There are different situations when a company should not use consent as a legal basis for processing personal data. Several articles of the General Data Protection Regulation (EU) 2016/679 (GDPR) regulate consent, such as Article 6(1)(a) and Article 7.
According to Article 6 of the GDPR, a company must have a legal basis for each individual processing of personal data. Consent is one of six legal bases.
However, there is no requirement to obtain consent in order to process personal data, since processing can be based on a legal basis other than consent. In addition, in some cases it is inappropriate to base the processing of personal data on consent.
Two other legal bases that may be more appropriate for companies to use are the following:
– “contracts with data subjects” pursuant to Article 6(1)(b) of the GDPR; or
– “legitimate interest” pursuant to Article 6(1)(f) of the GDPR.
Examples of when a company should not use consent as a legal basis
Below are some examples of when a company should not use consent as a legal basis.
Unequal power relations between the parties invalidate consent
When there is an unequal power relationship between the controller and the data subject, where the controller has the stronger position, it is usually not allowed to use consent as a legal basis for processing the data subject’s personal data. One example is when an authority processes the personal data of a citizen.
However, it may be allowed in certain cases. For example, if a municipality builds a new railway track, it may offer to notify residents of the ongoing work by email, provided the residents consent to such communication.
Three examples of when a company should not use consent as a legal basis for processing personal data
● Employer’s processing of its employees’ personal data
If an employer hires a person, there is an unequal power relationship between the employer and the employee. In this situation, the employer holds the stronger power position. Therefore, the employer should not process the employee’s name and account number for salary payment on the basis of consent.
Instead, a contract with the data subject is an appropriate legal basis to use in such cases. Here, the employment contract concluded between the employer and the employee is the contract on which to base the processing. This is because the payment of remuneration is an essential part of the performance of the contract of employment.
There are exceptions where an employer can process the personal data of an employee on the basis of consent, but it is better to avoid consent where possible.
● Use of GPS in applications
If the purpose of a mobile application is, for example, to edit videos for marketing purposes, the app should not process GPS data for localization, as it is not necessary for the purpose of editing videos. Therefore, giving consent to it should not be a requirement for using the mobile application.
● Making the consent mandatory to provide
Giving consent should not be compulsory in order to use a service or purchase a product if the personal data is not necessary for it. Therefore, consent cannot be a mandatory contractual term in, for example, general terms and conditions. Furthermore, it is important to know that, to be valid under the GDPR, consent must be voluntary and actively given.
The company must prove the obtained consent
Please note that companies must be able to prove that they have obtained valid consent. Therefore, it is better to obtain written consent instead of oral consent. In addition, it shall be possible for data subjects to withdraw their consent easily. It should not cost data subjects money to withdraw their consent.