beliefs, for example, on the basis of consent. Therefore, Jirka Babica's sentence should be slightly more modified: "If you have no other legal basis and you really need the data for the purpose, then put your consent there."
Remember to also distinguish between "I agree to the processing of personal data" and, for example, "I agree to the personal data processing policy". The first example is aimed at the use of consent as a legal basis and the second at a general acquaintance with the processing process. In the latter case, it is therefore preferable to use different words, such as 'I have been informed of...'. This can be confusing for the data subject - does he or she consent to the processing, or does he or she consent and has been informed of what will happen to his or her data?
Consent to the processing of personal data should have 4 basic elements. It must be a free, specific, informed and unambiguous expression of the data subject's will.
Simply put: "No one can force me to give consent." Among other things, a situation where the provision of a service is tied to consent that is not required can be considered non-consensual:
In some cases, requiring consent to provide a service could be considered free. These are called "take it or leave it" consents. More on this topic in this article ↗.
The issue of freedom of consent is also addressed in the relationship between employees and employers. The EDBP's guidance is inclined to the view that, where consent is sought from an employee, it is very likely that the employee will not be able to decide freely whether or not to give it. He or she may fear loss of employment, harassment by the employer and other negative reactions associated with not giving consent.
However, the above does not mean that the employer cannot require employees to give consent. However, these must be situations where the employer will not force consent and where the failure to give consent will not have any negative effect on the employee. There must therefore be an alternative solution for the employee.
The EDPB described the possibility of requiring consent using the following practical example:
To ensure freedom of consent, consent must be separated for the different purposes for which it is required. A typical example would be requiring the consent of a visitor to a platform that offers price comparisons between different shops, that wants to collect email addresses for commercial communications and that wants to share data within a group of companies:
Consent to processing must always be given for specific purposes. For example, the Netlix platform may process personal data on the basis of consent in order to provide its customers with tailored offers of new films according to their viewing preferences. Later, it will decide to allow other platforms and advertising companies to display their ads on the customer's menu, based on what the customer likes to watch. This will be a new purpose and new consent will need to be obtained for this processing. Otherwise, the specificity very much coincides with the example above, where consent must be split for each purpose.
The processing of personal data should always be transparent. The controller must provide sufficient information to data subjects. The data subject should be given enough information to be able to say with confidence: 'Okay, I trust you'. The information must also be sufficiently distinguishable from other parts of the text.
According to the EDPB, each controller should provide this information in order to constitute valid consent:
But how to cram all the mandatory information to a tiny consent check-box? By layering. The first layer, with the check-box, should contain the most important information - who, why, what personal data. Next, there should be a link to the existing privacy policy, where the subject can find the details and additional information listed above. Often, the additional information is listed in the privacy policy, in which case it is important to keep the consent information sufficiently separate from the rest of the information.
Example: I consent to the use of my e-mail address by TWENTYTHOUSANDEMAILSDAILY s.r.o. to send me commercial communications regarding impact drills. For more details on processing, please click here.
In order for consent to be valid, it must be an informed active act on the part of the data subject. Simply put: "Silence does not mean consent." For example, active consent to the terms of use of an application where a provision contains consent to the processing of personal data is not sufficient. However, active and informed behaviour can be demonstrated in other ways. For example, the EDPB explicitly states that waving at the camera, swiping a dialog box on the screen, or specific movements with a mobile phone can also be considered as unambiguous expressions of intent. It follows - consent does not have to be in writing only.
Creativity knows no limits. The administrator must not forget that he must be able to prove all the above mentioned elements of consent. Check-boxes, signatures, electronic signatures, consent in a monitored audio call. These are just some of the possibilities.
The EDPB states that it is also possible to "secure" consent by two-step verification:
Information about the possible further purpose of the processing will be sent to the e-mail. If the data subject agrees to it, he or she should send a reply to the email stating "I agree.". To be on the safe side, the controller will also send the data subject a response to the consent e-mail, which will include a URL link to verify the consent given. Clicking on the link is verified and consented to.
When processing special categories of personal data (sensitive), it is also necessary to comply with one of the exceptions through which such data can be processed. The exceptions are listed in Article 9 of the GDPR. Unfortunately, Article 9 does not recognise necessity for the performance of a contract, so often you will need to obtain consent to process sensitive data even if it is necessary for the performance of a contractual relationship.
Example: The airline offers an assistance service for people with disabilities who do not have their own assistant. The customer orders this service, and the airline needs to know the customer's exact medical condition in order to target the service accurately (prepare wheelchair, assistant, etc.). However, as this is sensitive data and Article 9 does not provide for an exception for processing that would affect the performance of the contract, consent must be obtained from the customer. Without consent, the customer can use the normal airline services, but without assistance.
A special feature of consent as a legal basis is its revocability. No other legal basis simply works in this way. The data subject is free to decide at any time that he or she no longer wants personal data to be processed on the basis of consent.
The GDPR places an obligation on the controller to make it as easy to revoke as it is to obtain. So, for example, if a subject clicks on consent in an app, the app interface should also offer the option to withdraw consent. An example of what the option to withdraw consent should not look like is as follows:
Consent to the processing of personal data can be a good servant. However, it requires the right wording, a suitably chosen purpose, and well-established processes for revoking and storing the consent granted. We have attempted to describe in practical terms how consent to the processing of personal data works and what to look out for when setting it up. However, if you are not sure, please do not hesitate to contact us ↗. We always tailor-make the consent for our clients to fit their image, their way of expressing themselves and to reflect the services or products they offer.
If you are interested in the current situation with the transfer of personal data to the dp USA, read our next article ↗.