This series of articles aims to provide you with a practical overview of the most relevant changes resulting from the General Data Protection Regulation (GDPR) and the new Swiss Data Protection Act (DPA). This week’s article discusses requirements relating to the consent of a data subject.

What is consent?

The consent of a data subject is one of the legal grounds required for the lawful processing of personal data under the GDPR and the DPA.

Although consent is not always the most desirable legal ground (as, for example, it can be withdrawn at any time), it is sometimes the only legal ground that can be used for a processing activity.

Consent requirements under the GDPR

Under the GDPR, consent has to be freely given (i.e. not coerced), specific (i.e. for one or more specified purposes), informed (i.e. regarding scope and consequences) and unambiguous. Consent has to be active and may not rely on silence, inactivity or pre-ticked boxes: it requires either a statement or clear affirmative action from the data subject.

A request for consent must be:

  • Presented in an intelligible and easily accessible form.
  • In clear, plain language.
  • Clearly distinguished from other content (e.g. the consent wording may not be bundled with other content or ‘hidden’ in general terms and conditions/a privacy policy).

In addition, before giving consent, a data subject must be informed that they may withdraw their consent at any time, and that withdrawing consent must be as easy as giving it.

The burden of proof that valid consent has been given by a data subject lies with the controller. Consequently, it is essential that controllers document all consents obtained from data subjects.

Consent may not be relied upon where there is a clear imbalance between the data subject and the controller – which may be the case if the controller is a public authority or an employer asking consent from employees.

In addition, consent is not usually considered legally valid if the fulfilment of a contract is made dependent on that consent when, in fact, the consent is not necessary for such fulfilment.

Finally, the GDPR requires parental consent for the processing of personal data for children up to the age of 16. Member states may opt for a lower age, with 13 being the minimum. If a child’s consent is involved, reasonable efforts must be made by the controller to check that such consent has been given or authorised by a parent.

Consent requirements under the DPA

As under the GDPR, the DPA states that consent is only valid if it has been given freely and unambiguously, for one or several specific processing activities, and after adequate information has been provided.

However, unlike the GDPR, the DPA requires consent to be explicit only with respect to the processing of sensitive data, cross-border data transfers and profiling.

The DPA does not include any specific requirements regarding how consent must be requested or the necessity to state that consent may be withdrawn at any time. It also does not cover burden of proof or parental consent.

Comply with the highest consent standards

The safest approach is to comply with the highest standards of both the GDPR and the DPA.

Organisations should:

  • Ensure that consent is explicitly given by the data subject, by way of a clear affirmative action (e.g. ticking a box), especially when dealing with sensitive data, cross-border data transfers, and profiling.
  • Ensure that consent forms:
    • Are presented in an intelligible and easily accessible form.
    • Use clear, plain language.
    • Clearly distinguish the request for consent from other content.
    • Refer to the data subject’s right to withdraw their consent.
    • Contain a link to the organisation’s privacy policy or statement.
  • Document all consents (as well as any withdrawals of consent).
  • Comply with parental consent requirements if they are processing data for children.
  • Check whether their privacy policy is suitable or needs to be updated.