This article was written by Stefania Lucchetti (Partner) and Pietro Boccaccini (Associate).
EU companies – and non-EU companies offering goods or services to EU citizens – which process personal data need to comply with the provisions introduced in this respect by the European Regulation 2016/679 (General Data Protection Regulation – “GDPR”). Consent of the data subject is a legal basis for data processing but not the only one, and companies will therefore need to carefully evaluate which legal basis is the most appropriate for a given processing activity.
This note focuses on consent, and in particular on the numerous consent requirements set forth by the GDPR.
A key business issue for companies whose database is a valuable business asset is whether consent to process data obtained before the GDPR became applicable is still a valid ground for processing, e.g. for marketing purposes. This note will address this issue as well.
Consent as a legal basis for data processing
The GDPR has introduced new requirements in relation to one of the most widely used bases for lawfully processing personal data: the data subject’s consent.
It should be noted at the outset that, pursuant to Article 6 of the GDPR, processing of personal data is lawful not only if the data subject has given consent to the processing of his or her personal data for one or more specific purposes, but also where processing is necessary:
- for the performance of a contract to which the data subject is party;
- for compliance with a legal obligation to which the controller is subject;
- in order to protect the vital interests of the data subject;
- for the performance of a task carried out in the public interest;
- for the purposes of the legitimate interests pursued by the controller.
Before starting any activity that involves processing of personal data, a controller must consider what the appropriate lawful ground for the envisaged processing would be. In general, consent can be an appropriate lawful basis if the data subject is offered the possibility to freely accept or refuse the terms offered.
Consent obtained before GDPR became applicable
According to Recital 171 of the GDPR “where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation”.
In the light of the above, if a company, prior to 25 May 2018 (the date on which the GDPR became applicable), obtained the consent of certain data subjects in the manner required by the GDPR, it can continue to lawfully process the personal data of those data subjects. Should that not be the case, the company will need to obtain new consent.
If not obtained in full compliance with the GDPR, consent is an invalid basis for processing, rendering the processing activity unlawful. If, for instance, a company collected only one consent for different processing operations (which is quite common, in practice), this would not be in line with the “granularity” requirement (see paragraph below on this topic).
As outlined by the Article 29 Working Party, consent given before the GDPR became applicable through an implied form of action is no longer valid, given that the GDPR requires consent to be given through a “statement or a clear affirmative action” by the data subject. Therefore, for example, consent obtained with a pre-ticked opt-in box would not be valid.
In order to comply with the GDPR’s standards, operations and IT systems may also need revision. For instance, mechanisms allowing data subjects to easily withdraw their consent must now always be available. If existing procedures for obtaining and managing the withdrawal of consent do not meet the GDPR’s standards, controllers will need to refresh them.
In any event, obtaining consent does not diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially with regard to fairness, necessity and proportionality, as well as data quality.
Set out below are the main requirements for consent under the GDPR that companies will need to carefully examine in order to evaluate whether existing consents (if any) need to be refreshed.
Consent must be given by a clear affirmative act establishing a:
- freely given;
- informed; and
- unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.
Where processing is based on consent, the controller must always be able to demonstrate that the data subject has consented to data processing.
Consent should not be considered freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment (withdrawing consent, for instance, must not lead to any costs for the data subject). Consent would not be considered freely given if, for instance, the provision of a service requested by the data subject is made conditional on the data subject’s consent to receive direct marketing.
It is interesting to note that in certain relationships that cannot be considered perfectly balanced, such as the one between employer and employee, it is unlikely that consent requested from the weaker party will be freely given. In this particular case it is advisable to rely on another legal basis for the processing (e.g. the performance of the employment contract and compliance with the employer’s legal and fiscal obligations).
For consent to be informed, the data subject should be aware of:
- the identity of the controller;
- the purposes of the processing for which the personal data are intended;
- what type of data will be collected and used;
- the existence of the right to withdraw consent;
- information about the use of the data for automated decision-making (if relevant);
- the possible risks of data transfers outside the EU due to absence of an adequacy decision and of appropriate safeguards.
In addition, consent must meet a further requirement, i.e. it must be explicit, where a data controller intends:
- to process special categories of personal data (e.g. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health, etc.); or
- to process personal data for profiling purposes.
The consent, in order to be explicit, must be in written form, including by electronic means, for instance by filling in an electronic form, by sending an email or by using an electronic signature. The use of pre-ticked opt-in boxes is invalid under the GDPR. Silence or inactivity on the part of the data subject cannot be considered as an indication of choice.
Another specific requirement related to consent introduced by the GDPR is that, in relation to the offer of information society services to children below the age of 16 years, the consent of the holder of parental responsibility over the child must be given. EU Member States may provide by law for a lower age, provided that such lower age is not below 13 years.
Where consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented using clear and plain language (meaning that it should be easily understandable for the average person and not only for lawyers) and in a manner which is:
- clearly distinguishable from the other matters; and
- in an intelligible and easily accessible form.
Data subjects have the right to withdraw their consent at any time and the data controller must inform them of this. Withdrawing consent must be as easy as giving consent (e.g. clicking a box online). The withdrawal of consent, in any event, does not affect the lawfulness of processing based on consent before its withdrawal.
It should be noted that the controller cannot swap from consent to other lawful bases. For example, it is not allowed to retroactively rely on the legitimate interest basis in order to justify processing once consent is no longer valid. A data controller must decide, before starting data collection, which lawful basis applies and must disclose it to the data subject at the time of collection.
Granularity of consent
Recital 43 of the GDPR states that separate consent for different processing operations will be needed wherever appropriate. Mechanisms to collect consent must be granular to satisfy, in particular, two requirements: “free” and “specific”. Granularity of consent means, in a few words, that it must be clear to data subjects what they are consenting to: they must have a choice and be in control of what they choose to receive from the data controller. Bundling consent to various activities into one tick box is not acceptable.
Although the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest (Recital 47 of the GDPR), in particular in the presence of a contractual relationship between data controller and data subject, in most cases a data controller who intends to process personal data for marketing purposes will need to obtain specific consent from the data subjects.
A controller that seeks consent for various different purposes should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes.
For instance, specific and separate consent should be requested from data subject for:
- the data controller processing personal data in order to send newsletters and commercial communications for the purpose of direct marketing (via email, SMS, MMS, fax, mail, phone, etc.);
- the data controller processing personal data for the purpose of profiling the data subject and sending personalized offers;
- the data controller transferring the data subject’s personal data to third parties so that they can send newsletters and commercial communications for the purpose of direct marketing;
- the data controller transferring the data subject’s personal data to third parties so that they can profile the data subject and send personalized offers.
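The requirements listed in this note (a clear affirmative act, granular opt-ins per purpose, the controller’s duty to demonstrate consent, and withdrawal that is as easy as giving consent and does not affect earlier processing) translate directly into how a consent record should be stored and checked. The following is an added illustration by the editor, not code from the authors or from any product they describe; the purpose names, the `Method` values, the information labels in `REQUIRED_INFORMATION` and the field names are assumptions chosen for the example. The same checks are applied to consent collected before 25 May 2018, which is how Recital 171 (quoted above) is expressed in code:

```python
"""Consent ledger illustrating the GDPR consent requirements discussed in the note.

Added example, not part of the original note. Purpose names, field names and
the information labels are the editor's assumptions, not GDPR terms of art.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

# Date from which the GDPR applies (stated in the note). Consent given before
# it passes through exactly the same checks, as Recital 171 requires.
GDPR_APPLICATION_DATE = datetime(2018, 5, 25, tzinfo=timezone.utc)


class Purpose(Enum):
    """One opt-in per purpose, following the four examples listed in the note."""
    DIRECT_MARKETING = "direct_marketing"
    PROFILING = "profiling"
    THIRD_PARTY_MARKETING = "third_party_marketing"
    THIRD_PARTY_PROFILING = "third_party_profiling"


class Method(Enum):
    """How the consent was expressed. Only an affirmative act counts."""
    AFFIRMATIVE_ACT = "affirmative_act"  # ticked an unticked box, signed a form, sent an email
    PRE_TICKED_BOX = "pre_ticked_box"    # invalid under the GDPR
    IMPLIED = "implied"                  # silence or inactivity: invalid


# What the data subject must have been told for the consent to be "informed"
# (labels are assumptions; the note lists the underlying items).
REQUIRED_INFORMATION = frozenset(
    {"controller_identity", "purposes", "data_types", "withdrawal_right"}
)


@dataclass
class ConsentRecord:
    subject_id: str
    purposes: frozenset        # should contain exactly one Purpose (granularity)
    method: Method
    given_at: datetime
    informed_of: frozenset     # subset of REQUIRED_INFORMATION shown at collection
    conditional_on_service: bool = False  # service refused unless consent given
    withdrawn_at: Optional[datetime] = None


def validity_issues(record: ConsentRecord, at: Optional[datetime] = None) -> list:
    """Return the reasons why `record` is NOT a valid basis at time `at`.

    An empty list means the consent satisfies every check the note lists.
    """
    at = at or datetime.now(timezone.utc)
    issues = []
    if record.method is not Method.AFFIRMATIVE_ACT:
        issues.append("no clear affirmative act (pre-ticked box or implied consent)")
    if len(record.purposes) != 1:
        issues.append("not granular: several purposes bundled in one consent")
    if record.conditional_on_service:
        issues.append("not freely given: service made conditional on consent")
    missing = REQUIRED_INFORMATION - record.informed_of
    if missing:
        issues.append("not informed: missing " + ", ".join(sorted(missing)))
    if record.given_at > at:
        issues.append("consent not yet given at that time")
    if record.withdrawn_at is not None and record.withdrawn_at <= at:
        issues.append("withdrawn")  # processing before withdrawal stays lawful
    return issues


class ConsentLedger:
    """Append-only store so the controller can later demonstrate consent."""

    def __init__(self) -> None:
        self._records: list = []

    def record_consent(self, record: ConsentRecord) -> ConsentRecord:
        self._records.append(record)
        return record

    def withdraw(self, subject_id: str, purpose: Purpose, at: datetime) -> int:
        """Withdrawal is one call with no conditions: as easy as giving consent."""
        count = 0
        for rec in self._records:
            if rec.subject_id == subject_id and purpose in rec.purposes and rec.withdrawn_at is None:
                rec.withdrawn_at = at
                count += 1
        return count

    def may_process(self, subject_id: str, purpose: Purpose, at: Optional[datetime] = None) -> bool:
        """True only if some valid, unwithdrawn consent covers this purpose."""
        return any(
            purpose in rec.purposes and not validity_issues(rec, at)
            for rec in self._records
            if rec.subject_id == subject_id
        )

    def evidence(self, subject_id: str) -> list:
        """Records to produce when the controller must demonstrate consent."""
        return [rec for rec in self._records if rec.subject_id == subject_id]
```

Because every record is kept with its purpose, method, timestamp and the information shown at collection, the ledger answers both questions the note raises: whether a consent collected under Directive 95/46/EC can still be relied on (it can only if `validity_issues` is empty), and whether processing for a given purpose is covered at a given moment, including the period before a withdrawal took effect.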
Pursuant to Article 21 of the GDPR, where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. In the event that the data subject objects to processing for direct marketing purposes, the data controller must no longer process personal data for such purposes.
One of the consequences of basing the processing on consent is, among others, that the data subject acquires the right to data portability set forth by Article 20 of the GDPR, that is to say the right to receive the personal data he or she provided to the controller in a structured, commonly used and machine-readable format.
At the data subject’s discretion, where technically feasible, the data controller who originally collected the personal data would have to transmit the data directly to another controller.
Needless to say, the exercise of this right may significantly impact the business of a company based on the commercial use of its customers’ data.
Milan, 17 July 2018
This note is for information purposes only and it is not to be intended as legal advice. For any further information or to receive advice tailored to your situation, please contact us.
The “controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Guidelines on Consent under Regulation 2016/679 adopted on 28 November 2017, page 30. The Article 29 Working Party was the advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. On 25 May 2018, it was replaced by the European Data Protection Board (EDPB).
As specified by the Article 29 Working Party – Guidelines on Consent.
For example, a data controller sends e-mail communications to existing clients in order to promote the data controller's own or similar products or services (see Opinion 15/2011 of Article 29 Working Party on the definition of consent).