The European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018, governs how companies and organizations must protect EU citizens’ personal data, including the use of consent. The European Data Protection Board (EDPB), the EU decision making body charged with ensuring a consistent application of the GDPR, has released The Article 29 Working Party Guidelines on Consent, which contains guidance on the GDPR consent requirements.
Under the GDPR, consent is one of the lawful bases to access and process personal data. The GDPR defines consent in Article 4(11) as “any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” The Article 29 Working Party Guidelines on Consent explains the elements of consent and provides guidance to data controllers as to how to fulfill the new requirements for consent established by the GDPR. Additionally, the Guidelines provide direction for obtaining explicit consent in situations in which serious data protection risks may occur, as well as specific information for consent matters involving children.
TIP: As the GDPR is now in effect, companies should monitor and review any guidance issued by the EU relating to the application and enforcement of GDPR provisions.