At present, there is hardly a company or a legal consultant whose attention has not been drawn to the new rules in the field of personal data protection, which are to be applied as of May 25, 2018. Most recently, the working group for the protection of personal data established under Article 29 of Directive 95/46/EC published the long-awaited Guidelines on Consent under Regulation 2016/679 [1], i.e. consent within the meaning of the new Regulation № 2016/679, better known by its abbreviation GDPR.
In a series of publications and events, the team of Georgiev, Todorov and Co. Law Offices for personal data protection will explain what the new rules are, to whom they apply, how they affect the competitiveness of your business, as well as offer practical advice and solutions for the correct application of the new requirements.
The above-mentioned Guidelines on Consent are part of a series of documents – guidelines, opinions, etc. – developed by the so-called Working Group under Art. 29, which provide explanations and practical instructions on the application of Regulation № 2016/679. The changes introduced with regard to the consent of data subjects are in fact among the most significant compared to the current legal regime for the protection of personal data.
We bring to your attention a brief summary of the published Guidelines on Consent and the most important conclusions to be drawn from them:
Requirements for “valid consent”
§ Freely given: there will be no valid consent if the parties are in an unequal position or in a position of dependence on each other, or if the consent is conditional on the performance of a contract between the parties. Consent should be granted separately for each individual operation and purpose for which personal data are processed, and the data subject should be free to choose whether to give his consent without suffering any negative consequences;
§ Specific and concrete: consent must relate to the specific purpose of the processing of personal data;
§ Informed: when giving consent, the data subject should have at least the following information:
(1) the identity of the data controller;
(2) the purpose of each form of data processing;
(3) the type of personal data to be collected and processed;
(4) the possibility of withdrawing the consent;
(5) whether the data will be used for decision making based on automatic processing / profiling;
(6) whether his data will be transferred to persons outside the EEA and, if there is no adequacy decision, information on the risks involved;
§ Clear affirmative action: consent must be given through an unambiguous act disclosing the data subject’s consent to the processing of his or her personal data; in the context of online services, this may even require interrupting the provision of the service in order to draw the data subject’s attention to the giving of consent.
Significance of the “explicit consent”
The Guidelines contain guidance on “explicit” consent within the meaning of the Regulation, which is required for the processing of special categories of data, the transfer of personal data outside the EEA, or automated individual decision-making. According to the Guidelines, in order for consent to be “explicit”, the data subject must make an express statement of consent, for example by means of a deliberate written declaration. In the digital world, the person concerned can make an explicit statement of consent by filling in an electronic form, sending an email, uploading a scanned document, or using an electronic signature.
Proof of consent
The working group states that data controllers are free to develop methods of proving that consent has been validly obtained in the way that best suits their day-to-day operations, and the Regulation itself does not explicitly prescribe the use of one method or another. However, in order to prove that consent has been validly given, the data controller must be able to demonstrate on a case-by-case basis that a person has given his or her consent. In addition, the Guidelines state that data controllers should keep records of consent only to the extent necessary to comply with the legal obligations applicable to them or to establish, exercise or defend legal claims. The information retained should not go beyond the minimum necessary to demonstrate that valid consent has been obtained.
Consent of children
The GDPR requires parental consent for the processing of the personal data of children under the age of 16 in the context of information society services (e.g. a website or video streaming service) offered directly to children. However, the Regulation again does not specify the means to be used to verify whether a user is a child or to obtain the consent of the child’s parents. The Guidelines suggest that data controllers take a proportionate approach when assessing whether “reasonable” efforts have been made to comply with the Regulation, in view of the degree of risk in each case, the interests involved and the technological solutions available. For example, the working group considers different scenarios: in one case obtaining parental consent by e-mail may be sufficient, while stricter methods may be used for higher-risk processing, such as requiring the parent to make a £/$/€ 0.01 payment to the data controller by bank transfer.
Other specifics of the consent
The Guidelines provide an explicit answer to a question that has troubled data protection consultants for a long time: if the data controller obtained the consent of the data subject before the new rules enter into force, is it necessary to seek consent again? The answer is that consent obtained before the GDPR will continue to be valid under the GDPR, provided that it meets the conditions for consent required by the GDPR. Otherwise, the working group recommends either obtaining new consent or relying on another legitimate ground under Art. 6 of the Regulation.
Information provided on the basis of consent is often processed over a long period of time; one of the recommendations of the working group in this regard is to introduce periodic confirmation or renewal of consent.
It should be kept in mind that if personal data are processed on the basis of one of the grounds under Art. 6 of the Regulation, then once that ground ceases to apply, the processing may not simply continue on any of the other grounds mentioned, unless this was originally provided for when the personal data were collected.
In relation to the introduction of the GDPR, Georgiev, Todorov and Co. Law Offices and its partners offer a package of legal, technical and software consultations and analysis of existing systems and processes for personal data processing, as well as the development and documentation of company policies and systems to ensure compliance with the requirements of the Regulation. For any questions and inquiries, please do not hesitate to contact us.