One of the most significant changes introduced by the General Data Protection Regulation (hereinafter, “GDPR”) concerns consent management. Consent is defined in Art. 4(11) and regulated in Art. 6 (lawfulness of processing), Art. 7 (conditions for consent) and Art. 9 (processing of special categories of personal data). It is also addressed in several recitals of the GDPR (notably Recitals 32, 42 and 43), which clarify how it must be obtained and managed.
How Should We Request Consent?
When requesting consent under the GDPR, how should it be collected so that it meets all the guarantees the regulation provides? This matters because Art. 7(1) places the burden of proof on the controller: it must be able to demonstrate that the data subject has consented. Good consent management is therefore what allows a company to prove its compliance with data protection rules.
Once it has been determined that consent is the legal basis that legitimizes the processing, the company must implement a procedure for collecting it correctly from the data subject. It must also be able to demonstrate later how and when consent was collected and, where there are several purposes, which of them the data subject consented to.
Specifically, GDPR consent management must comply with the following points:
- It must be given through a clear affirmative act that reflects a freely given, specific, informed and unambiguous indication of the data subject’s wishes to accept the processing.
- The data subject must be clearly informed, before consent is collected, of at least the identity of the controller and the purposes of the processing.
- When the processing has several purposes, consent must be given for all of them; in practice this means collecting a separate, granular consent for each purpose, so that the data subject can accept some and refuse others.
- If consent is to be given following a request by electronic means, the request must be clear, concise and must not unnecessarily disrupt the use of the service for which it is provided.
It is important to note that silence, pre-ticked boxes or inaction do not constitute consent. Consent must be given expressly by the data subject; any other form of collection is not valid or legitimate consent. Consent is also not freely given, and therefore not valid, if the provision of a service is made conditional on consenting to processing that is not necessary for that service (Art. 7(4)), or if it cannot be guaranteed that the data subject has a genuine and free choice, for example because they cannot withdraw it or would suffer detriment by refusing.
This last point is particularly relevant to the processing of personal data in the “employee-company” context. Because of the imbalance of power between employer and employee (Recital 43), it is unlikely that consent can serve as a legal basis for processing in the workplace, unless employees can refuse the processing without any adverse consequences.
Management of GDPR Consent Withdrawal
Finally, another aspect to consider when managing consent is its withdrawal: the data subject must be able to withdraw consent at any time. The GDPR is very clear on this point, and Art. 7(3) states literally that “it shall be as easy to withdraw as to give consent”. A good practice is to offer the same channel for withdrawing consent as for giving it. It is common to find that consent is obtained in a single step, while withdrawing it later requires going through several.
As an example, if express consent for sending commercial communications is obtained through a web form and the data subject is told that withdrawal must be done by contacting a call center on working days from 8 am to 5 pm, this practice would not comply with Art. 7(3) GDPR. Withdrawing consent in this case requires a phone call during business hours, which is clearly more burdensome than clicking through a web form available 24 hours a day, 7 days a week.
At GlobalSuite Solutions, we have more than 15 years of experience in Personal Data Protection and Information Security through our GlobalSuite® software. In addition, our specialized consulting teams provide the advice and support companies need to define correct protocols for personal data processing, determine the appropriate legal bases, manage consent and address related matters, in order to comply with the requirements of the GDPR and the LOPDGDD.