GDPR’y Consent..

Andrew David Bhagyam
4 min read · Oct 20, 2018


Consent is one of the six lawful bases for processing prescribed by the EU GDPR (Article 6, Lawfulness of processing). The GDPR also sets a high bar for how consent must be obtained and what constitutes valid consent.

C1. The following are the requirements for consent to be valid (Article 4(11) and Article 7). It must be a clear affirmative act (Recital 32) which is:

  • Freely given
  • Informed
  • Specific
  • Unambiguous

C2. The request for consent itself must also be (Article 7(2)):

  • Clearly distinguishable from other matters (not buried in general terms and conditions)
  • Intelligible
  • In an easily accessible form
  • In clear and plain language
  • Free of unfair terms (Recital 42)

C3. Withdrawal of consent must:

  • Be as easy as giving consent (Article 7(3)).
  • Trigger erasure of the data if no other lawful basis for retaining it applies (Article 17(1)(b)).

Note that withdrawal does not make processing that took place before the withdrawal unlawful (Article 7(3)); it only stops further processing on that basis.

C4. How can consent be obtained? (Recital 32)

  • Written statement
  • Electronic means (by email, or by the data subject ticking an unticked box)
  • Oral statement (over a call or in person)

C5. What can constitute ‘consent’?

  • Ticking a box when visiting an internet website
  • Choosing technical settings for information society services
  • Conduct which clearly indicates in this context the data subject’s acceptance

C6. What does not constitute consent?

  • Silence
  • Pre-ticked boxes
  • Inactivity
  • Consent that is made a precondition for providing a service when the processing is not necessary for that service, so the data subject has no genuine free choice (Article 7(4), Recital 43).

C7. What if we are going to carry out multiple processing operations on this data?

→ Consent covers all processing operations carried out for the same purpose. If the processing serves multiple purposes, consent should be given for all of them, separately per purpose, rather than bundled into one all-or-nothing request (Recital 32).

C8. What if we do not know all purposes of processing at the time of collection, which is often the case for scientific research? (Recital 33)

→ Data subjects should be allowed to give their consent to certain areas of scientific research, provided those areas follow recognised ethical standards for scientific research, and they should be able to consent only to certain areas or parts of a research project where the intended purpose allows it.

C9. The most important requirement for consent management (refer C12) is that consent must be demonstrable: the controller must be able to show that the data subject consented (Article 7(1)).

Therefore keeping a record of the following is required:

  • Date and time when the consent was given.
  • Date and time when the consent was withdrawn.
  • The method/means used to obtain the consent.
  • The exact text that was presented to the data subject during the consent-gaining process.
  • The processing operations presented vs. the processing actually carried out.

C10. What elements must be present in the consent-gaining text/notice?

  • The intended purposes of the processing (if there are multiple purposes, refer C7)
  • The identity of the data controller
  • The scope of the consent: which data and which processing it covers
  • The right to withdraw consent and how to do so
  • Any negative or legal effects on the data subject arising from this processing

There are different types of consent. Generally they are classified into:

  • Implied consent, where a specific action of the data subject (such as choosing technical settings, see C5) is taken to indicate consent. Even here a clear affirmative act is still required; silence or inactivity never qualifies (see C6).
  • Explicit consent, which is an express statement from the data subject, generally a written or otherwise recorded confirmation. The GDPR requires explicit consent for special categories of data (Article 9), for certain automated decision-making (Article 22) and for certain international transfers (Article 49).

Whatever the type of consent used, it must fulfil all requirements mandated by the EU GDPR.

C11. Some situations when Consent could be/will be the lawful basis:

C11.1 — New purpose/processing on existing data (Article 6(4) compatibility test)

The following must be considered in this scenario:

  • Relationship between the Data Subject and the Data Controller
  • Reasonable expectation of the Data Subject
  • Relation between the Primary & Secondary Purpose
  • Types of data being used
  • Possible consequences of this secondary processing for the data subjects.
  • Security & safeguards in place for this secondary processing

C11.2 — Collecting new data or new category of data

  • Data types & processing envisaged
  • Data lifecycle: from Collection to Destruction
  • Other legal requirements pertaining to this new data type or processing

C11.3 — Collecting or processing sensitive data (special categories of personal data, Article 9)

  • Meet the requirements of explicit consent (Article 9(2)(a))
  • Apply higher safeguards and stronger data security for this type of data

C11.4 — When other regulations or laws require consent for certain processing activities

  • Check whether the current consent requirements and methods are consistent with the requirements of those other or new laws

C11.5 — Transfer of personal data to a third country or international organisation (Article 49)

  • Meet the requirements of explicit consent, given after the data subject has been informed of the possible risks of such a transfer (Article 49(1)(a))
  • Apply higher safeguards for this transfer of data

C12. Consent Management

As mentioned above, the most important part of consent management is that consent must be demonstrable. Therefore keeping the consent details (refer C9) intact is the responsibility of the individual/team/product that obtains the consent.

  1. Maintain it in a central system (for example a CRM) which serves as the master consent database and is synced with every other system that relies on it.
  2. There may be different consents obtained for different purposes. Each of these must be uniquely recorded in the record of the data subject with all the details described under C9, so that a processing operation can be checked against the specific consent that covers it.
  3. Remember that it is the responsibility of the individual/team/product to ensure this is properly adhered to.
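As an added illustration of C9 and C12 (this is example code written for this page, not code from the original post or from any GDPR tooling), the sketch below is a minimal append-only consent ledger. It refuses anything that is not a clear affirmative act, records the exact notice text with a digest so later edits are detectable, keeps withdrawn records rather than deleting them, and answers the question C13 is really about: was this processing, for this purpose, covered by consent at that time? All names (ConsentLedger, record_consent, unauthorised_purposes, the "subject-42" data) are hypothetical and constructed for the example.

```python
# Added example, not from the original post: a minimal demonstrable-consent ledger.
# All class/function names and sample data are hypothetical, constructed for illustration.
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Recital 32: consent is a clear affirmative act. Silence, pre-ticked boxes and
# inactivity (C6) are rejected at the point of recording, not checked later.
AFFIRMATIVE_METHODS = {"written_statement", "email", "unticked_box_ticked", "oral"}


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                 # one record per purpose (C7)
    method: str                  # how consent was obtained (C9)
    notice_text: str             # exact text shown to the data subject (C9)
    notice_sha256: str           # digest so later edits to the notice are detectable
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only store: withdrawal closes a record, it never deletes it (C9)."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], List[ConsentRecord]] = {}

    def record_consent(self, subject_id: str, purpose: str, method: str,
                       notice_text: str, given_at: Optional[datetime] = None) -> ConsentRecord:
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} is not a clear affirmative act (Recital 32)")
        rec = ConsentRecord(
            subject_id=subject_id, purpose=purpose, method=method, notice_text=notice_text,
            notice_sha256=hashlib.sha256(notice_text.encode("utf-8")).hexdigest(),
            given_at=given_at or datetime.now(timezone.utc),
        )
        self._records.setdefault((subject_id, purpose), []).append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """Close the active record for this purpose; False if there was none to close."""
        at = at or datetime.now(timezone.utc)
        for rec in self._records.get((subject_id, purpose), []):
            if rec.withdrawn_at is None:
                rec.withdrawn_at = at
                return True
        return False

    def is_authorised(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """True iff consent for exactly this purpose was in force at time `at`.
        Processing before a withdrawal stays lawful (Article 7(3)), so a past
        timestamp can still be authorised after the consent has been withdrawn."""
        at = at or datetime.now(timezone.utc)
        for rec in self._records.get((subject_id, purpose), []):
            if rec.given_at <= at and (rec.withdrawn_at is None or at < rec.withdrawn_at):
                return True
        return False

    def unauthorised_purposes(self, subject_id: str, purposes_used: List[str],
                              at: Optional[datetime] = None) -> List[str]:
        """Purposes actually processed that no consent covers (C9 last bullet, C13)."""
        return [p for p in purposes_used if not self.is_authorised(subject_id, p, at)]

    def evidence(self, subject_id: str, purpose: str) -> List[dict]:
        """The full history for one purpose: what you show a supervisory authority."""
        return [{"given_at": r.given_at.isoformat(),
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None,
                 "method": r.method, "notice_sha256": r.notice_sha256,
                 "notice_text": r.notice_text}
                for r in self._records.get((subject_id, purpose), [])]


def demo() -> Tuple[bool, List[str], bool]:
    """Constructed walk-through: grant, check, detect over-processing, withdraw, re-check."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 10, 20, 9, 0, tzinfo=timezone.utc)
    notice = "We will email you a monthly newsletter. Withdraw any time via the link in each email."
    ledger.record_consent("subject-42", "newsletter", "unticked_box_ticked", notice, given_at=t0)
    before = ledger.is_authorised("subject-42", "newsletter", at=t0 + timedelta(days=1))
    # Consent was given for the newsletter only; profiling is a separate purpose (C7).
    exceeded = ledger.unauthorised_purposes("subject-42", ["newsletter", "profiling"],
                                            at=t0 + timedelta(days=1))
    ledger.withdraw("subject-42", "newsletter", at=t0 + timedelta(days=30))
    after = ledger.is_authorised("subject-42", "newsletter", at=t0 + timedelta(days=31))
    return before, exceeded, after


if __name__ == "__main__":
    print(demo())  # (True, ['profiling'], False)
```

The design choice worth noting is that authorisation is evaluated against a timestamp, not against the current state: a complaint about processing that happened last March has to be answered with the consent that was in force last March, which is exactly why C9 wants both the given and withdrawn times kept.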

C13. Consequences when consent is not valid, cannot be demonstrated, or the processing exceeds the scope of the consent given (Article 83(5)):

→ Administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.


Written by Andrew David Bhagyam

Security & Privacy geek, Data protection thought leader, hacker, musician, Christian(I don't believe in religion, but I believe in Jesus Christ)
