The New European General Data Protection Regulation: Consent To Data Processing

Author: María Bardají & Sascha Villoro

With today's blog post we want to start a series of articles on Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR).

The GDPR entered into force on 24 May 2016, but it only applies from 25 May 2018.

So is it in force or not? Will it replace the LOPD (the Spanish Data Protection Act)? Yes and no: the Regulation is fully in force, but companies do not have to comply with it until 25 May 2018. In the meantime, the Spanish Data Protection Act still applies. Member States may also pass their own laws on certain matters that the Regulation expressly reserves for them.

Although the GDPR is not yet applicable, the Data Protection Authorities have instructed companies to start adapting their protocols, systems and processes now, since they will certainly not be fully compliant if they wait until May next year.

If you want to know what your company should do before the final date of 25 May 2018, stay tuned to this blog or send us an email: we are preparing further informational activities.

We will start this series with CONSENT TO DATA PROCESSING.

Article 4(11) GDPR defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" (1).

While the Spanish Data Protection Act accepts tacit (or implied) consent (you did not say no, so we take it as a yes), the EU has taken the stricter path and excluded it: silence or inaction by the data subject no longer constitutes valid consent.

When the data concern sensitive matters (such as health, biometric data, political opinions, etc.), consent must also be explicit. In those cases consent may not even be inferred.

The EU legislator therefore intentionally distinguishes explicit consent from ordinary consent, which may be expressed in different ways.

We must note, however, that while Article 4(11) GDPR mentions both "a statement or a clear affirmative action", Recital 32 GDPR states only that "Consent should be given by a clear affirmative act", and then lists a set of examples: "a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent."

So while tacit consent has been ruled out, inferred consent (a clear affirmative action) remains valid. But here is the question: what does and does not constitute a "clear" affirmative action showing that the subject wants to consent to the processing of his or her personal data? After all, your company bears the burden of proof: the company that processes personal data is the one that must keep records of consent, and those records must be verifiable at any time, for instance during an inspection (principle of accountability; Article 7(1) GDPR requires the controller to be able to demonstrate that the data subject has consented).

Inferred consent may be given in many ways: when you enter your personal details in an online petition, when you give your mobile number so a store clerk can let you know when an item is back in stock, etc. Rule of thumb: the subject should be "active" when giving his or her consent.

However, when in doubt, our advice is this: start requesting express consent from your clients, users, etc. This is in line with the Spanish Information Society Services Act, which, as far as we know, will remain in force: a pre-ticked box does not allow you to send marketing emails, SMS or MMS.

Finally, please bear in mind that consents collected before the GDPR becomes applicable will also have to comply with it, so any consent that was given tacitly will no longer be valid.
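For readers who have to build the systems behind these rules, here is an added illustration (our own example, not part of the legal text above): a small consent ledger that refuses to create a record unless consent was given by a clear affirmative act (silence, inaction and pre-ticked boxes are rejected), keeps every record in a hash-chained log so the controller can later demonstrate what was consented to, when, how and under which wording, and re-checks consents collected before the GDPR applies, discarding the tacit ones. The field names, method labels, chaining scheme and sample records are assumptions made for this example, not anything the Regulation prescribes.

```python
"""Consent ledger sketch (added example; field names, method labels and the
hash-chaining scheme are this example's own assumptions)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


class InvalidConsent(ValueError):
    """Raised when what was captured is not consent in the GDPR sense."""


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # what the data will be used for, e.g. "marketing"
    text_version: str     # version of the consent wording the subject saw
    method: str           # how it was given, e.g. "checkbox_ticked", "oral"
    default_state: bool   # what the control showed before the subject acted
    affirmative: bool     # True only if the subject actively opted in
    timestamp: str        # ISO 8601, UTC
    prev_digest: str      # digest of the previous record (chain link)
    digest: str = ""      # SHA-256 over all other fields


def check_affirmative(affirmative: bool, default_state: bool) -> None:
    """Reject pre-ticked boxes and silence/inaction (Recital 32)."""
    if default_state:
        raise InvalidConsent("control was pre-ticked / on by default")
    if not affirmative:
        raise InvalidConsent("silence or inaction is not consent")


def _digest(record: dict) -> str:
    # Hash every field except the digest itself, in a canonical encoding.
    body = {k: v for k, v in record.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    GENESIS = "0" * 64  # prev_digest of the first record

    def __init__(self) -> None:
        self.events: list[ConsentEvent] = []

    def record(self, subject_id, purpose, text_version, method,
               affirmative, default_state, when=None) -> ConsentEvent:
        check_affirmative(affirmative, default_state)
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.events[-1].digest if self.events else self.GENESIS
        draft = ConsentEvent(subject_id, purpose, text_version, method,
                             default_state, affirmative, ts, prev)
        event = ConsentEvent(**{**asdict(draft), "digest": _digest(asdict(draft))})
        self.events.append(event)
        return event

    def verify(self) -> bool:
        """True if no record was altered or removed since it was written."""
        prev = self.GENESIS
        for ev in self.events:
            if ev.prev_digest != prev or _digest(asdict(ev)) != ev.digest:
                return False
            prev = ev.digest
        return True

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        return any(ev.subject_id == subject_id and ev.purpose == purpose
                   for ev in self.events)


def migrate_legacy(ledger: ConsentLedger, legacy: list[dict]) -> list[dict]:
    """Re-check consents collected before the GDPR applies; return the rejects.

    Each legacy entry is a dict with the keyword arguments of record()
    (constructed input for this example)."""
    rejected = []
    for entry in legacy:
        try:
            ledger.record(**entry)
        except InvalidConsent:
            rejected.append(entry)
    return rejected


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record("s-001", "marketing", "v2", "checkbox_ticked", True, False)
    print("records:", len(ledger.events), "verifiable:", ledger.verify())
```

The chaining gives tamper evidence, not proof of authenticity: anyone with write access to the store can rebuild the chain. For an inspection-grade record, anchor the latest digest somewhere the application cannot rewrite (a periodic signed export, an append-only log) and keep the consent wording itself under version control so `text_version` can be resolved to the exact text the subject saw.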