Many data controllers consider consent as the primary or preferred legal basis for data processing. Although in many cases it would be justified to use another legal basis instead of the consent, data controllers often obtain consents from the data subjects.
This consent-centred approach is not limited to data controllers; as the Article 29 Working Party's (WP29) opinion analysing the concept of consent also observes: "The Directive clearly presents consent as a ground for lawfulness. However, some Member States see it as a preferred ground, sometimes close to a constitutional principle, linked to the status of data protection as a fundamental right." (Opinion No 15/2011 on the definition of consent, p. 7)
Article 7 of Directive 95/46/EC (the "Directive") laid down the legal bases on which legitimate data processing can be based. The first item on this list is the consent of the data subject (Point (a) of Article 7). For historical reasons, and because the data subject's right to informational self-determination is exercised most fully through the right to give consent to data processing, consent also plays a priority role as a legal basis for data processing in Hungary. At the same time, the practice of the Hungarian data protection authority (NAIH) also makes clear that data controllers prefer to rely on consent as a legal basis even in cases where the conditions for obtaining consent are not fulfilled (e.g. for data processing in the workplace, where, because of the dependency inherent in the employer/employee relationship, consent can only exceptionally be the legal basis for data processing; see the Hungarian data protection authority's Guidelines on Data Processing in an Employment Context).
The legal bases for data processing defined in Article 6 of the GDPR are essentially the same as those set out in Article 7 of the Directive. The significant novelty compared to the current situation is that, because the Regulation has direct effect, its rules will not be transposed by the Member States; situations in which the direct effect of the Directive had to be relied on because a Member State had failed to transpose it, or had transposed it improperly, can therefore be avoided (e.g. the ASNEF case).
In the GDPR, consent is one of the legal grounds for lawful data processing, but it has no priority over the other legal grounds. It is therefore important that, if data processing can lawfully be carried out on a different legal basis, no consent is required. Consequently, data controllers need to consider carefully the legal basis for their intended processing and act accordingly.
It is necessary to break with the practice whereby data controllers also obtain consent to process data when the processing actually rests on a different legal basis, since in such cases the data subject receives misleading information about the data processing.
The Regulation also defines the concept of consent: "consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" (Regulation, Article 4, Point 11).
The conceptual elements of consent are as follows:
- freely given,
- specific,
- informed, and
- unambiguous.
Article 7 of the Regulation deals in detail with the terms of the consent. Also, in line with the principle of accountability, where processing is based on consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.
Consent can be given in many ways, for example by ticking a relevant box on the website concerned or by choosing the appropriate technical settings. Silence, pre-ticked boxes or inactivity, however, should not constitute consent. (Please also see Point 32 of the Preamble.)
When the processing has multiple purposes, consent should be given for all of them.
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed of this. It shall be as easy to withdraw consent as to give it. The right of withdrawal also shows why, where another legal basis is available, that basis should be used: otherwise the revocation of the consent will make further processing of the data impossible, or a sudden switch to another legal basis prompted by the withdrawal would call into question the lawfulness of the entire data processing.
What about the consents that are made before the Regulation is applicable?
According to the Preamble to the Regulation (see Point 171), “where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of the Regulation, so as to allow the controller to continue such processing after the date of application of the Regulation.”
As regards the consents made before the date of application of the Regulation, it is essential to consider whether the consent complies with the provisions of the Regulation. Data controllers should therefore review the previously obtained consents and verify that they are in full compliance with the provisions of the Regulation.
If so, the previously obtained consent remains a proper legal basis for data processing. If not, then one must look at the legal basis for data processing and, if it continues to be based on the giving of consent, then a new consent must be obtained.
Guidance is already available in some Member States on what should be done in relation to previous consents. In Germany, the Düsseldorf Circle (Düsseldorfer Kreis) stated in September 2016 that previously obtained consents were in essence in line with the above criterion of the GDPR, i.e. consents received under German law will, in principle, remain appropriate even after next May. Importantly, full compliance with the information obligation set out in Article 13 of the Regulation is not considered to be among the conditions to be fulfilled under the GDPR when assessing compliance in accordance with Point 171 of the Preamble. Particular attention should, however, be paid to the voluntary nature of the consent and to the age limit set by the Regulation. Without compliance with these, there can be no valid consent.
In the United Kingdom, the ICO's draft GDPR Consent Guidance essentially confirms that data controllers should thoroughly examine whether previously obtained consents are adequate with regard to the GDPR and whether the consent is properly documented. If either of these requirements is not fulfilled, another appropriate legal basis must be sought or a new consent must be obtained on the basis of the GDPR.