This update aims to provide you with a practical overview of the most relevant changes resulting from the General Data Protection Regulation (GDPR), applicable as from 25 May 2018. This month’s issue discusses the requirements relating to consent and transparency.

Consent

As under the Directive, the consent of a data subject remains one of the legal grounds for the processing of personal data under the GDPR, to the extent that such consent is ‘freely given, specific, informed and unambiguous’. The GDPR provides for (additional) specific requirements relating to (i) the way in which consent must be requested, and (ii) how consent should be given by a data subject, in order to be a valid basis for the processing of personal data.

The GDPR requires that, where consent is requested by means of a written declaration by a data subject, the request for consent:

  • be presented in an intelligible and easily accessible form;
  • use clear and plain language; and
  • be clearly distinguished from other matters in such declaration.

Furthermore, prior to giving consent, a data subject must be informed of the fact that he/she may withdraw his/her given consent at any time (with the same ease as with which consent was given in the first place).

The burden of proof that consent is validly given by a data subject lies with the data controller. Consequently, it is very important to document the consents obtained from data subjects.

Whereas the Directive allows reliance on implicit consent of the data subject, the GDPR requires ‘a statement or clear affirmative action’ from the data subject for the consent to be valid.

Click here to view the image.

Parental consent required for the processing of children’s personal data 

The GDPR requires parental consent for the processing of personal data of children up to 16 years old. Member States may opt for a lower age. However, this age cannot be lower than 13 years. Reasonable measures must be taken in order to be able to verify and document that – where required – consent is given or authorized by the parent of a child.

Transparency: the obligation to inform the data subject

Transparency remains a key principle under the GDPR. It requires that a data subject be sufficiently informed to ensure a fair and transparent data processing. The information must be provided to the data subject in a ‘concise, transparent, intelligible and easily accessible form’.

Whereas the Directive provides for a general obligation of transparency, the GDPR is more explicit and provides for an extensive list of topics on which data subjects must be informed, including (amongst others):

  • contact details of the controller and its data protection officer;
  • the purposes of and the legal basis for the processing;
  • the recipients of the data;
  • the transfer of the data to a third country and the legal basis and safeguards for such transfer;
  • the applicable retention period;
  • the data subjects’ rights;
  • the existence of automated decision-making;
  • whether the data subject is obliged to provide (certain of) the requested personal data and the possible consequences of failure to provide said data.

In our experience, these are topics that are currently generally (already) included in a privacy policy or statement.

What do these changes mean for your organisation and how can you prepare for them?

  • Ensure that your consent forms:

    • are presented in an intelligible and easily accessible form;
    • use clear and plain language;
    • clearly distinguish the request for consent from other matters;
    • refer to the data subject’s right to withdraw his/her consent;
    • contains a link to your privacy policy or statement, which includes all required information.
  • Document all consents (as well as any withdrawal of consent);
  • Ensure that consent is given by a clear affirmative action of the data subject;
  • If a child’s consent is involved, ensure that ‘reasonable efforts’ are made in order to verify that such consent is given or authorised by a parent;
  • Verify whether your privacy policy or statement needs to be updated.