Consent and Data Protection
Consent is one of the six lawful bases for processing personal data under the General Data Protection Regulation (‘GDPR’). There is a high standard required for obtaining, and retaining, consent under GDPR. In this blog we will explain these complex requirements, so that you know whether you are processing personal data lawfully, when relying on the legal basis of consent for data protection purposes
Consent, within GDPR is primarily governed by Article 7, and further expanded upon in Recital 32. Key to the concept of valid consent, is that it must be:
- freely given;
- informed; and
Looking at these requirements in more detail, it is perhaps the ‘freely given’ one, which is the most difficult to comply with. It is clear that this requires that there is a need for the data subject to be given a free choice. In certain relationships, such as that of employer and employee, this will be more difficult to establish.
In order to meet the second and third requirements, namely that consent is both specific and informed, the data subject will be, at a minimum, be entitled to know:
- the data controller’s identity;
- the types of personal data which will be used;
- how the personal data will be used; and
- the purpose of the processing of the personal data
In order to meet the final requirement, namely that consent is unambiguous, it is necessary that the data subject makes a statement or undertakes a clear affirmative act. This is the reason that pre-ticked consent boxes should never be relied upon to obtain legally valid consent, for example on websites.
At the time that a data subject provides his or her consent, he or she must also be advised of their right to withdraw their consent at any time, and they should also generally be reminded of this right on each occasion that a data controller contacts them. An example of this would be where a data subject has agreed to receive direct email marketing from a company. It would be prudent for a company to include an ‘unsubscribe here’ link to such marketing, or at least advise the data subject how they can withdraw their consent.
Unless certain legal exceptions can be relied upon, a data subject also needs to consent to all processing of their special personal data (Article 9).
Consent, for EU and EEA purposes, generally needs to be obtained by those aged 16 or over. By virtue of the Data Protection Act 2018, the age of consent in the UK is generally 13. However in Scotland a child aged 12 or over is generally deemed competent to provide consent for these purposes, unless the contrary is shown (s.208).
Generally, if any of the elements outlined above regarding consent are not present, this will invalidate any purported consent provided by a data subject. Most data controllers will only rely on consent where another legal basis for processing personal data is not available to them, given the complex requirements of obtaining, and retaining, valid consent.
Check where your organisation is relying upon the lawful basis of consent for the processing of personal data, and then check that it meets these requirements. You should also ensure that any third-party processor, with whom you are sharing personal data, is also compliant, and complying with these rules when acting on your behalf, such as an outsourced HR provider, a marketing company or an accountant.