The multiple consent requests all over the internet lead to the stereotypical thinking that the only way to legally collect somebody’s personal data is by getting this person’s consent.
Wrong. In the majority of cases we actually do not need consent. Choosing to rely on it when there are better and easier alternatives is simply not worth the effort.
If not through consent, then how to justify processing personal data?
Consent is just one of many grounds for data processing – GDPR offers us several other options, such as justifying data processing with the fact that we need it in order to fulfil our contractual obligations (e.g. delivery of goods/services), or in order to fulfil certain legal obligation (e.g. any case of mandatory data transfer to a state authority). Here is the full list of alternative legal grounds for data processing:
- A contract with an individual: when personal data is necessary for the performance of a contract, this is all you need.
- Legal requirement: when you need to process personal data in order to comply with the law.
- Vital interests: for example, when this can protect someone’s integrity.
- A public task: this will typically cover any public authority.
- Legitimate interest: if your organization is a private-sector one then you might have a genuine and legitimate reason to process personal data.
We always recommend our clients to view consent as “last resort” legal basis for data processing. So take a closer look at the list above – if there is really no other legal ground that applies in your case, then you will have no other choice, but to obtain consent for data processing.
As simple as it may sound, consent does not come down to getting a simple yes from the people whose personal information you collect. Consent should be obtained in compliance with certain strict requirements and you should not only adhere to these requirements, but you should create and store evidence in this regard.
What are the requirements for obtaining valid consent under GDPR
Consent under GDPR is any freely given, specific, informed and unambiguous indication which signifies agreement to the processing of personal data.
- Freely given – This means people have real choice and control over your personal data.
- Specific – People are allowed to give specific consent for specific purposes.
- Informed – This means people are able to make informed decisions, understand what they are agreeing to. Clear and easy language must be used especially when your child is concerned!
- Unambiguous indication – People are able to validly perform “a clear affirmative act” to consent, for example by actively ticking the optional box stating, “I consent”.
Make sure you can proof your compliance in case of inspection by the supervisory authority
There are a few things that you must always keep in mind:
- It’s compulsory to keep records, in order to demonstrate what the individual has consented to, including what they were told, and when and how they consented. As you may have already discovered, keeping strict records may be hard, but do not neglect its importance.
- You should separate consent requests from other terms and conditions. By no means should consent be a precondition of signing up to a service, unless the respective personal data is absolutely necessary for that service.
- You have to make sure that people have the right to withdraw their consent as easy as they have given it and at any time (e.g. through only one mouse-click, swipe, or keystroke and of course without any costs for them).
Keep in mind that this article is for general information only and if you need further assistance for a particular case or problem, you should contact a legal specialist.
This publication is written in the context of EU legislation, effective on July 1st, 2018.Please note that future amendments in the relevant legislative acts, court decisions or opinions of official authorities or other sources of legal obligations, which became effective after the quoted date, may affect the accuracy of the information above. This is one-time publication and Prosperamo is not responsible to keep it up-to-date. For more information – please read the following disclaimer.
Sharing is caring!