Consent is one of the most well-known legal bases for processing personal data. It is the subject of various provisions in the GDPR, and can only be considered legally valid and effective if some conditions are met.
This article will go through the requirements laid down by the GDPR to collect valid consent for processing personal data and to correctly document such consent to ensure compliance.
- What is consent under the GDPR?
- Who is responsible for collecting consent?
- What are the requirements for consent under the GDPR?
- How to collect consent easily, digitally, and with GDPR-compliance in mind
What is consent under the GDPR?
According to the General Data Protection Regulation (GDPR), “consent” of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she signifies agreement to the processing of personal data relating to him or her.
Who is responsible for collecting consent?
The data controller must obtain consent from the persons affected by the data processing. Moreover, records of such consent must be kept – including what the person has consented to and when, where, and how this consent was expressed.
What are the requirements for consent under the GDPR?
Under the GDPR, consent is legally valid and effective if it is:
1. Freely given
Consent must be given voluntarily by the individual.
This implies a real choice by the data subject – so any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid. This is why consent should not be a precondition to the provision of any service unless it is an essential element in that service.
2. Informed
Consent must be given after the person was notified about who is going to collect and process their data (i.e., who is the data controller and who are the third parties that will be relying on the consent), what kind of data will be processed, how it will be used, and for which purposes.
The individual also needs to be informed about their rights and the possibility of withdrawing consent at any time (which should be just as easy as giving consent).
3. Specific
Consent should be linked to one or several specified and sufficiently explained purposes.
The request for consent should always be a standalone mechanism, kept separate from information about other contractual matters, terms, and conditions. In other words, if consent is to be collected at the moment of the signature of another agreement, the consent to data processing should be collected separately from the agreement.
Moreover, when the processing has multiple purposes, consent should be given for all of them separately. Similarly, when multiple types of processing are involved, granular options should be ensured to express differing degrees of consent via separate actions.
4. Unambiguous
Consent cannot be implied. It must be expressed through a statement or a clear affirmative act such as an opt-in, a declaration, or an active motion – excluding any possibility of misunderstanding.
“Opt-out” mechanisms with pre-checked boxes are explicitly not allowed by the Regulation.
Written consent is recommended; however, no particular form is required. It can also be given in electronic form, provided that the request for consent is presented in an intelligible and easily accessible form, using clear and plain language. For example, consent can be given by ticking or clicking a box when visiting a website or signing a form online.
How to collect consent easily, digitally, and with GDPR-compliance in mind
The violation of the conditions for consent is one of the infringements for which companies can face more significant liability when it comes to GDPR compliance audits and penalties. It follows that particular attention must be paid to them. The good news is that Penneo can help you meet the GDPR requirements for consent.
With Penneo, you can:
- Use forms to collect personal information through secure and encrypted channels.
- Use digital signatures to capture consent.
- Document who expressed consent, how and when this happened, who obtained it, and for what purposes in comprehensive court-admissible audit trails.
- Enable granular options within the digital documents to capture consent separately for different types of data processing.
- Allow individuals to sign documents separately to obtain consent in combination with the signature of other documents.
- Request the renewal of consent regularly, easily, and digitally.
When it comes to online interactions, being able to document the other party’s consent is crucial to demonstrating the validity of a digital transaction. With Penneo, collecting consent online becomes easier and safer – both for you and for your customers.