Certain specific information must be provided when obtaining consent from a person. The information shall be provided before the company processes their personal data. Among other things, companies must inform the data subject of the purpose of the processing of personal data. The company shall provide the information at the time it obtains the consent from the data subject. The requirements are stated in Article 7 and Articles 13 and 14 of the General Data Protection Regulation (EU) 2016/679 (GDPR).
The company shall not process more personal data than is necessary in relation to the purpose for which the personal data was collected. Furthermore, a purpose must not be unclear or non-specific. In some cases, the company may wish to use the personal data for other purposes in the future. In such cases, the company shall request a new consent for the new processing.
A company must comply with the principle of accountability set out in Article 5(2) of the GDPR. This principle requires the company to demonstrate its compliance with the data protection regulation and to explain the methods it uses to achieve that compliance.
Therefore, the company should not process personal data on the basis of oral consent, as such consent is difficult to prove afterwards. Where a company obtains oral consent, it should also obtain written consent to the processing in order to preserve it as evidence. There are also situations in which a company should not use consent as a legal basis at all, for example when there is an unequal power relationship between the controller and the data subject in which the controller has the stronger position.
Certain information must be provided by the controller when obtaining consent from data subjects
The information to be provided by the controller when obtaining consent is at least the following:
● Who: The identity of the personal data controller and, where applicable, of the personal data processor and the data protection officer. If there are several controllers or joint controllers, this shall also be stated in the information;
● Purpose: The purpose of the processing of personal data to which the consent relates;
● What: The types of personal data that the company processes on the basis of consent as the legal basis for the processing. For example, name, social security number and e-mail address are three types of personal data. These fall into the category of “ordinary personal data”. They are not “special categories of personal data” under Article 9 of the GDPR.
● Withdrawal: The data subject has the right to withdraw their consent at any time. In addition, the data subject must receive information from the company about how they should proceed in practice in such cases, for example whether they have to send the withdrawal to a specific e-mail address, click on a specific button or similar;
● Automated individual decision-making: Whether the personal data will be used to make any kind of automated individual decisions, whether or not profiling is involved. If this will happen, the company must also inform the data subject that they have the right to contest the automated decision in question;
● Third country: Whether the company will transfer personal data to third countries. A third country is a country outside the EU/EEA area. The information shall also state what risks such a transfer entails. Please note that the data subject needs to give their explicit consent in such cases.
Separate consent from other information
Remember to separate the information that the company provides to data subjects when obtaining consent from other information, such as the company's general terms and conditions. In addition, a company may want to process personal data on the basis of consent for several different purposes. In such cases, the company shall give the data subject the opportunity to consent specifically to each purpose.
Be extra clear when the data subjects are children
If a company obtains consent from a child, the rules are stricter. For example, the company must inform the child using simple language, so that the child understands the meaning of the information provided. In addition, the company should avoid long sentences and excessive or complex information, as these are more difficult for children to understand.
Also, the information shall be provided in the national language of the country concerned. If a mobile application in Finland has children as its users, the information on the processing of the children’s personal data should be in Finnish. A company that runs a mobile application with many children as users from different countries had to pay a penalty fee in the Netherlands. The reason was that the information for the registered children was in English instead of Dutch.
Information to be documented by companies in relation to consents obtained from data subjects:
● How: How the company obtained the consent of the data subject;
● When: When the company obtained the consent of the data subject;
● Which: Which information the data subject received from the company when the data subject gave the consent.