
Consent for personal data processing

Processing of personal data on the basis of the data subject's consent is one of the most popular grounds for processing (specified in Article 6(1)(a) of the GDPR[1]). Controllers willingly use this option and collect consents for processing even where a different legal basis is available. Unfortunately, it often happens that consent is not obtained properly. In this post, I would like to show how to obtain consent for personal data processing in accordance with the law, and therefore safely for the controller. GDPR contains a number of guidelines in this regard; all you need to do is apply them properly.

Content and form of consent to processing of personal data

First of all, consent to the processing of personal data should be understandable to the person granting it. The data subject should be aware of what he or she agrees to: the processing of which data and for what purpose. GDPR expressly states that the request for consent must be presented in an understandable and easily accessible form, in clear and plain language. The consent should therefore be formulated in an uncomplicated way, without any extraneous elements. If you do not want to add to the content of the consent any provisions connected with the information obligation, one short sentence beginning with "I consent to the processing…" and then specifying what data will be processed and for what purpose is enough.

It is rare for someone to write, by hand or in an e-mail, a sentence stating that he or she agrees to the processing of personal data. Usually, consent is an element of a form, in paper or electronic form. In that situation it is still necessary to think about how the data subject will express the will to give consent. In my opinion, the best option is to put a check-box (a small square) next to the consent text, so that consent is expressed by ticking it. The form must also capture the identifying data of the person granting consent and, in the case of a paper form, their signature. This is very important for identifying the person who gave consent.

One check-box, one consent

Combining consent to the processing of personal data with other consents or statements (e.g. consent to receive commercial information by electronic means or acceptance of the regulations) is a common mistake of data controllers. This practice is inconsistent with GDPR, which requires:

  1. if the data subject gives consent in a written declaration which also concerns other matters, that the request for consent is presented in a manner which is clearly distinguishable from those other matters;
  2. that consent is given freely.

Combining several consents in one declaration means that neither of the above requirements is met. The consent to the processing of personal data is not clearly separated from the other consent, and the inability to grant only the other consent forces the data subject to also consent to the processing of personal data.

When implementing the above requirements, a simple rule is very useful: one check-box, one consent. If this approach significantly expands the form filled in by the user, it is worth considering processing the personal data on a basis other than consent. This is very often possible, and it allows you to remove one check-box and provide a better user experience.

The consent can always be withdrawn

Another very important rule provided for in GDPR is the unconditional possibility of the data subject withdrawing consent to the processing. Moreover, GDPR requires that withdrawing consent be as easy as giving it. To meet these requirements, a simple procedure for withdrawing consent should be developed, e.g. a button in the user's account, or an indicated e-mail address to which a message declaring the withdrawal of consent can be sent.

After consent is withdrawn, the personal data should usually be deleted. However, there are situations where the controller will be able to continue processing them, but on a different legal basis (of course, after first fulfilling the information obligation with respect to that basis as well). Withdrawal of consent also does not make the processing of data carried out before the withdrawal unlawful. Only further processing based on consent will be contrary to GDPR, unless there is another legal basis (e.g. processing necessary for the purposes of the legitimate interests pursued by the controller).

Electronic services and child consent

A specific regime is provided for consent to the processing of personal data by a child in the case of information society services (this is what these services are called in GDPR, but they can generally be understood as electronic services). In that case, only a child who is 16 years of age or older at the time of giving consent may effectively consent to the processing of data. For younger children, consent should be given or authorised by the holder of parental responsibility over the child.

Demonstrating that consent was obtained by the controller

GDPR requires the controller to be able to demonstrate that the data subject has consented to the processing of his or her personal data. Therefore, obtaining consent verbally is not the best idea: if the conversation was not recorded, there is no permanent trace that the person gave consent. It is much better to obtain consent in writing, in document form or in another electronic form (e.g. through system logs confirming the selection of the appropriate check-box in the online form), and then archive that evidence accordingly.
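The rules discussed in this post (one check-box per purpose, withdrawal as easy as giving consent, the age threshold for information society services, and a demonstrable record) translate fairly directly into the design of the system that stores consents. The following is an added example of such a consent ledger, illustration code that is not part of this post; the class names, the "newsletter" and "profiling" purposes and the sample subject identifiers are constructed for it.

```python
"""Consent ledger: an added illustration (not the post's own code) of how a
controller could record granular, withdrawable and demonstrable consents.
All names, purposes and sample subjects below are constructed for this example."""
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional
import hashlib
import json

# Art. 8(1) GDPR default for information society services; member states may
# set a lower threshold (not below 13), so keep this configurable.
INFO_SOCIETY_MIN_AGE = 16


@dataclass(frozen=True)
class ConsentText:
    """One purpose, one statement: the exact wording the data subject saw."""
    purpose: str
    data_categories: tuple
    wording: str
    version: str

    def digest(self) -> str:
        # A hash of the wording lets the controller later show which text was agreed to.
        return hashlib.sha256(self.wording.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    subject_id: str
    text: ConsentText
    given_at: datetime
    source: str  # e.g. "web form check-box", "paper form with signature"
    withdrawn_at: Optional[datetime] = None

    def covers(self, at: datetime) -> bool:
        """Consent covers processing from the moment it was given until withdrawal;
        withdrawal does not make earlier processing unlawful."""
        if at < self.given_at:
            return False
        return self.withdrawn_at is None or at < self.withdrawn_at


def age_on(birth: date, on: date) -> int:
    """Full years completed on the given day."""
    years = on.year - birth.year
    if (on.month, on.day) < (birth.month, birth.day):
        years -= 1
    return years


class ConsentLedger:
    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []  # append-only evidence, never deleted
        self._audit: list[str] = []  # system-log style trail, one JSON line per event

    def _log(self, event: str, **fields) -> None:
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields}
        self._audit.append(json.dumps(entry, sort_keys=True))

    def record(self, subject_id: str, text: ConsentText, ticked: bool, given_at: datetime,
               source: str, birth_date: Optional[date] = None,
               guardian_approved: bool = False) -> ConsentRecord:
        """Register exactly one consent for one purpose (one check-box, one consent).
        An unticked box is not consent; a pre-ticked box must never reach this call."""
        if not ticked:
            raise ValueError(f"no affirmative act for purpose {text.purpose!r}")
        if birth_date is not None and age_on(birth_date, given_at.date()) < INFO_SOCIETY_MIN_AGE:
            if not guardian_approved:
                raise ValueError("child below the age threshold: guardian consent or approval required")
        rec = ConsentRecord(subject_id, text, given_at, source)
        self._records.append(rec)
        self._log("consent_given", subject=subject_id, purpose=text.purpose,
                  version=text.version, text_sha256=text.digest(), source=source)
        return rec

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Withdrawal is a single unconditional call, as easy as giving consent."""
        hit = False
        for rec in self._records:
            if rec.subject_id == subject_id and rec.text.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = at
                hit = True
        self._log("consent_withdrawn", subject=subject_id, purpose=purpose, found=hit)
        return hit

    def may_process(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Consent-based processing is allowed only for a purpose with a covering record."""
        return any(r.subject_id == subject_id and r.text.purpose == purpose and r.covers(at)
                   for r in self._records)

    def evidence(self, subject_id: str) -> list:
        """What the controller can produce to demonstrate consent: wording hash,
        version, source and timestamps of every consent the subject ever gave."""
        return [{"purpose": r.text.purpose, "version": r.text.version,
                 "text_sha256": r.text.digest(), "source": r.source,
                 "given_at": r.given_at.isoformat(),
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in self._records if r.subject_id == subject_id]

    def audit_log(self) -> list:
        return list(self._audit)


# Constructed sample consent texts: one purpose and one check-box each.
NEWSLETTER = ConsentText("newsletter", ("e-mail address",),
    "I consent to the processing of my e-mail address for the purpose of sending the newsletter.", "2024-01")
PROFILING = ConsentText("profiling", ("browsing history",),
    "I consent to the processing of my browsing history for the purpose of personalising offers.", "2024-01")


def demo() -> dict:
    """Form with two separate boxes (only one ticked), a later withdrawal, and a
    child's consent with and without guardian approval. Returns the decisions."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    ledger.record("user-42", NEWSLETTER, ticked=True, given_at=t0, source="web form check-box")
    try:
        ledger.record("user-42", PROFILING, ticked=False, given_at=t0, source="web form check-box")
    except ValueError:
        pass  # the unticked box records nothing and grants nothing
    ledger.withdraw("user-42", "newsletter", at=t0.replace(day=15))
    try:
        ledger.record("child-7", NEWSLETTER, True, t0, "web form check-box", birth_date=date(2010, 1, 1))
        child_alone = True
    except ValueError:
        child_alone = False
    ledger.record("child-7", NEWSLETTER, True, t0, "web form check-box",
                  birth_date=date(2010, 1, 1), guardian_approved=True)
    return {
        "newsletter_before": ledger.may_process("user-42", "newsletter", t0.replace(day=10)),
        "profiling_before": ledger.may_process("user-42", "profiling", t0.replace(day=10)),
        "newsletter_after": ledger.may_process("user-42", "newsletter", t0.replace(day=20)),
        "retroactive": ledger.may_process("user-42", "newsletter", t0.replace(month=2)),
        "child_alone": child_alone,
        "child_with_guardian": ledger.may_process("child-7", "newsletter", t0),
        "evidence": ledger.evidence("user-42"),
        "audit_events": len(ledger.audit_log()),
    }
```

The ledger is append-only: withdrawal adds a timestamp rather than deleting the record, so the controller can still demonstrate that processing between `given_at` and `withdrawn_at` was lawful. The audit trail and the hash of the consent wording are what stand in for the "system logs confirming the selection of the check-box" mentioned above; a deployed system would write them to tamper-evident storage rather than an in-memory list.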

Footnotes

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Tomasz Korolko

Partner
