Consent continues to be a lawful basis for processing personal data under the General Data Protection Regulation (679/2016/EU) ("GDPR"). However, organisations need to be aware that from 25 May 2018 obtaining a valid consent will be more onerous than under the current data protection regime. This article provides an overview of the requisite elements of a valid consent under the GDPR.
What is 'Valid Consent'?
Under the GDPR, consent of the data subject means any "freely given, specific, informed and unambiguous indication" of their agreement to the processing of their personal data. Each of these elements are examined in further detail below:
(1) In what circumstances is consent freely given?
In simple terms, consent will not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Consent is presumed not to be freely given where the performance of a contract, including the provision of a service, is dependent on the consent, despite such consent not being strictly necessary for the performance of that contract.
In order to ensure that consent is freely given, data controllers should avoid using consent as the legal basis for processing where there is a clear imbalance between the data subject and the controller.
(2) What constitutes 'specific' consent?
Similar to the provisions of the current legislative framework, in order for consent to be valid under the GDPR it must be specific. Data subjects must know the purposes of the data processing operations to which they are consenting.
In particular, where consent is provided in a written declaration, which also contains other matters, the request for consent must be clearly distinguishable from other matters in an intelligible and easily accessible form, using clear and plain language.
The GDPR further clarifies that consent should cover all processing activities carried out for the same purpose or purposes. Where the processing of data has multiple purposes, consent should be given for each of them.
(3) In what circumstances is consent informed?
For consent to be informed, the data subject should be aware at least of the identity of the data controller and the purposes of the processing for which the personal data are intended. In the cases of consent requested by electronic means, the request must be clear, concise and not unnecessarily disruptive.
In addition, prior to obtaining a valid consent, data...