GDPR Learning Hub

Consent is one of the legal bases of the GDPR

Article 6(1)(a) of the GDPR


Information about consent as legal basis

Consent is one of the six legal bases of the GDPR

Consent is one of the legal bases of the GDPR that companies can use when processing personal data. Article 6(1)(a) of the General Data Protection Regulation (GDPR) sets out this legal basis. However, it is not a requirement to obtain consent in order to process personal data. In fact, it is not even always appropriate or permissible to base the processing of personal data on consent.

The data subject can give consent to the processing of personal data verbally or in writing. However, since the GDPR requires companies to demonstrate that they comply with the regulation, it is better to obtain written consent. Written consent is also easier to prove.

Requirements for valid consents under the GDPR

Consent is one of the legal bases of the GDPR that a company may use to process personal data. In order for consents to be valid according to the GDPR, they must meet the following criteria:

●  Conscious consent

For consent to be conscious, the company must inform the data subjects about the processing. The purpose is for the data subjects to be aware of the details of the processing, such as what categories of personal data the company will process and what the purpose of the processing is.

It is also important to inform the data subjects about how they can withdraw their given consent. Please note that withdrawal of consent should be free of charge. In addition, it should be as easy to revoke it as it was to give consent.

 

●  Voluntary consent

Furthermore, consent must be voluntary and given without external influence. When there is an unequal power relationship and the data subject is the weaker party, the data subject is not considered able to give voluntary consent.

This is the case, for example, in the relationship between an employer and an employee, or an authority and citizens. In such cases, the employer shall not use consent as a legal basis for processing the personal data of the data subject. This is because the data subject, being in a weaker position of power, may not dare to deny consent for fear of losing his or her employment or of another consequence. Therefore, the legal basis of performance of a contract with the data subject may be more appropriate to use.

●  Active consent

In addition, the data subject must give the consent actively. Active consent means that the data subject gives an unambiguous indication of his or her wishes.

One example is actively ticking a box to consent to a specific, specified processing of personal data. If the box is already ticked, the data subject has not given active consent, and such consent is therefore not valid. The data subject cannot be regarded as having consented to anything by inaction. Consent requires an active action from the data subject, not a passive one.

The fact that the data subject does not say “no” does not mean “yes” to a processing operation. The data subject must actively consent to the processing of personal data in order for the consent to be valid.

Consent must therefore be conscious, voluntary and actively submitted in order to be valid under the GDPR.

“Consent or pay models” on online services often do not meet the requirements for valid consent

The European Data Protection Board (EDPB) noted that “Consent or pay models” on online services, such as social media, often do not meet the requirements for valid consent under the GDPR. This applies where users are given a choice between only two alternatives. The two alternatives are often:

1) the user consents to the processing of their personal data for the purpose of targeted marketing; or

2) the user pays for their personal data not to be used for such marketing.

According to the EDPB, online platforms should also offer a free-of-charge possibility to refuse targeted marketing. This is because many users want to avoid payment and therefore tend to choose to consent to targeted marketing. They do so without really understanding how their personal data is processed in such cases.

Information to be provided to data subjects when giving their consent

Consent is one of the legal bases of the GDPR that a company may use to process personal data. In connection with an individual’s consent to the processing of his or her personal data, certain information about the processing must be stated. This is a requirement for consent to be conscious. Among other things, the following information shall be provided to the data subject:

 

  • The person or persons responsible (controllers, processors and data protection officers).
  • The purpose of the processing of the personal data.
  • What categories of personal data the company will process based on the consent.
  • How the data subject can withdraw the consent given.
  • If the company uses the personal data for automated individual decisions and profiling.
  • If the company transfers the personal data to a third country (i.e. a country outside the EU/EEA area) and what risks it entails.

 

In some cases, companies need to obtain explicit consent

The requirement for explicit consent means that the data subject must clearly express his or her consent, for example through a signature, an electronic signature or multi-step certification. This can be done, for example, by the data subject actively responding to an email and then receiving a code by SMS that must be activated in order for the consent to be given. The more sensitive personal data a company processes, the greater the obligations the company has.

Explicit consent may be required if the company will:

  • Process sensitive personal data, such as data concerning health or religious belief.
  • Transfer personal data to a third country.
  • Perform profiling or automated individual decisions.

Unequal power relationships

In most cases, where there is an unequal power relationship between the controller and the data subject, where the controller holds the stronger position of power.

 

For example, when an employer processes the personal data of an employee. In such cases, it is more appropriate to use contract as the legal basis for the processing of personal data necessary for the performance of the employment contract.

 

There are other legal bases under Article 6 of the GDPR. Consent is only one of the six legal bases of the GDPR that a company may use for personal data processing. It is important that the company analyzes which legal basis to use before starting the processing.

Consent from children

Children may, in some cases, lawfully give their consent to the processing of their personal data, for example in the case of information society services such as social media. According to the GDPR, the age limit in these cases is 16 years. If the child is under the age of 16, the guardian must give their consent. However, every country has the right to lower this age limit, as several countries have done. Finland and Sweden have lowered the age to 13 years.

In Italy, a girl of 10 years had managed to create multiple user accounts without the consent of the guardian on a known social media platform. This is in breach of applicable laws. The girl later died, which led the Italian Data Protection Authority to start an investigation against the company and later also against other social media.

 

Please note that the requirements are higher when companies process personal data of children. For example, the company should write the information about the processing in simple and easy-to-understand language. 

 

In Holland, an international company that runs a mobile application with many children as users had provided the information about the processing of personal data in English, which was not the national language. Therefore, the company had to pay a fine. It is important that children understand the information about the processing of their personal data.

More information about the legal and lawful bases of the GDPR

Legitimate interest pursuant to Article 6(1)(f) of the GDPR

Another legal basis for the processing of personal data is “Legitimate interest”. A company may consider that its interest weighs heavier and is not overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data. In order to reach this conclusion, the company must carry out a Legitimate Interest Assessment (LIA). Examples of when companies may have a legitimate interest are preventing fraud or carrying out direct marketing by email to previous customers.
