GDPR: WP29 on consents
Consent to personal data processing is defined in Article 4 (11) of the GDPR: "Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." This means that consent can be considered validly given only if these basic elements are present: it is freely given, specific, informed and unambiguous. WP29 commented on these elements as follows. WP29 also expressed its opinion on consent given in electronic form.
Data subjects must be given a chance to make a real choice, to take an actual decision and to retain control over the consent once given; otherwise the consent cannot be considered valid. If a service requires that data be processed for multiple purposes, it is always necessary to seek consent for each individual operation separately. A "general" consent intended to cover several purposes will not be valid. Consent to personal data processing may not be traded as consideration for the performance of a contract. If a data subject decides to refuse consent, the refusal may not result in any harm to the data subject. The controller must be able to prove that it enables data subjects to withdraw their consent without any negative consequences for them. Special circumstances apply where data subjects are in a clearly defined supervisory or subordinate position. Processing by public authorities or by employers should not be based on consent, but on more appropriate statutory grounds for data processing.
The requirement that consent be specific is meant to guarantee that data processing is transparent and that data subjects retain control over it. This requirement is met when the intended purposes of data processing are specifically defined, consent is given for each individual operation separately and information concerning consent is clearly separated from other information. Before consent is granted, a clear and legitimate definition of the intended purpose of data processing must be expressly communicated to the respective data subjects. A controller's request seeking data subjects' consent to processing for different purposes should provide separate response options for each individual purpose.
The consent must be informed. In practice, several requirements need to be met for the consent to be considered informed. Information on the following points must be provided:
the controller's identity,
the purpose of each of the processing operations for which the consent is sought,
the types of data to be collected and used,
information on the right of data subjects to withdraw their consent,
information on automatic profiling, and
if applicable, information on transfer of personal data.
Obtaining the above information must not be in any way difficult for the data subject, and the information must be provided in a clear, understandable and, if possible, concise form. Failure to provide the above information, or provision of incomplete or inaccurate information, will result in the consent being invalid.
The conduct of the data subject must clearly indicate that the consent is being granted. Consent must be express; implied consent is not sufficient. It must also be clear from the actions of the data subject to which specific purpose of data processing the consent relates.
Specific form of consent – consent given electronically
Where consent to processing is given electronically, it should burden the data subject as little as possible. Considering that many digital services require personal data processing in order to function, there are concerns that constantly granting consent might lead to a certain degree of "click fatigue", meaning that users (potential data subjects) will give their consent instinctively without even briefly reviewing the conditions. A possible solution is to obtain the consent by an action permitted by the browser settings. Swiping a finger over the display, tilting the phone or making another move or gesture may serve as examples of such solutions. Such consent will, however, only be valid if the data subjects have been informed that by making the respective gesture they give their consent to personal data processing and if all requirements of valid consent have been met.
It is necessary to note that the WP29 guidelines are mere recommendations and that the real effects of the GDPR, possible issues and their solutions will gradually develop as the GDPR starts being applied.