
Guidelines On Consent Under Regulation 2016/679

The blog discusses the notion of consent under the GDPR

Date : 11/11/2020

Author Information

Maria

Uploaded by : Maria
Uploaded on : 11/11/2020
Subject : Law


The European Data Protection Board's Guidelines on consent under the GDPR were last revised and adopted on 10 April 2018.

Article 6 of the GDPR lists consent among the six lawful bases to process personal data. The Guidelines reiterate that it remains up to data controllers to innovate solutions ensuring that personal data has been processed on lawful grounds.

In the context of the GDPR, consent can serve as a lawful ground only in so far as it is genuine and the subject is in control of their choice of whether or not their personal data will be processed. Importantly, choice is only deemed genuine if there will be no detrimental consequences for the subject, should they decline their consent. However, even if consent is genuinely given, the controller remains under the obligations imposed by the GDPR and, in particular, Article 5's obligation for fairness, necessity and proportionality, as well as data quality. Furthermore, the obligations related to obtaining consent under the GDPR are applicable to scenarios activating the e-Privacy Directive (soon to be e-Privacy Regulation).

Consent as defined in Article 4(11) of the GDPR is freely given, specific (i.e. with a reference to why and with regard to what the consent is sought), informed and unambiguous. Importantly, the data subject retains a degree of control and is entitled to revoke their consent at a later date.

In this context, "free" means that the data subject has a real choice and control over the processing of their data. This indicates that any bundling up with the rest of the terms and conditions or the presence of an imbalance of power between the parties will render the consent invalid. Remember that the GDPR's obligations on freely given consent are context sensitive and Article 7(4) of the Regulation opens the door to possible breaches that are not enumerated within its provisions.

With respect to imbalance of power, the Guidelines make the point that consent may also be used by public authorities, albeit this is likely to happen in specific and rare circumstances. In most cases, public authorities will be able to rely on other grounds for consent such as when processing is necessary for compliance with a legal obligation and/or when the public interest test has been triggered. Another area where imbalance of power may occur is in an employment context, where it is unlikely that consent can be genuinely and freely given. Of course, this does not mean that in certain, specific circumstances employers cannot rely on this ground for consent.

Furthermore, with regard to conditionality of consent, or bundling and tying of consent to terms and conditions and/or to the provision of services, the GDPR is clear that such practices are extremely suspect and should be avoided. Importantly, the Guidelines state that the two lawful bases for the lawful processing of personal data, i.e. consent and contract, cannot be merged and blurred. To this end, and in order to determine whether any improper conditionality has taken place, the data controller must take account of the scope of the contract and then decide what the minimum data necessary to perform the contract is. The term "necessary" is interpreted strictly and a direct and objective link is required between the data and the purpose of the contract.

