GDPR: how to process data under the consent legal basis

The General Data Protection Regulation (GDPR) is a privacy law that protects the personal data of residents of the European Union. GDPR achieves this goal by providing privacy rights to individuals, requiring certain websites to have a compliant Privacy Policy, and imposing heavy fines for failure to comply. 

Perhaps one of the more interesting restrictions that GDPR places on websites is that the law, by default, prohibits the collection, use, and disclosure of personal data. The only way to lawfully process personal data under GDPR, if this law applies to you, is via an exception, otherwise known as the legal bases for processing data. In this article, we will discuss how to process data under the consent legal basis, as it is the most commonly used exception by business websites. 

How does GDPR define consent?

GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the individual’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.” As you can see, this definition has quite a few elements and each element must be properly met for consent to be a valid legal basis under GDPR. Below is a description of each of these elements and how websites and business owners who collect personal data can meet them. 

Freely given

For consent to be valid, the individual must have a real choice as to whether or not to allow the processing of their personal data. The following are a few examples of circumstances where individuals are not provided with a free choice: 

  • Individual feels compelled to consent; 
  • Individual will endure negative consequences if they do not consent; 
  • Consent is bundled up as a non-negotiable part of Terms of Service; 
  • Individuals are unable to withdraw consent without detriment. 

 GDPR also prohibits the bundling of consent with Terms of Service, a contract or the provision of a particular service, where consent is not necessary to perform that contract or service. For example, you cannot force an individual to consent to the use of their email for promotional emails by making it a requirement for purchasing a new computer. While GDPR does provide for the performance of a contract as a legal basis for processing data, consent and contracts cannot be bundled together – you must pick one or the other as your legal basis. 

To be freely given, consent has to be granula, meaning that you should obtain consent for each purpose that you will use the personal data for. You should make a list of the purposes that you will be using data for, separate those purposes and obtain consent for each purpose. 

Specific

Since the individual agrees to each purpose that their data will be processed for, such purposes must be specific for consent to be a valid legal basis under GDPR. You should specifically define each purpose for which you will use data. Consent must be specific so that there is no “scope creep”, or gradual widening of how data is used after the initial consent is obtained. If you determine that you need to use the data for a new purpose, you must obtain consent for the new purpose prior to using the data in a new way. 

Informed

For consent to be valid, the individual must know what he or she is consenting to. This means that you must have a Privacy Policy that is available for individuals to read prior to collecting their data. While GDPR has extensive requirements as to what a Privacy Policy must include, it does need to make the following minimum disclosures for consent to be informed: 

  • Your identity; 
  • The purpose of each of the processing operations for which consent is being sought; 
  • What data will be collected and used; 
  • The fact that the individual can withdraw consent at any time; 
  • Information about the use of data for automated decision-making; and 
  • Information on the possible risks of data transfers to countries without an adequacy decision and of appropriate safeguards. 

It is important to note that your Privacy Policy should include the disclosures above, be clear and easily understandable and be clearly available to everyone visiting your website. 

Unambiguous indication of wishes

GDPR states that the consent legal basis must be based on an unambiguous indication of the wishes of the individual for his or her personal data being processed. This indication must take place via the means of a statement or by clear affirmative action. This means that you must be able to show that the individual actually agreed and silence, pre-ticked boxes, and inactivity are insufficient to show consent. While checking a box is a valid way to gain consent, under no circumstances should you pre-tick a box as there is no way to show that the individual actually agreed when using this practice. 

While obtaining proper consent can seem complicated, you should pay attention to ensuring that individuals have all of the information needed and that you can show that they actually agreed to you collecting and using their personal data. Your Privacy Policy must also disclose the fact that you are processing data under the legal basis of consent or you could face major fines. Use Termageddon’s Privacy Policy generator to help create your GDPR ready Privacy Policy. 

Categories GDPR