Consent Under GDPR: Key Aspects

Definition of Consent

Article 4(11) of the GDPR defines consent of the data subject as:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

This definition highlights that consent must meet specific criteria to be valid.

Criteria for Valid Consent

Freely Given

  • Voluntary: Consent must be given voluntarily, meaning the individual has a genuine choice and is not pressured into giving consent. Where there is a clear imbalance of power (for example between an employer and an employee), consent is unlikely to be freely given.
  • No Penalty for Refusal: The individual should not face any detriment or penalty for choosing not to consent. Under Article 7(4), making the performance of a contract or service conditional on consent to processing that is not necessary for that contract weighs heavily against the consent being freely given.

Specific

  • Clear Purpose: Consent must be given for a specific purpose or purposes. Broad or vague consent (e.g., “for any purpose”) is not considered valid.
  • Granular Consent: Where processing involves different purposes, individuals should be able to consent separately to each purpose.

Informed

  • Detailed Information: Individuals must be provided with clear and concise information about what their data will be used for, who will process it, and their rights related to the data.
  • Understanding: The information must be easy to understand, allowing individuals to make an informed decision.

Unambiguous

  • Clear Affirmative Action: Consent must be given through a clear affirmative action, such as ticking a box, clicking a button, or signing a document.
  • No Pre-ticked Boxes: Recital 32 is explicit that silence, pre-ticked boxes or inactivity do not constitute consent. A default that the individual merely fails to change is not an affirmative action, so nothing can be inferred from it.

Requirements for Obtaining Consent

Written Record

  • Documentation: Under Article 7(1), the burden of demonstrating that the data subject has consented rests on the controller. This means keeping a record of the consent process: who consented, when, to which purpose, how consent was captured (for example a ticked box on a named form), and which version of the information was shown to them at the time.

Separate from Other Agreements

  • Not Bundled: Article 7(2) requires a request for consent that appears in a written declaration concerning other matters to be presented in a manner clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language. For example, consent for marketing should not be bundled into acceptance of the general terms and conditions.

Easy to Withdraw

  • Withdrawal Mechanism: Under Article 7(3), individuals have the right to withdraw their consent at any time, and it must be as easy to withdraw consent as it was to give it. The individual must be told about this right before consent is given, and the process for withdrawing should be clear and straightforward.
  • Impact of Withdrawal: Withdrawal does not affect the lawfulness of processing carried out on the basis of consent before it was withdrawn. Processing after withdrawal, however, needs a different lawful basis or must stop.

Special Considerations

Consent for Children

  • Age Requirements: Article 8 applies where an information society service (such as an online platform or app) is offered directly to a child and consent is the lawful basis. In that case the processing is lawful only where the child is at least 16 years old; below that age, consent must be given or authorised by the holder of parental responsibility. Member States may set a lower age limit, but not below 13 years. Controllers must make reasonable efforts, taking available technology into account, to verify that parental consent was actually given or authorised.

Sensitive Data

  • Explicit Consent: Article 9 prohibits processing of special categories of personal data (e.g., health data, racial or ethnic origin, biometric data for unique identification) unless one of the conditions in Article 9(2) applies. Explicit consent is one such condition: a clear, specific statement of consent to the processing of that sensitive data, for the stated purpose, that goes beyond what would satisfy ordinary consent.

Examples of Consent Practices

Online Forms

  • Checkboxes: Using boxes that are unchecked by default, one per purpose, so that individuals actively opt in to receive newsletters or marketing communications.
  • Clear Statements: Providing specific information next to each checkbox about what the consent covers, how the data will be used, and how to withdraw.

Mobile Apps

  • Permissions: Requesting specific permissions for accessing data (e.g., location, contacts) with a clear explanation of why the data is needed.

Customer Service

  • Consent Records: Obtaining and documenting consent during customer interactions, ensuring individuals are informed about data processing practices.
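The record-keeping, withdrawal and online-form points above describe requirements rather than an implementation, so the following is an added example, not code from the original page or from the law firm that published it. It sketches a hypothetical append-only consent ledger: consent is recorded per declared purpose (specific and granular), a capture from a pre-ticked or unticked box is refused (no inferred consent), each grant stores how it was captured and a hash of the exact notice shown (the demonstrable record), withdrawal is a single call with no preconditions, and a point-in-time query shows that a later withdrawal leaves earlier processing lawful. All class, method and field names, the purposes, the notice text and the `user-42`/`user-43` subject identifiers are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class InvalidConsent(ValueError):
    """Raised when a capture would not meet the GDPR consent criteria."""


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    action: str             # "given" or "withdrawn"
    timestamp: datetime     # UTC time of the action
    method: str             # how it was captured, e.g. "web_form_checkbox" (assumed label)
    notice_version: str     # version of the information shown to the person
    notice_sha256: str      # hash of the exact notice text shown ("" on withdrawal)


class ConsentLedger:
    """Hypothetical append-only record of consent given and withdrawn, per subject and purpose."""

    def __init__(self, purposes: set[str]) -> None:
        # Purposes are declared up front; consent is recorded per purpose, never in bulk.
        self.purposes = set(purposes)
        self._events: list[ConsentEvent] = []

    def record_given(self, subject_id: str, purpose: str, *, box_checked: bool,
                     box_default_checked: bool, method: str, notice_version: str,
                     notice_text: str, now: datetime | None = None) -> ConsentEvent:
        if purpose not in self.purposes:
            raise InvalidConsent(f"purpose {purpose!r} was never declared; consent must be specific")
        if box_default_checked:
            raise InvalidConsent("pre-ticked box: consent cannot be inferred from a default")
        if not box_checked:
            raise InvalidConsent("no affirmative action: nothing to record")
        event = ConsentEvent(
            subject_id, purpose, "given", now or datetime.now(timezone.utc), method,
            notice_version, hashlib.sha256(notice_text.encode("utf-8")).hexdigest(),
        )
        self._events.append(event)
        return event

    def record_withdrawn(self, subject_id: str, purpose: str, *, method: str,
                         now: datetime | None = None) -> ConsentEvent:
        # One call, no preconditions: withdrawing is as easy as giving.
        if purpose not in self.purposes:
            raise InvalidConsent(f"purpose {purpose!r} was never declared")
        event = ConsentEvent(subject_id, purpose, "withdrawn",
                             now or datetime.now(timezone.utc), method, "", "")
        self._events.append(event)
        return event

    def evidence(self, subject_id: str, purpose: str) -> list[ConsentEvent]:
        """Chronological history for one subject and purpose: what a controller can show."""
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.timestamp)

    def is_consented(self, subject_id: str, purpose: str,
                     at: datetime | None = None) -> bool:
        """Consent state as of `at`; a later withdrawal does not change earlier answers."""
        at = at or datetime.now(timezone.utc)
        state = False
        for event in self.evidence(subject_id, purpose):
            if event.timestamp <= at:
                state = event.action == "given"
        return state


def demo() -> dict:
    """Constructed scenario: one valid grant, three rejected captures, one withdrawal."""
    ledger = ConsentLedger(purposes={"newsletter", "product_analytics"})
    notice = "We will email you a monthly newsletter. You can unsubscribe at any time."
    given_at = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    withdrawn_at = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    common = dict(method="web_form_checkbox", notice_version="2024-01", notice_text=notice)

    ledger.record_given("user-42", "newsletter", box_checked=True,
                        box_default_checked=False, now=given_at, **common)

    rejected = []
    for bad in (dict(purpose="newsletter", box_checked=True, box_default_checked=True),    # pre-ticked
                dict(purpose="newsletter", box_checked=False, box_default_checked=False),  # left blank
                dict(purpose="everything", box_checked=True, box_default_checked=False)):  # undeclared
        try:
            ledger.record_given("user-43", now=given_at, **common, **bad)
        except InvalidConsent as exc:
            rejected.append(str(exc))

    ledger.record_withdrawn("user-42", "newsletter", method="web_form_checkbox", now=withdrawn_at)
    return {
        "lawful_before_withdrawal": ledger.is_consented("user-42", "newsletter", at=given_at + timedelta(days=1)),
        "lawful_after_withdrawal": ledger.is_consented("user-42", "newsletter", at=withdrawn_at + timedelta(days=1)),
        "analytics_never_asked": ledger.is_consented("user-42", "product_analytics", at=withdrawn_at),
        "rejected_captures": rejected,
        "history": [e.action for e in ledger.evidence("user-42", "newsletter")],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ledger never deletes or overwrites an event, which is what lets it answer both "is this person consented now?" and "was this person consented on the date we sent that email?"; storing the notice hash and version alongside the grant is what lets the controller show what the person was actually told, not just that a box was ticked.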

Implications of Non-Compliance

Regulatory Penalties

  • Fines: Infringements of the conditions for consent in Article 7 fall into the higher tier of Article 83(5), with administrative fines of up to EUR 20 million or, for an undertaking, up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. Supervisory authorities can also order processing to stop where it has no valid basis.

Reputational Damage

  • Trust Issues: Non-compliance can erode customer trust and damage an organization’s reputation.

Conclusion

Consent under GDPR is a rigorous standard designed to protect individuals’ rights and ensure they have control over their personal data. Organizations must ensure that consent is freely given, specific, informed, and unambiguous, and they must be able to demonstrate compliance with these requirements. By adhering to these principles, businesses can ensure lawful processing of personal data and build trust with their users.

Disclaimer

Local rules prevent law firms from directly advertising or soliciting work. By accessing this website, you acknowledge that you are seeking information about our services on your own. The content here is for informational purposes only and is not legal advice. Legal Brix is not responsible for any actions you take based on the information on this site. We recommend consulting separately for personalized legal guidance. For more information about how we handle your data and the terms governing your use of this site, please visit our Privacy Notice and Terms of Use.