Newsflash
Data protection and privacy

Consent is one of six lawful bases in the GDPR under which personal data can be processed. On 28 November 2017, the so-called Article 29 Working Party (“WP29”), an advisory and consultation body of European Data Protection Supervisors, adopted guidelines (WP 259) on the notion of “consent”.

As discussed in a previous Newsflash, the GDPR has tightened the conditions concerning the notion of “consent”. The GDPR defines consent as any (i) freely given, (ii) specific, (iii) informed and (iv) unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. In its guidelines,[IV|C&E1]  the WP29 provides more explanation of what these four validity conditions exactly mean and states that, in order to be valid, the consent must be:

  • freely given: this implies real choice and some measure of control on the data processing for data subjects. Consent will not be valid in case of an imbalance of power between the controller and the data subject – which occurs in the employment context – or if the consent is given in exchange for the performance of a contract. When the processing has multiple purposes, consent must also be given for each purpose. Finally, the data subject must be able to refuse or withdraw consent without being disadvantaged as a consequence.
     
  • specific: according to the WP29, to be specific, the controller must (i) explain the purpose of the processing, (ii) request specific consent for any processing with multiple purposes, and (iii) clearly separate information related to obtaining consent for data processing activities from information about other matters.
     
  • informed: for consent to be informed, the WP29 is of the opinion that at least the following information is required:
    •  the controller’s identity;
    • the purpose of each of the processing operations for which consent is sought;
    • what (type of) data will be collected and used;
    • the existence of the right to withdraw consent;
    • information about the use of the data for decisions based solely on automated processing;
    • possible risks of data transfers to third countries outside the EU.
       
  • Unambiguous indication of wishes: consent must be given by a clear affirmative action or a statement that clearly indicates the consent, such as a signature on a form or a click on a screen. The use of pre-ticked opt-in boxes or implicit agreements are no longer possible.

The WP29 also states that it is up to the controller to prove that a valid consent was obtained from the data subject. The controller must be able to prove when the consent was obtained and which information was given to the data subject. 

The WP29 emphasises that the data subject has always the opportunity to withdraw his or her consent. The controller must ensure that consent can be withdrawn by the data subject as easily as giving consent. For example, if the consent is obtained via electronic means through only one mouse click, data subjects must be able to withdraw that consent equally as easily.

What is explicit consent?

The WP29 then examines on the notion of “explicit consent”. The GDPR prescribes that in certain situations (e.g. sensitive categories of personal data such as data relating to health, data revealing the racial origin) consent must be explicit. The WP29 advises that the data subject must give an express statement of consent, for example by a written statement, a completed electronic form or an e-mail.

Specific areas of concern

The WP29 identifies two specific areas of concern in the GDPR:

  • children: the GDPR provides that with regard to the directly offered online services, a child can lawfully give his or her consent where the child is at least 16 years (except for Member States that provided a lower age by law). If the child is younger than 16 years old, consent must be given by a holder of parental responsibility. According to the WP29, controllers must make reasonable efforts to find out the age of the child and to use appropriate language.
     
  • scientific research: the GDPR provides exceptionally for scientific research that the purpose of data processing can be defined more generally. The WP29 suggests in its advice that this exception should be interpreted strictly especially when it concerns sensitive data.

 Consent obtained before the GDPR

Consent which has been obtained before the entry into force of the GDRP will only remain valid – according to the WP29 – in so far as it is in line with the conditions laid down in the GDPR.

The WP29 advises the controllers – if the consent is no longer valid at the point at which the GDPR enters into force – to obtain fresh GDPR‑compliant consent or to base the data processing on a different legal ground.

In this context, we point out that for several processing activities other legal grounds are possible to process personal data and consent is not necessary. The most useful legal grounds are:

  • the necessity for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract (e.g., employment contract);
  • the necessity for compliance with a legal obligation (e.g. social law, accounting law);
  • the necessity for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.