Since the General Data Protection Regulation (GDPR) became fully enforceable across the European Union (EU) on Friday, 25 May 2018, there has been a lot of confusion, and even panic, about when it is appropriate to use consent as the legal basis for processing the personal data of a customer or client.
You may have noticed that many customers automatically assumed consent was the only way to continue processing personal data lawfully. This was a big misunderstanding, particularly for companies that want to send direct marketing to people after 25 May: they may be able to rely on other valid legal grounds, such as legitimate interest, without needing consent. Provided such a company has carried out a legitimate interest assessment confirming that the processing does not override the rights, interests and freedoms of the individuals concerned, consent is not always necessary, although the customer retains the right to refuse further marketing communications.
Tip: Remember that consent needs to be the most appropriate ground for the situation in question, so the choice of legal basis should be thought through carefully.
Definition of consent under GDPR
Under Art. 4(11), GDPR: “Consent of the Data Subject means any freely given, specific, and informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Tip: On reading this definition, it’s clear that consent can’t be implied from silence, as it requires knowledge and active agreement. Consent can’t be imposed on an individual or implied where there’s a significant imbalance of power. And it’s unlikely consent can be achieved by the use of legal gobbledygook or overcomplicated terms and conditions.
In this blog, we’ll focus on the conditions for consent (Art. 7, GDPR) as they apply to the normal, everyday interactions that occur in a business context for managed services providers (MSPs).
However, special conditions apply to the consent of a child (Art. 8, GDPR) and to the processing of special categories of personal data, such as biometric or health data, which requires explicit consent (Art. 9, GDPR).
In simple terms, there must be no room for doubt about the customer’s or client’s intention in giving consent. A pre-ticked box that the customer has to untick in order to opt out is therefore not valid consent under the GDPR. Similarly, sending a customer or client any communication stating that “consent will be assumed unless we hear otherwise” would also be a breach of the GDPR.
Requirement for consent from the customer or client to be ‘specific’ and ‘informed’
This means that, before individuals give consent, they must be told the purposes for which their data will be processed, and withdrawing consent at any time must be as easy as giving it in the first place.
Tip: The Information Commissioner’s Office (ICO) in the UK recently published guidance listing seven important elements of consent under the GDPR. The highlights of that guidance follow.
Seven things to watch out for with consent
The MSP’s customer, who is generally considered the Data Controller, bears the burden of proving that the Data Subject (their end customer) has consented to the processing of their data, and must be able to demonstrate that the consent met the requirements of the GDPR.
Tip: Keeping and maintaining accurate and up-to-date records is essential for all clients.
If consent is obtained while the Data Subject is engaging in another transaction (e.g., buying goods or services), the Data Controller will need to be sure the Data Subject is aware that they have consented to data collection and processing, and to what extent that consent has been given.
Tip: The request for consent must be presented in a manner that is clearly distinguishable from the other acknowledgements or agreements required from the Data Subject.
Example: Website operators that need consent for data collection or processing must collect it in a way that obtains a specific and clear consent from their users, allowing the operator to comply with its legal obligations without interrupting or otherwise affecting the user’s online experience. Actively clicking a tick-box online is therefore a good alternative to making a written statement of consent. Operators will also have to ensure their website privacy policies reflect the new consent and notice requirements under the GDPR.
The Data Subject has the right to withdraw her/his consent at any time and must be told about this right.
Tip: Note that withdrawing consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal, nor the lawfulness of processing of personal data based on other grounds.
Consent will not provide a legal basis for data processing where there is a significant imbalance between the position of the Data Subject and the Data Controller, and that imbalance makes it unlikely that consent was freely given (Recital 34, GDPR).
In addition, “utmost account” must be taken of whether the performance of a contract is made conditional on consent to the processing of personal data that is not necessary for the performance of that contract (Art. 7, GDPR).
Tip: Given the imbalance of power in an employment context, the processing of employees’ personal data in the course of their employment should be done under other legal grounds, such as legitimate interest. Under Art. 82, GDPR, EU Member States may pass their own laws on personal data processing in the employment context, and these may include additional rules relating to consents and notices.
For more support with GDPR, check out our GDPR Resource Center
© 2018 SolarWinds MSP Canada ULC and SolarWinds MSP UK Ltd. All rights reserved.
Disclaimer: This blog does not represent the views of SolarWinds MSP.