Consent under data protection law has historically been seen as a 'go-to' lawful basis by controllers seeking to legitimise their processing of personal data, whether as the only lawful basis relied on, or as a back-up in case other grounds fail.
The concept of consent is retained under the GDPR, however, its scope has changed. In particular, enhanced preconditions for demonstrating a valid consent for processing, combined with certain rights being engaged by a reliance on consent, means data controllers need to carefully consider whether consent is really the most appropriate lawful basis. This is all the more important because under the GDPR, businesses have to identify a single lawful ground for each processing operation. The possibility of using consent as a catch-all ceases to exist.
Before we look at some examples demonstrating this point, it's worth revisiting the definition of consent in the GDPR which is:
"Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".
Bearing that definition in mind, the following scenarios explore the use of consent as a lawful ground for processing and how this may not be as straightforward as it first appears.
Scenario 1 – a business and its employees
Widget Retail is an international business with a workforce of 500 employees. It collects and processes the personal data of its employees for a range of different purposes including administering the employment relationship, paying salaries, deducting tax contributions, training, development, monitoring and dealing with disciplinary matters.
Widget Retail has historically collected a broad consent to the collection and use of employee data. As part of its GDPR compliance project, Widget Retail is considering its contracts and its reliance on consent as a lawful basis for these processing operations.
It's clear just from reading the first three words of the definition of GDPR consent, that Widget Retail is going to have a problem if it continues to rely on consent as a lawful basis for employee data processing. In particular:
- Consent needs to be freely given, meaning that there must be real choice and control on the part of an individual in relation to the processing of their data. This includes being able to withdraw a given consent without detriment at any time in relation to specific processing.
- The GDPR recognises that certain relationships do not lend themselves to free choice and control. Recital 43 explains consent cannot be freely given and will not provide a valid legal ground for processing where there is a clear power imbalance between the data subject and the controller. The Article 29 Working Party (WP29) draft guidance on consent highlights an employer/employee relationship as a situation where an imbalance is likely, saying "the WP29 deems it problematic for employers to process personal data of current or future employees on the basis of consent as it is unlikely to be freely given. For the majority of such data processing at work, the lawful basis cannot and should not be the consent of the employees".
In practice, employees may feel under pressure to consent to Widget Retail's processing notices in the employment contract, particularly if they don't want to look like troublemakers, so any consent will not be freely given.
Widget Retail may, however, be able to rely on employee consent in certain, limited situations, for example, the processing of employee data in the context of a voluntary scheme or benefit arrangement where the employees are entirely free to choose whether or not to participate.
Other points to consider include:
- Widget Retail has sought to bundle a broad range of uses of employee data under the employment contract. While it may be appropriate under a contract to provide for processing of salary information and bank account details to pay employees, the wider range of employee processing operations may not all be directly necessary for the purpose of fulfilling the employment contract.
- Widget Retail had also conflated many different purposes for processing each employee's data under a single consent. Notwithstanding that consent is in any event not relevant to this proposed processing, in those cases where a consent is genuinely appropriate, it must be specific, meaning a data subject's consent, where given, should be for an individual purpose and not bundled.
Widget Retail needs to:
- Look at each of the purposes for which it processes employee personal data and establish and document the lawful grounds under the GDPR relevant to each. For example, this will likely cover the grounds of contract performance for employee salary payments, legitimate interest for processing connected with monitoring performance and discipline or in the case of processing driven by employment law requirements, the basis that it is necessary for compliance with a legal obligation to which Widget Retail is subject.
- Replace the existing contractual notice on employee processing In place of the existing contractual notice, Widget Retail needs to provide extended employee notices alongside or as part of its employment contract. This should cover full information to employees about each purpose for which personal data is processed, and the legal basis relied upon for each. This is also required under the wider and separate obligation on Widget Retail to be transparent and communicate information about its processing operations to its employees.
- Review and, where necessary, refresh existing consents In any exceptional cases where consent may still be relevant, Widget Retail should review and update consent notices to ensure that each of the required elements of consent are present (i.e. that it is freely given, specific, informed and an unambiguous indication of the subjects wishes). It must also ensure that employees are given information about their rights, including the right to withdraw consent and how to do that. It should also consider whether any existing collected consents need to be refreshed.
Scenario 2 – a business and its customers
Widget Retail also has terms with its customers where it explains that personal data will be processed for the purpose of conducting credit checks and for credit reporting purposes, to manage the customer's account and to send customers their offers and those offers of another company in the Widget Retail group by email.
Again, Widget Retail will fail with this approach to collect a valid consent under the GDPR for these different processing purposes:
- As before, lawful grounds for processing must be specific to particular processing operations; 'omnibus' consents will lack the necessary granularity.
- Consent will not be relevant across the range of different purposes where alternative (and frankly more straightforward) grounds may be available. Consent should only be relied upon where appropriate. If the processing would still need to happen without the customer's consent, then asking for consent could create false expectations on the part of customers and may also be misleading.
- Consent is not freely given where the performance of the Widget Retail terms are conditional on consenting to the use of data for marketing purposes which are not necessary to carry out those terms.
- Widget Retail's marketing covers different purposes, its own marketing and marketing by the other Widget Retail group company. Separate consents should be sought as required for each purpose for processing.
- Where consent is required for Widget Retail's marketing that consent must be informed. This extends to include the broader information Widget is required to provide to its customers to ensure its processing operations are accessible, transparent and communicated in clear and plain language.
Following the review, Widget Retail should now:
- Identify all the different purposes for which it processes personal data of customers and establish and document the correct lawful ground relevant to each purpose. For example, legitimate interests in the context of credit checks and reporting, performance of the contract in relation to customer service delivery or invoicing and consent in relation to marketing.
- Take the marketing consent out of the customer terms and seek consent for marketing at the point the customer submits their online application for a Widget Retail account.
- Split consents Consents covering Widget Retail's own and the other group company's email marketing should be split into separate opt-in check boxes so that customers can unambiguously indicate whether they wish to receive such marketing in either case.
- Give information about the right to withdraw consent Provide clear information for customers on their right to withdraw their consent, as well as information about the mechanism available to do this easily, alongside marketing consents.
- Revisit existing consents Establish whether fresh customer consent must be collected from existing customers and put processes in place to do this lawfully. If that cannot be achieved, then a different lawful basis must be used to legitimise the processing for the relevant purpose. If that is not possible, the data may no longer be used for that purpose and may need to be deleted.