Consent within the GDPR

The General Data Protection Regulation (GDPR) sets out much more stringent requirements in regards to consent from the data subjects.

You can download this here: GDPR-02-Consent

Requirements for Consent:

  • A Data Controller must be able to clearly demonstrate that consent has been given by a Data Subject.
  • There can no longer be consent assumed by silence, inactivity or pre-ticked boxes.
  • Data Subjects must be aware of a Data Controller’s identity, how the Data Controller may be easily contacted, and also the purposes for which consent is sought.
  • Data Subjects must be aware of the full extent of the processing to which they are consenting.
  • The request for consent must be clearly distinguishable from other matters and not buried inside a lengthy Terms of Use, for example. It shall also be intelligible, easily accessible, clear and written in plain language.
  • A Data Subject can withdraw consent at any time. The consent must be as easily revoked as it was given. This right must be clearly communicated to Data Subjects.
  • Separate consents must be obtained for distinct processing operations.
  • The GDPR does exempt a Data Controller from obtaining consent for subsequent processing operations if the operations are “compatible”.
  • Consent must be a genuine free choice (see below in regards to an employee data context).
  • The supply of services is not made contingent on consent to processing which is not necessary for the service being supplied. For example, if somebody is signing up to receive a telephony service, they cannot be refused that service if they chose not to receive a newsletter from the service provider.
  • The processing of personal data in relation to information society services, of a child below the age of 13 years (some member states may have higher limits up to the age of 16) shall only be lawful if consent is given or authorised by the child’s parent or guardian. The Data Controller must make reasonable efforts to obtain verifiable consent.
  • If your organisation relies on consent to process personal data for the purpose of scientific research, consider offering data subjects the opportunity to consent only to certain areas of research or parts of research projects.

Employee data:

Member States are permitted to establish (either by law or through collective agreements) more specific rules in respect of the processing of employee personal data, covering every major aspect of the employment cycle from recruitment to termination. This includes the ability to implement rules setting out when consent may be deemed valid in an employment relationship. Such rules must include specific measures to safeguard the data subject’s “dignity, legitimate interests and fundamental rights” and the GDPR cites transparency of processing, intragroup transfers and monitoring systems as areas where specific regard for these issues is required.