A consent must be voluntary and actively given for it to be valid under the General Data Protection Regulation (EU) 2016/679. Consent is one of the six legal bases that a company can use when processing personal data. Some people believe that consent is required to process personal data, but this is not true.
Personal data processing may take place on the basis of another legal basis pursuant to Article 6 of the GDPR. In addition, a data subject may give consent either orally or in writing. However, it is always better for the company to get the consent in writing. This is because written consent is easier to prove in the event of a dispute or supervision.
The following requirements must be met in order for a consent to be deemed voluntary and actively given
It must be a voluntary consent, not only actively given
For an individual to freely and voluntarily give consent to a particular processing of their personal data, they must have a choice not to give consent. In other words, there should be no consequences for the data subject if consent is not provided to personal data processing.
Also, the data subject has not given a valid consent when the controller is in a stronger power position than the data subject. For example, this is the case in the relationship between employers and employees, authorities and citizens, or similar.
Here are some examples of when a data subject has not given a voluntary consent according to the GDPR:
● Mandatory: if the requirement to provide consent is a mandatory part of a contract;
● Influenced: if the company or a third party has influenced the data subject to give the consent;
● Negative consequences: if it results in negative consequences for the data subject because he or she does not give consent to a particular processing of personal data.
It must also be an actively given consent, not only voluntary
According to the current provisions of the GDPR, a passive consent is not valid. In other words, the data subject must actively give his or her consent for the processing of personal data. Therefore, consent is not valid if a data subject does not actively respond to a request for consent.
Companies may not impose any requirements on the data subject in connection with the collection of his or her consent. This is referred to as “packaging” under the GDPR, and it is in most cases not allowed. In short, packaging means that the data subject must, indirectly or directly, perform a counter-performance for the service or product. Examples of a counter-performance may be to accept terms of use or other business terms. The company thus bundles the consent with other commitments. If the conditions are not necessary, this means that the consent is not voluntary. As a result, the consent is not valid according to the GDPR.
However, there are other legal bases that are more appropriate to use if processing is necessary for the use of a service or product. For example, the legal basis of contracts according to Article 6(1)(b) of the GDPR may be applicable in such situations.
More requirements for a given consent to be considered valid
The data subject shall give specific, voluntarily given, informed and unambiguous consent to the processing. This is a requirement pursuant to Article 7 of the GDPR, for the consent to be valid.
● Specific consent
The company shall provide information on the purpose of the processing of personal data. Sometimes, the company may want to process the same personal data for different purposes. In these cases, the company shall give the data subject the opportunity to consent to the purposes separately. The company should not bundle different purposes for processing under the same consent, since it will result in an invalid consent.
● Voluntary consent
When a data subject is given the opportunity to give consent to a certain processing of personal data, there must be no negative consequences if he or she does not wish to give it. In other words, the person should have the opportunity to say no to the processing, and thus not give their consent to the processing of their personal data based on consent as the legal basis.
In some cases, there may be an unequal power relationship between the data subject and the controller. If this is the case, the data subject will not have given a voluntary consent according to the GDPR.
For example, there is an unequal power relationship between an employer and an employee. In such cases, the employee is in a weaker position than the employer. Therefore, consent is in most cases not an appropriate legal basis to use.
● Informed consent
Companies must provide information about the processing of personal data before a person gives their consent to the processing in question. In addition, the information must be sufficient and clear. For example, the information must specify what personal data the company will process and how the data subject can withdraw the consent. The information must also state whether the company will transfer the personal data to a third country (i.e. a country outside the EU/EEA area).
● Unambiguous consent
A person cannot give consent by being silent or passive. One example of an invalid consent is if a company has a pre-ticked consent box. Another example is if a company states that it uses cookies on its website if the visitor continues to browse there.
Withdrawal of a consent
The following is also very important to keep in mind. It should be as easy to withdraw the consent as it was to give the consent. If it is too difficult for the data subject to withdraw the consent, the consent is invalid. The consent of the data subject must be voluntary, actively given and easily revoked. When a data subject withdraws their consent, it should also not cost them anything. The revocation of the consent shall thus be free of charge.
In addition, the company must cease the processing of the personal data that was based on the consent. However, the processing which the company had previously conducted on the basis of the consent remains valid. It just means that the processing may not continue.
Other appropriate legal basis pursuant to the GDPR
Please note that consent is not always an appropriate legal basis to use for certain types of personal data processing. Therefore, it may be useful to analyze whether there is any other legal basis that is more appropriate.