Processing of personal data: consent requirements under GDPR

What about consent obtained prior to the entry into force of the GDPR?

The GDPR’s impact on consent.

The GDPR came into force on May 25, 2016 and its legal requirements therefore now apply throughout the European Union (since May 25, 2018). Under the previous general EU Privacy Directive (no. 46 of 1995) companies – and their marketing departments – tended to consider the data subject’s consent the primary and most efficient means of ensuring correct and lawful processing of personal data. Hence, they used to be extremely generous in placing (not to say disseminating) consent forms and tick boxes everywhere in order to put themselves on the safe side. Once a ‘consent’ had been obtained, everybody felt they could relax and carry on doing business as usual.

What’s new, what’s not.

Did the GDPR introduce significant changes to the consent requirements? Not really: only slight differences from the previous provisions may be found. What about the gazillions of consents collected in the past: are they still valid under the GDPR? Maybe.

As to the first aspect, we should consider that:

  • ‘Consent’ remains one of several lawful bases (listed in the Regulation) for legitimate processing. To be valid it must result in a “freely given, specific, informed and unambiguous indication of the data subject's … agreement to the processing of personal data” in relation to one or more specific purposes.
  • Should a company elect ‘consent’ as its legal basis for handling an individual’s personal data, it must stick to that choice throughout the processing (no silent switches to other legal bases are allowed). Furthermore, in that case data subjects must be offered a mechanism for withdrawal that is as easy as the one used to collect the consent.
  • Bearing in mind that ‘consent’ always refers to specific purposes, it follows that data subjects must be provided in advance with information about both the purposes and any further uses of the data collected and stored. Such information must be clear and easy to understand, i.e. written in language immediately accessible to the average person and suited to the kind of audience targeted by the consent request. This requirement is particularly important when minors or other vulnerable natural persons are addressed (for whom the GDPR – in Article 8 – sets additional layers of protection). Companies need to understand that complying with the information requirement is an ongoing challenge, especially at a time when data collection and processing face a rapidly and continuously changing technological environment.
  • Finally, companies need to be able to substantiate that they have asked for – and have obtained – the targeted data subjects’ consent. Such capacity will prove crucial any time a company finds itself under the scrutiny of a regulatory Authority.

What about “old” consent?

As to consent previously obtained, companies should not get too excited about the wording of Recital 171 of the GDPR, according to which: “Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation.”

It could prove risky to conclude that this statement allows controllers simply to continue processing all data previously collected, and that such further use would automatically be covered by consent obtained earlier. The Recital is clear in stating that such further processing may occur only “where processing … is in line with the conditions of this Regulation.” Therefore, companies should consider that ‘consent’ implies the fulfilment of a – preliminary – ‘information’ requirement, meaning that, in the first place, data subjects must be offered a ‘notice’ about the purposes and planned uses of the data collected and stored. Hence, the content of that ‘notice’ delimits the scope of the data’s processing.

Unfortunately, under the GDPR’s provisions the notice requirements are not identical to those laid down in the (old) general Privacy Directive (no. 46 of 1995) but have been broadened. Regulation no. 679 of 2016 now also requires indications as to:

  • the ‘legal basis’ of the data’s processing;
  • the controller’s intention to transfer the data collected to third countries;
  • the period of data storage (or the criteria used to determine that period);
  • the elements identifying the ‘legitimate interest’ pursued (when that basis is chosen for the data’s processing);
  • the data subject’s right to ask the controller to ‘erase’ the personal information stored (the so-called ‘right to be forgotten’);
  • the right to withdraw previously given consent at any time (in certain cases);
  • the right to lodge a complaint with a Supervisory Authority;
  • the source from which the data collected had been obtained;
  • the “existence of automated decision-making profiling” and “meaningful information about the logic involved as well as the significance and the envisaged consequences ...”.

Think, check and think again!

Marketers will therefore need – before hastily relying on consent previously given – to verify the purposes covered by that consent, i.e. the content of the notice previously offered to data subjects. Should the earlier notice not contain all the indications now required by the GDPR, they should not hesitate to serve data subjects with a new notice (in line with the GDPR’s provisions). The GDPR’s sanctions regime should deter everybody from taking a light-hearted approach to fulfilling this particular requirement.