Consent to the processing of personal data under the General Data Protection Regulation (GDPR) is based on instructions and conditions.
In 2016, the European Union passed the General Data Protection Regulation 679/2016. It is also known as GDPR and came into force in May 2018. Its application aims to ensure that any natural person controls the processing of his or her personal data by companies, public-private sectors, and organizations.
According to EU data protection rules, processing must be done in an appropriate and lawful manner, for a specific and legitimate purpose, and must cover only the data necessary to achieve that purpose. Consent is required to process personal data.
Consent is any indication of will that is free, specific, explicit and fully aware. By it, the data subject expresses, with a statement or with a clear positive action, that he or she agrees to the processing of his or her personal data.
The GDPR sets strict rules for consent-based data processing. The purpose of these rules is to ensure that the data subject understands what he or she has actually consented to. This means that consent must be given freely and specifically. The consent statement must be worded in plain and understandable language. Consent must be given by affirmative action, e.g. by selecting a box on a web page or by signing a statement.
Once consent has been given to the processing of personal data, the data may be processed only for the purposes for which the consent was given. The data subject must also be given the opportunity to withdraw his or her consent.
“Consent must be obtained freely from the natural person and explicitly. The Controller must also be able to prove that it was received.”
Request for Consent
The request for consent must specify the use that will be made of the personal data and include the contact details of the company that processes the data. Consent must be given freely and be specific, aware, and unquestionable. The term “aware” means that the individual must have been informed of the processing of personal data, as well as of the following:
- The identity of the organization that processes the data
- The purposes for which the data are processed
- The type of data to be processed
- The possibility of revoking the consent (e.g. by sending an email to revoke the consent)
- Where necessary, the fact that the data will only be used for automated decision making, including profiling
- Whether the consent relates to the international transmission of the individual's data, and the potential risks of data transfer to non-EU countries in two cases: first, if there is no Commission decision on adequacy for these countries; second, if no appropriate guarantees are provided
Conditions of Consent
In assessing whether consent is freely given, account shall be taken in particular of whether consent to the processing of personal data is a condition for the acceptance of terms or conditions for the performance of a contract or the provision of services.
If it is set as a condition, then it is not given freely. The burden of proof on whether the consent has been given freely rests with the Controller. Consent cannot be considered freely given when there is a clear disparity between the data subject and the Controller, especially in cases where the Controller is a public authority or employer and it is therefore unlikely that consent has been given freely. In such cases, another legal basis for processing should be applied.
Also, if the data are processed for multiple purposes or processing operations, consent must be provided for each of them, and if consent is given in a written statement that also concerns other matters, the request for consent must be clearly distinguishable from the other matters, in an understandable and easily accessible form.
The data subject can revoke consent at any time. The processing operations carried out before the revocation are not affected. In addition, if there is no legal basis to justify the continuation of the processing (e.g. further storage of the data), the data must be deleted or anonymized by the Controller. Revocation should be as easy as the provision of consent. The data subject must be informed of the possibility of revocation before consent is obtained. If, after the consent is revoked, the Controller wishes to continue the processing on another legal basis, it must explicitly state this to the data subject in accordance with Article 13 and Article 14 of the GDPR.
Consent can be obtained during a purchase, an information campaign, an advertising campaign, while browsing a website, etc. For this reason, we have designed a consent management system called Consent Me. The purpose of this project is to develop an integrated consent management system. This will allow the Controller to prove that consent was obtained, as well as its correlation with corresponding consents concerning other actions. The Controller will also be able to manage the same person’s consent from different channels. Finally, the natural person will be able to search and process his or her personal data at any time.