The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients.
Question: Are companies always required to get opt-in consent from people before using their data?
Answer: No. It is a common misconception that the GDPR always requires that a company obtain the express consent, or “opt-in,” of a person before collecting or using their data. To the contrary, the GDPR anticipates that a company may process personal data so long as any one of six situations applies:[1]
- Consent. While companies are not always required to get a data subject’s opt-in consent, if a company obtains a data subject’s consent, that consent generally is sufficient to allow the company to process the person’s data. The notable caveat is consent given in the employment context. The Article 29 Working Party, the body charged with interpreting the GDPR, has echoed concerns raised by many of the data protection authorities in the member states that the imbalance in negotiating leverage between an employer and an employee may render an employee’s “consent” ineffective, because it cannot be freely given. As a result, most employers do not base their processing on the consent of their employees and instead rely on one of the other bases below.
- Necessary to perform a contract. If a company collects personal information about a person as part of performing a contract with that person, the company does not have to separately ask for consent. For example, if an individual visits an ecommerce site and orders merchandise to be shipped to their house, the website is not required to ask the consumer for their consent to collect shipping information, transfer that information to a shipping company, or use that information to process an order.
- Necessary to comply with a legal obligation. If a company processes information about a person in order to comply with a legal obligation that is imposed upon the company, it need not ask the person for their consent to process the information. So, for example, if a bank is required to report suspicious financial transactions to government agencies charged with identifying money laundering, the bank does not have to ask its customers for their consent to collect, process, or transmit that information.
- Necessary to protect the vital interests of a natural person. If a company processes information in order to protect the “vital interests” of a person, it need not ask the person for their consent. So, for example, if a company collects the name of someone who has suffered an accident on its premises (e.g., the person has become unconscious due to an injury, and the company finds their name in a wallet), it is not required to obtain the person’s consent.
- Necessary for the performance of a task carried out in the public interest. If the purpose of processing information is to perform a task that is in the “public interest” (or in the exercise of official authority vested in the controller), a company need not ask a person for their consent.
- Necessary for a legitimate interest pursued by the controller. If the purpose of processing is to further a legitimate interest of a data controller (or of a third party), such as conducting direct marketing, the controller is required to ensure that its interests are not “overridden by the interests or fundamental rights and freedoms of the data subject.” In practice this means the controller should document a balancing test weighing its interest against the impact on the individual before relying on this basis. Assuming the controller’s interest prevails, a company need not ask the person for their consent.