In our previous blog post we discussed personal data and sensitive personal data.
We also explained what the GDPR says about the grounds on which personal data can be processed.
In this blog post we will dive deeper into this subject, focussing on the ground most focussed on in the GDPR: Consent.
Under previous privacy laws, consent was already a ground for legal processing of personal data. Under the GDPR this remains so, but more strict rules apply on consent. This means that if your company relied on consent as a means to legally process data before, you need to check if the way you obtain consent from data subjects is still compliant with the GDPR.
Review all your current contracts and general terms and conditions to make sure they comply with the GDPR. In article 7 of the GDPR, the 4 conditions for consent are explained:
– The data Controller needs to be able to demonstrate that the data subject has consented to processing of his or her personal data. Meaning you should log proof of when and how you obtained consent, from whom, and for what kind of processing.
– The request for consent shall be presented in a manner clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language. This means no more big patches of text, and no more small print. If different processing activities take place, then the data subject must give consent for every separate type of processing.
– For data subjects, it should be equally easy to give or withdraw consent. Meaning you should implement a process to deal with consent withdrawal requests, if your company didn’t have this already.
– Consent will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent easily (without detriment). For example, authorities will assess if in a contract with the data subject the consent for processing activities is made conditional, whilst these activities are not necessary for the performance of the contract. Also, silence cannot be taken as consent anymore. Pre-ticked boxes, inactivity, failure to opt-out, or passive acceptance (acquiescence) are history under the GDPR.
It is important to check if the consent you received so far is in line with the rules of the GDPR. Note that it is stated in recital 171 of the GDPR that where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for data subjects to give consent again if the way that consent was given is in line with the conditions of the GDPR. Also note that for children, even more specific rules around consent are in place, which can be found in article 8 of the GDPR.
We hope you enjoyed this blog post. In our next, we will discuss the rights of data subjects.