Commentary on art. 7


GDPR – commentary

A continuously updated commentary on the General Data Protection Regulation.
We only write about what is important in practice.

Conditions for consent

  • In order for consent to the processing of personal data to be considered a valid basis for processing, it must:
    • Be given freely
    • Be given for a specific purpose
    • Be given in an informed manner
    • Be given by a statement or a clear affirmative act as an unambiguous demonstration of the data subject’s wishes
    • Signify agreement to the processing of personal data relating to the person who has given consent
  • It is advisable that controllers, before starting to process personal data based on consent, thoroughly assess and document the assessment of whether the content, the manner of collection and the form of the request for consent comply with the aforementioned conditions.
  • The main feature of consent as a ground for processing personal data is that the existence of this ground for processing depends entirely and exclusively on the person who has given consent. The person who has given consent has the right to withdraw it at any time. Importantly, the withdrawal of consent shall not entail any negative consequences for the person who gave it and subsequently withdrew it.
  • Polish labour law introduces additional conditions for the processing of personal data of employees or job applicants by the employer on the basis of their consent; these must be taken into account whenever an employer processes personal data on the basis of the data subject’s consent.

What is consent to the processing of personal data?

Consent to the processing of personal data is one of the legal bases for processing. This means that consent is one of the circumstances which, when present, allows the controller to process certain personal data. However, if the controller can identify another adequate basis for the processing (e.g. the processing is necessary for the conclusion of a contract), then processing on the basis of consent will be incorrect and, as such, may be considered a breach of the GDPR. The common belief that collecting consent is always the safest solution is therefore incorrect.

Example: The Labour Code clearly defines what personal data an employer may process. This data includes the employee's date of birth. The employer processes such data on the basis of Article 6(1)(c) of the GDPR (processing necessary to comply with a legal obligation), in conjunction with the relevant provisions of the Labour Code, and collecting consent in this respect would be an incorrect practice.

When considering what is the legal basis for data processing, it is useful to answer the questions:

  • Why is data processing necessary?
  • Does it derive from legislation?
  • Is it an obligation or an entitlement?
  • Is the provision of such data indispensable for the conclusion or performance of the contract?

The answers to these questions will help to determine what is the appropriate basis for processing.

What conditions must the consent meet?

In order for consent to process personal data to be considered a valid and effective basis for processing, the consent must be:

  • freely given;
  • specific;
  • informed;
  • unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (with the understanding that in some specific cases consent will be given by another person, as when a parent gives consent in relation to his/her child's data).

If it turns out that the consent to data processing does not meet all these conditions, processing based on such consent would constitute a breach of the GDPR by the processing entity. In addition, in such a case, the mere fact of determining the content and manner of collecting consents in breach of the legal requirements could be considered a breach of the GDPR.

It is advisable that, before starting to process personal data based on consent, the controller thoroughly assesses (and documents this assessment for accountability purposes) whether the content and the manner of data collection as well as the form of the consent request comply with the above conditions.

In addition - due to a number of considerations related to the processing of personal data based on consent (described in more detail below) - it is advisable for a controller planning data processing based on consent to consider in each case whether another adequate basis for data processing can be identified in relation to the intended processing, e.g. data processing in the performance of a contract or data processing based on the so-called legitimate interest of the controller or a third party.

When can consent be considered voluntary?

The key element necessary for consent to be considered valid and capable of forming the basis for data processing is that it is freely given by the data subject: the decision to give consent actually depends solely on the free decision of the data subject and is not, in particular, the result of pressure, fear, deception or even excessive inducement.

The European Data Protection Board's guidelines on consent under the GDPR (hereinafter: 'consent guidelines') (Guidelines 05/2020 on consent under Regulation 2016/679) further clarify that

the element of “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if he or she does not consent, then consent will not be valid (…). In fact, any element of undue pressure or undue influence on the data subject (which may manifest itself in many different ways), preventing the data subject from freely expressing his or her will, will render the consent invalid.

The GDPR also gives a number of pointers helpful in assessing whether, in a given case, consent has not been given freely. Recital 42 of the GDPR indicates that:

Consent should not be considered to be freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

If, for example, the refusal to give consent to data processing was linked to a significantly lower quality of services provided to the data subject, it would be difficult to consider such consent to have been given freely. Similarly, if the data processing were structured in such a way that the person who gives consent obtains a benefit as a result thereof (e.g. a discount or access to a better quality of services), but at the time of withdrawal of consent must return the obtained benefit (e.g. return the discount or pay extra for certain services), such consent to data processing could be considered invalid under the GDPR.

Recital 43 of the GDPR, in turn, states that:

in order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.

Such an imbalance may exist in a variety of circumstances - it is advisable for the controller to consider whether there will be a risk of imbalance between him/her and the persons who are to give consent in a particular case before starting the consent collection process.

In practice, the imbalance between the employer and the employee or job applicant is of great importance, as emphasised in particular by the European Data Protection Board (EDPB) in the consent guidelines:

Given the dependency that results from the employer/employee relationship, it is unlikely that the data subject is able to deny his/her consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal.

The EDPB therefore recognises that,

in the case of employers, it is problematic for employers to process personal data of current or future employees on the basis of their consent as it is unlikely to be freely given.

This means that employer's processing of personal data of employees / job applicants based on the consent they have given may only be legitimate in absolutely exceptional cases, and that the employer, when deciding in such cases to process personal data on the basis of consent, should document the rationale behind his/her assessment that relying on consent in such cases does not violate the requirement that the consent be “freely” given.

Furthermore, Recital 43 of the GDPR states that

Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case.

According to the Consent Guidelines,

If the controller has conflated several purposes of processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom. (...) When processing is done in pursuit of several purposes, the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose.

The above requirement is closely linked to the requirement of concreteness of consent, which is elaborated below.

Recital 43 of the GDPR further states that:

consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent, despite such consent not being necessary for such performance.

In practice, in order to assess whether, in a given case, consent to the processing of data is necessary for the performance of a contract or the provision of a service, it is necessary to consider whether, judging objectively, it is impossible to perform the contract or service offered by the controller without prior consent. If, without prior consent and without processing of personal data to the extent and in the manner indicated in the intended consent, it is objectively possible for the controller to perform the offered service or contract, consent to the processing of personal data collected in such circumstances may be deemed invalid.

As an example of a situation where consent is not freely given, the EDPB points to the following scenario:

A mobile photo editing app asks users to activate their GPS location in order to start using its services. The app also informs users that it will use the collected data for behavioural advertising. Neither geo-location nor online behavioural advertising are necessary for the photo editing service and go beyond the provision of the basic service. As users cannot use the app without consenting to these services, consent cannot be considered as freely given.

However, the above raises the question of what happens if, without prior consent, it is objectively possible to provide a service, albeit in a slightly different scope or form than the service that would have been provided had consent been given. The EDPB explains in the Consent Guidelines that:

a controller could argue that his organisation offers data subjects genuine choice if they were able to choose between a service that includes consenting to the use of personal data for additional purposes on the one hand, and an equivalent service offered by the same controller that does not involve consenting to data use for additional purposes on the other hand. As long as there is a possibility to have the contract performed or the contracted service delivered by this controller without consenting to the other or additional data use in question, this means there is no longer a conditional service. However, both services need to be genuinely equivalent.

In the view of the EDPB,

consent cannot be considered as freely given if a controller argues that a choice exists between its service that includes consenting to the use of personal data for additional purposes on the one hand, and an equivalent service offered by a different controller on the other hand. In such a case, the freedom of choice would be made dependent on what other market players do and whether an individual data subject would find the other controller’s services genuinely equivalent. It would furthermore imply an obligation for controllers to monitor market developments to ensure the continued validity of consent for their data processing activities, as a competitor may alter its service at a later stage. Hence, using this argument means a consent relying on an alternative option offered by a third party fails to comply with the GDPR, meaning that a service provider cannot prevent data subjects from accessing a service on the basis that they do not consent.

Therefore, it is evident that making the performance of a contract or service conditional on the provision of consent can be very problematic. If a controller plans to do so, he or she should first carefully consider, justify and document the arguments supporting his or her view that, in this particular case, the collection of consent can be deemed not to breach the requirement of freedom, in particular that the offered services are genuinely equivalent.

When can consent be considered to be given for a specific purpose?

In order for consent to be deemed to be given for a specific purpose, the content of the consent should relate to a narrowly defined purpose and the intended processing of the data on the basis of the consent. In other words, the consent should clearly indicate what activities related to personal data, for what purpose (one purpose and not several purposes) and in relation to which categories of data the controller intends to perform.

Importantly, if a controller plans to process personal data on the basis of consent for a number of different purposes he or she should, according to the Consent Guidelines:

ensure that consent can be given separately for each of these purposes to allow users to give specific consent for specific purposes. (...) In addition, in each separate request for consent, controllers should provide details of the data processed for each purpose, in order to make data subjects aware of the implications of the different choices they may make.

As can be seen from the above, in order to mitigate the risk of violating the GDPR and exposing the validity of consent to scrutiny, controllers should when drafting the content of consent pay particular attention to specifying precisely the intended purpose of data processing on the basis of that consent and assess in each case whether the content of consent actually covers only one purpose of processing.

When can consent be considered to be given in an informed manner?

For consent to be informed, it is necessary to inform the data subject, in an accessible, comprehensible and readable manner, of certain elements that are crucial to making a choice. The Consent Guidelines emphasise that “the message should be understandable for the average person, not only for lawyers”, and that “information relevant to making informed decisions on whether or not to give consent may not be hidden in general terms and conditions”.

Regarding the minimum range of information, the Consent Guidelines indicate that

at least the following information is required for obtaining valid consent:

  1. the controller’s identity;
  2. the purpose of each of the processing operations for which consent is sought;
  3. what (type of) data will be collected and used;
  4. the existence of the right to withdraw consent;
  5. information about the use of the data for automated decision-making in accordance with GDPR Article 22(2)(c) where relevant; and
  6. information on the possible risks of data transfers [outside the EEA - editor's note] due to the absence of an adequacy decision and of appropriate safeguards as described in GDPR Article 46.

The form and the manner in which the abovementioned information is provided should be adapted to the categories of recipients asked to give consent. As the EDPB points out, “for example, where processing is addressed to a child, it should be in such a clear and plain language that the child can easily understand”. In addition, “such information may be provided in various ways, such as in the form of written or oral statements or audio or video messages”.

In addition, it seems advisable for the controller who addresses his/her consent requests to individuals speaking different languages, e.g. living in different EEA countries, to draw them up in these languages.

When can consent be deemed to be given in the form of an unambiguous indication of wishes by way of a statement or a clear affirmative act?

In order for consent to be deemed given in the form of an unambiguous indication of wishes by way of a statement or a clear affirmative act, the manner in which consent is collected must require some kind of action on the part of the person giving consent. In other words, the consent collection process should not be structured in such a way that the data subject gives his or her consent without performing any additional action, whether by ticking a box and signing a document, ticking a checkbox online, clicking on a tile or link on a website or, in the case of a telephone call, clearly stating out loud that he or she is giving consent. The manner in which consent is given should be tailored to the communication channel through which it is collected. The controller should ensure that there is no ambiguity as to whether the data subject has actually performed an act confirming his or her consent.

Recital 32 of the GDPR further indicates that:

consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. (...) If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

The Consent Guidelines further clarify that, in particular, “(...) simply continuing to use the service cannot be considered as an active indication of choice”. Then they indicate that:

consent cannot be obtained through the same motion as agreeing to a contract or accepting general terms and conditions of a service. Blanket acceptance of general terms and conditions cannot be seen as a clear affirmative act to consent to the use of personal data. The GDPR does not allow controllers to offer pre-ticked boxes or opt-out mechanisms that require an intervention from the data subject to prevent agreement (for example, ‘opt-out’ boxes). An active affirmative motion by which the data subject indicates consent may be necessary when a less infringing or disturbing modus would result in ambiguity. Thus, it may be necessary that a consent request interrupts the use experience to some extent to make that request effective.

When can consent be deemed to authorise the processing of personal data of the person who gives that consent?

In order for consent to be deemed to authorise the processing of personal data of the person who gives that consent, it must be clear from its content that, if consent is given, the controller will process the personal data of the person who gives it, for the purpose and to the extent indicated in the consent. This requirement combines with the requirement of concreteness and informed choice referred to above.

What additional conditions must be met by consent in a written statement?

The GDPR lays down additional requirements for consent collected in the context of a written declaration. In order to reduce risk and for the sake of greater transparency and fairness of the processing, it is advisable to treat ‘written declaration’ as covering not only a declaration written and signed on paper, but also a written declaration made in electronic form.

According to the GDPR,

if the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this GDPR shall not be binding.

In practical terms, it is crucial that the document which covers consent to data processing and other issues be worded in such a way that the consent cannot be considered to be ‘hidden’ or difficult to notice. To this end, use should be made of appropriate graphic solutions (e.g. highlighting by colour or border) and editorial solutions, e.g. highlighting by placing consent within separate sections or separate pages of the document (as appropriately labelled or titled annexes or as separate documents). It is also important to adequately explain in the text of the consent what it is actually about and what is its role, and that its expression is independent of other issues raised or regulated in the document.

Consent and accountability

The GDPR places great emphasis on the fact that a controller who processes data on the basis of consent must be able to prove that he or she has actually obtained consent.

A data controller planning to base the processing of personal data on consent should therefore ensure that the consent process is designed in such a way that it can be easily demonstrated that consent has been given (including by whom, when and of what content), e.g. before the Polish Office for the Protection of Personal Data (PUODO).

In the case of written consents, the issue is relatively simple - it is enough to keep the relevant documents. However, it should be ensured that they are properly archived so that, in the event of an audit or a PUODO summons, the controller will be in a position to find the relevant documents quickly and without any problem.

In the case of consents collected electronically or remotely, the issue of being able to demonstrate the granting of consents is somewhat more complicated. In the case of consents collected via the internet, the software used to collect consents should properly archive the information on:

  • Who gave the consent in question (e.g. a logged-in user with a specific ID, a person with a specific email address indicated for contacts with the controller);
  • How it can be demonstrated that the consent was given by the person to whom it relates and not by another, unauthorised, person (e.g. one has to log in before giving consent);
  • When consent was given (for example, through the archiving of relevant logs);
  • What was the content of the consent given (by archiving the content of the consent in connection with the person giving it and the moment it was given in such a way that, for example, analysis of the logs clearly shows who gave the consent, when and what type of consent was given).

In the case of consent collected during phone calls, the giving of consent may be demonstrated by recording the conversation with the data subject. It is also advisable to establish and record, during the call, who is giving the consent in question.

Particular attention should be paid to the need for adequate archiving of information for the purpose of implementing the principle of accountability when consent to data processing is given not by the data subject himself or herself, but by another person, e.g. when a parent gives consent in relation to a child's data.

Right to withdraw consent - practical implications

The main feature of consent as a ground for processing personal data is that the existence of this ground for processing depends entirely and exclusively on the person who has given consent. The person who has given consent has the right to withdraw it at any time. Importantly, the withdrawal of consent should not entail any negative consequences for the person who gave consent and subsequently withdrew it (e.g. having to reimburse a discount given in connection with consent, or experiencing a significant reduction in the quality of services or a reduction in the scope of services).

The controller should ensure that the person who has given consent can withdraw it at any time and that withdrawal is as easy as giving consent. In practice, this makes it necessary to take into account the issues related to the withdrawal of consent already at the stage of designing processing based on consent. This means, for example, that if a controller plans to collect consent to process data via the internet, he or she should also provide for the possibility to withdraw that consent via the internet. Moreover, the method of withdrawing consent should not require using steps more complicated than those involved in giving consent, and the location, e.g. the button used to withdraw consent, should be as easy to find for the data subject as the button used to give consent.

When designing consent-based processing, the controller should also consider how he or she will verify that consent is withdrawn by the person who gave it (or by a person authorised to act on behalf of the person who gave it). The proper manner of verification should take into account the principle of minimisation of data processing and the abovementioned requirement to organise the process in such a way that withdrawing consent is as easy as giving it. This means, inter alia, that the controller should not, as a general rule, request more data to identify the person withdrawing consent than was previously sufficient for the controller to consider that the person concerned has effectively given his or her consent.

What are the consequences of withdrawing consent for the controller?

Under the GDPR, the withdrawal of consent does not affect the lawfulness of processing that was carried out on the basis of consent prior to its withdrawal. In practice, this means that the processing of personal data carried out by the controller until the withdrawal of consent on the basis of duly given consent remains lawful despite the data subject's withdrawal of consent.

However, the withdrawal of consent means that the controller may no longer process the personal data for the purpose specified in the withdrawn consent. The controller should also, as a general rule, delete the personal data processed on the basis of the withdrawn consent, unless the controller is able to identify another basis for further processing of the data of the person who has withdrawn consent. In practice, in some cases such a basis may be the controller's legitimate interests in defending against claims (GDPR Article 6(1)(f)). However, each instance of retaining personal data of the person who has withdrawn consent should be assessed on a case-by-case basis and using a precautionary approach. Indeed, in most cases, the effective withdrawal of consent by the data subject should result in the deletion of the personal data to which the consent relates.

When designing consent-based processing, the controller should also consider implementing solutions that, in the event of withdrawal of consent, efficiently and where possible automatically (while keeping evidence of these actions for accountability purposes):

  • Delete the relevant data from the controller's files;
  • Notify processors acting on behalf of the controller of the need to delete the relevant data from their files.
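As an added illustration that is not part of this commentary, the following Python sketch shows one way to implement the accountability records listed above (who gave consent, how their identity was established, when, and the exact consent wording) together with the withdrawal path just described: withdrawal stops the processing for that purpose, notifies the controller's processors, and leaves evidence of both. Every entry is hashed together with the previous one, so a later alteration of any record is detectable. The class, field and function names are assumptions made for this example, and the consent text and identifiers are constructed sample data.

```python
# Added example, not from the commentary: a minimal, tamper-evident consent
# ledger. Class, field and function names are assumptions for this illustration.
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable

# Recital 32: silence, pre-ticked boxes or inactivity do not constitute consent;
# the guidelines add that merely continuing to use a service does not either.
NON_AFFIRMATIVE_ACTS = {"silence", "pre-ticked box", "inactivity", "continued use"}
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class ConsentText:
    purpose: str   # exactly one purpose per consent request (granularity)
    version: str   # identifies the wording that was actually shown
    text: str

    def digest(self) -> str:
        raw = f"{self.purpose}\n{self.version}\n{self.text}".encode("utf-8")
        return hashlib.sha256(raw).hexdigest()


class ConsentLedger:
    """Append-only log of consent events; each entry hashes the one before it,
    so editing any stored record afterwards makes verify_chain() fail."""

    def __init__(self) -> None:
        self.entries: list[dict] = []
        # Callbacks that tell each processor to erase data for (subject, purpose).
        self.processor_hooks: list[Callable[[str, str], None]] = []

    def _append(self, event: dict) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        event = dict(event, prev_hash=prev)
        body = json.dumps(event, sort_keys=True).encode("utf-8")
        event["entry_hash"] = hashlib.sha256(body).hexdigest()
        self.entries.append(event)
        return event

    def record_consent(self, subject_id: str, auth_method: str, consent: ConsentText,
                       affirmative_act: str, when: datetime | None = None) -> dict:
        if affirmative_act in NON_AFFIRMATIVE_ACTS:
            raise ValueError(f"{affirmative_act!r} is not a clear affirmative act")
        when = when or datetime.now(timezone.utc)
        return self._append({
            "event": "consent_given",
            "subject_id": subject_id,
            "auth_method": auth_method,          # how we know it was this person
            "affirmative_act": affirmative_act,  # what the person actually did
            "purpose": consent.purpose,
            "consent_version": consent.version,
            "consent_digest": consent.digest(),  # proves the exact wording shown
            "at": when.isoformat(),
        })

    def is_active(self, subject_id: str, purpose: str) -> bool:
        active = False
        for e in self.entries:  # replay grants and withdrawals in order
            if e.get("subject_id") == subject_id and e.get("purpose") == purpose:
                if e["event"] == "consent_given":
                    active = True
                elif e["event"] == "consent_withdrawn":
                    active = False
        return active

    def withdraw(self, subject_id: str, purpose: str, auth_method: str,
                 when: datetime | None = None) -> dict:
        # auth_method is recorded, not ranked: the controller must not demand a
        # stronger identification here than it accepted when consent was given.
        if not self.is_active(subject_id, purpose):
            raise LookupError("no active consent for this subject and purpose")
        when = when or datetime.now(timezone.utc)
        entry = self._append({
            "event": "consent_withdrawn", "subject_id": subject_id,
            "purpose": purpose, "auth_method": auth_method, "at": when.isoformat(),
        })
        for hook in self.processor_hooks:  # fan out, and keep evidence of it
            hook(subject_id, purpose)
            self._append({
                "event": "processor_notified", "subject_id": subject_id,
                "purpose": purpose, "processor": getattr(hook, "__name__", repr(hook)),
                "at": when.isoformat(),
            })
        return entry

    def verify_chain(self) -> bool:
        prev = GENESIS_HASH
        for e in self.entries:
            if e["prev_hash"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()
            if digest != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.processor_hooks.append(lambda subject, purpose: print("erase", subject, purpose))
    newsletter = ConsentText("newsletter", "2024-01", "I agree to receive the newsletter by email.")
    ledger.record_consent("user-42", "logged-in session", newsletter, "ticked an unchecked box")
    ledger.withdraw("user-42", "newsletter", "logged-in session")
    print("chain valid:", ledger.verify_chain(), "entries:", len(ledger.entries))
```

The hash chain is what turns the log into evidence rather than a mutable table: the digest of the consent text lets the controller show the exact wording the person saw, and each `processor_notified` entry is the record that the deletion obligation was passed on. Storing the subject identifier and authentication method, and nothing more, keeps the record within data minimisation.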

Consent for data processing and the specifics of Polish labour law

As indicated above, consent to data processing can rarely constitute a valid basis for the processing of employee data by an employer due to the issue of the “freedom” of consent arising from the imbalance of the parties. However, notably, Polish labour law introduces additional conditions for the processing of personal data of employees or job applicants by the employer on the basis of consent.

In practice, the following provisions of the Labour Code are crucial:

  • Art. 22¹a § 2 of the Labour Code, which explicitly states that the failure of an employee or job applicant to give consent to the processing of their personal data or the withdrawal of such consent cannot be the basis for unfavourable treatment of an employee or an applicant for employment, and cannot cause any negative consequences for them; in particular, it cannot constitute a reason justifying the refusal of employment, termination of an employment contract or its dissolution without notice by the employer.
  • Art. 22¹b § 1 of the Labour Code, which provides that the consent of an applicant for employment or an employee may be the basis for the employer's processing of special categories of personal data (e.g. health data) only if the transfer of such personal data is initiated by the employee or applicant for employment. In practice, this provision means that the employer, in order not to expose himself to the charge of infringement, should not ask the employee or job applicant to consent to the processing of special categories of personal data. Indeed, if the employer asks or suggests to the employee to consent to the processing of special categories of data, it may be difficult to argue that the employee provided such data on his or her own initiative (when the initiative to do so came de facto from the employer).