29WP Guidelines on Consent under the GDPR

On 10 April 2018 the 29WP published guidance on consent under the GDPR. It is not new that the concept of consent as used in the Data Protection Directive has evolved. The GDPR adds requirements for obtaining and demonstrating valid consent, and these Guidelines are intended as practical guidance for ensuring compliance with the GDPR.

It is important to note that there is a real obligation on controllers to innovate and to find new solutions that better support the protection of personal data and the interests of data subjects.

Consent remains one of the six lawful bases for processing personal data; however, it is only an appropriate lawful basis if the data subject is offered control and a genuine choice. Otherwise the data subject’s consent is invalid, rendering the processing activity unlawful. Obtaining consent also does not diminish the controller’s obligation to observe the principles of processing, such as fairness, necessity and proportionality, as well as data quality.


Under the GDPR, consent must be freely given, specific, informed and an unambiguous indication of the data subject's wishes. To understand whether the GDPR wording requires controllers to change their consent forms, an analysis of the current consent mechanisms should be performed.

For example, in the employment context the 29WP considers that there is an imbalance of power, given the dependency that results from the employer/employee relationship, so it may be problematic for employers to process personal data of current or future employees on the basis of consent, as such consent is unlikely to be freely given. This does not mean that employers can never rely on consent as a lawful basis: there may be situations in which the employer can demonstrate that consent actually is freely given, for example where there are no adverse consequences for the employee whether or not they give consent, but this should be limited to exceptional cases. Although this is not a new requirement, many controllers will probably need to revisit their processing activities in the employment context in light of this clarification.

Another very important aspect is that the GDPR reinforces the requirement that consent must be informed. Transparency is one of the fundamental principles, closely related to the principles of fairness and lawfulness. The consequence of not meeting the requirements for informed consent is that the consent is invalid and the controller may be in breach of Article 6 of the GDPR, which can result in administrative fines of up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, as per Article 83.

For consent to be informed, the data subject must be told certain elements that are crucial to making a choice, such as: (i) the controller’s identity, (ii) the purpose of each processing operation for which consent is sought, (iii) what (type of) data will be collected and used, (iv) the existence of the right to withdraw consent, (v) information about the use of the data for automated decision-making and (vi) the possible risks of data transfers due to the absence of an adequacy decision and of appropriate safeguards.

A controller that relies on the consent of the data subject must also deal with the separate information duties laid down in Articles 13 and 14 in order to be compliant with the GDPR. In practice, compliance with the information duties and compliance with the requirement of informed consent may lead to an integrated approach in many cases. However, the Guidelines are written on the understanding that valid “informed” consent can exist even when not all elements of Articles 13 and/or 14 are mentioned in the process of obtaining consent (these points should of course be covered elsewhere, such as in the company’s privacy notice).

One of the ideas behind the 29WP’s clarification is the following: if the data controller does not include the details of the DPO in the consent form, even though this is information that must be provided to data subjects at the time the personal data are obtained, the consent is not invalidated, meaning that the controller would not be in breach of Article 6 of the GDPR. A breach of Article 13, however, carries the same consequences. So in any case, whether through the consent form or through the company’s privacy policy/notices, the information must always be provided, which, at the end of the day, will most likely require amending such documents.

Another important aspect is that, under the GDPR, valid consent requires an unambiguous indication by means of a statement or a clear affirmative action, so blanket acceptance of general terms and conditions is not accepted, nor are pre-ticked boxes or opt-out constructions.

The GDPR requires controllers to make additional arrangements to ensure that they obtain, maintain and are able to demonstrate valid consent. Article 7 of the GDPR sets out these additional conditions for valid consent, with specific provisions on keeping records of consent and on the right to easily withdraw consent. Regarding proof of consent, for example, it is advisable for controllers to obtain a signed written statement from the data subject, in order to remove any doubt and any potential lack of evidence in the future. This does not exclude the possibility of explicit oral consent, though the controller must ensure that the information about the choice is fair, intelligible and clear, and that it asks for a specific confirmation from the data subject (e.g. pressing a button or providing oral confirmation).

Regarding consent withdrawal, the GDPR describes easy withdrawal as a necessary aspect of valid consent. If the withdrawal right does not meet the GDPR requirements, then the controller’s consent mechanism does not comply with the GDPR. Note that if consent is withdrawn, all processing operations that were based on consent and took place before the withdrawal, in accordance with the GDPR, remain lawful; however, the controller must stop the processing actions concerned and, if there is no other lawful basis justifying the processing, the data must be deleted.

In this regard, it is important to note that if a controller chooses to rely on consent for any part of the processing, it must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent. In other words, the 29WP clarifies that the controller cannot swap from consent to another lawful basis, and is not allowed to retrospectively rely on the legitimate interest basis to justify processing where problems have been encountered with the validity of consent, mainly because of the requirement to disclose the lawful basis at the time the personal data are collected.

The Guidelines also provide relevant information on child consent and on consent and other lawful bases for processing in clinical and scientific research, and highlight the need for safeguards in processing for scientific purposes, such as data minimisation, anonymisation and data security.

To conclude, the Guidelines also clarify the need for re-consent under the Regulation and determine that, in some cases, controllers are not automatically required to completely refresh all existing consent relations, as long as the consent obtained to date continues to be valid insofar as it is in line with the conditions laid down in the GDPR.

Although the information obligations under Articles 13 and 14 do not necessarily prevent consent granted before the GDPR entered into force from continuing to be valid, this does not mean that such information need not be provided. If a controller finds that consent previously obtained under the old legislation does not meet the GDPR standard, it must take action to comply with that standard, even when it is not possible to renew consent. This means that, in order to observe the principles of lawful, fair and transparent processing, controllers must find a way to ensure the relevant information is provided in any case.

Reading the 29WP Guidelines is highly recommended for a full understanding of the matter, so I’m happy to provide the direct link here: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051

Regards,

DCA
