European Data Authority – EDPB Publishes Guide With Rules For Consent

On May 4, 2020 the European Data Protection Board (EDPB) issued Guidelines 05/2020, setting out the rules applicable to consent of the personal data subject under the data protection law in force in the European Union, the GDPR (General Data Protection Regulation).

It is important to note that, although these rules are addressed to the European law (GDPR), they also serve to guide the understanding of consent under the Brazilian law (LGPD), since the provisions of the two laws on consent are very similar.

The consent of the personal data subject, in accordance with Art. 4(11) of the GDPR, is defined as a free, specific, informed and explicit expression of will by which the data subject accepts, by means of an unequivocal positive statement or act, that the personal data concerning him or her are processed.

Therefore, elements of valid consent are the following:

ELEMENTS OF VALID CONSENT

1. Free

  • The subject must have a real choice as to whether or not to give consent. If the subject is forced or his refusal has negative consequences, the consent will not be considered valid.
  • If the consent is grouped as part of non-negotiable terms and conditions, such consent will also not be considered valid.
  • The subject must be given the right to refuse or withdraw consent without any prejudice, otherwise it will not be considered valid.
  • Any element of pressure or inappropriate influence on the data subject (which may manifest itself in various ways) that prevents the data subject from exercising his free will, will invalidate consent.

2. Specific

  • Consent must be given in relation to one or more specific purposes, and the data subject must have the option to choose each one, or the consent will be invalid.
  • The purpose(s) must be specific, explicit and legitimate for the data processing carried out, or the consent will be invalid.
  • Consent must reflect the data subject’s degree of control over the use of the data and the transparency granted to him, or consent will be invalid.
  • If the controller needs to process the subject’s personal data for another purpose, not provided for in the consent, additional consent must be obtained from the subject for that purpose, or the consent for that new purpose will be invalid.

3. Informed

  • The request for consent must be clearly worded, since transparency is one of the fundamental principles of the GDPR, under penalty of invalidity of consent.
  • Information to the data subject must precede his consent, in order to enable him to exercise his right of free choice, under penalty of invalidity of consent.
  • The following minimum information must be provided to the data subject, under penalty of invalidity of consent: (i) the identity of the controller (if personal data is shared with more than one controller, all of their identities must be named), (ii) the purpose of each of the activities for which consent is required, (iii) what types of data will be collected and processed, (iv) the existence of the right to withdraw consent, (v) information on the use of the data for automated decisions, where relevant, and (vi) the potential risks of data transfers in the absence of adequacy decisions and appropriate safeguards.
  • Long data usage policies and legal jargon, that is, the lack of objective and clear language, can render consent invalid.

4. Explicit, meaning that the data subject accepts by an unambiguous positive statement or act

  • The data subject must take a deliberate action to give his consent; consent that is presumed by default, leaving it to the data subject to deny it, is invalid.
  • The use of pre-checked check boxes makes consent invalid.
  • Silence or inactivity of the data subject makes consent invalid.
  • Mere use of a service, without an action by the personal data subject to give his consent, does not constitute consent.
  • When consent is obtained by electronic means, refusal of consent should not unnecessarily impede the use of the service or application, unless such use without consent would result in a violation of the law.

The GDPR establishes certain situations in which explicit consent is mandatory. Such situations are those in which serious risks to data protection arise, and therefore, where a high level of individual control over personal data is considered appropriate. Such situations are as follows:

• Sensitive personal data,

• Data transfers to foreign countries or international organizations, and

• Automated individual decisions, including profiling.

Explicit consent is preferably given in writing, although recorded oral consent or consent obtained digitally (for example by e-mail) is also accepted, as long as it is unambiguous.

Two-step consent verification can also be a way to ensure that explicit consent is valid. If, for example, a data subject receives an e-mail notifying him of the controller’s intention to process a record containing medical data and requesting his consent to the use of a specific set of information for a specific purpose, it is acceptable for the consent to be given via an e-mail reply containing the statement “I agree”. After the reply has been sent, the data subject would receive a verification link that must be clicked, or an SMS message with a verification code, to confirm acceptance.

When consent is obtained digitally, such as by ticking a box or by e-mail, it is important to note that the data subject must be given an equally easy means of withdrawing that consent.

It is important to note that the burden of demonstrating valid consent is always with the controller (usually the company) and not with the data subject.
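As an added illustration (not part of the original article or of the EDPB guidelines), the two-step verification, withdrawal and burden-of-proof points above can be modelled as a hypothetical consent registry in Python: the subject’s “I agree” reply is step one, a token delivered through a separate channel is step two, withdrawal is a single call with no preconditions, and an append-only audit log gives the controller the evidence it must be able to produce. The class, status names and the required-information set are all assumptions made for the example.

```python
import hashlib, hmac, secrets
from datetime import datetime, timezone
REQUIRED_INFO = {"controller", "purpose", "data_types", "right_to_withdraw"}  # must precede the request

class ConsentRegistry:
    def __init__(self):
        self.records = {}   # (subject, purpose) -> {"status": ..., "token_hash": ...}
        self.audit = []     # append-only event log: the controller's evidence of consent

    def _log(self, event, subject, purpose):
        self.audit.append((datetime.now(timezone.utc).isoformat(), event, subject, purpose))

    def request(self, subject, purpose, info):
        # Informed: an incomplete notice makes any later consent invalid.
        missing = REQUIRED_INFO - set(info)
        if missing:
            raise ValueError(f"consent request incomplete: {sorted(missing)}")
        self.records[(subject, purpose)] = {"status": "requested", "token_hash": None}
        self._log("requested", subject, purpose)

    def affirm(self, subject, purpose, statement):
        # Step 1: an unambiguous positive statement ("I agree"); silence is not consent.
        rec = self.records.get((subject, purpose))
        if rec is None or rec["status"] != "requested" or statement.strip().lower() != "i agree":
            return None
        token = secrets.token_urlsafe(16)   # delivered separately (verification link or SMS code)
        rec.update(status="affirmed", token_hash=hashlib.sha256(token.encode()).hexdigest())
        self._log("affirmed", subject, purpose)
        return token

    def verify(self, subject, purpose, token):
        # Step 2: the subject confirms with the out-of-band token; only then is consent given.
        rec = self.records.get((subject, purpose))
        digest = hashlib.sha256(token.encode()).hexdigest()
        if rec is None or rec["status"] != "affirmed" or not hmac.compare_digest(rec["token_hash"], digest):
            return False
        rec["status"] = "given"
        self._log("given", subject, purpose)
        return True

    def withdraw(self, subject, purpose):
        # Withdrawal has no preconditions: as easy as giving consent.
        rec = self.records.get((subject, purpose))
        if rec is None:
            return False
        rec["status"] = "withdrawn"
        self._log("withdrawn", subject, purpose)
        return True

    def is_valid(self, subject, purpose):
        return self.records.get((subject, purpose), {}).get("status") == "given"
```

The audit list is what the controller would point to when asked to demonstrate that consent was requested, affirmed, verified and, where applicable, withdrawn.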

Authors: Douglas Leite and Alexandre Dalmasso