In March 2016, the Duesseldorfer Kreis, an association of the German data protection authorities, issued guidance on obtaining consent from data subjects ("Guidance"). The Guidance provides helpful instructions and recommendations for drafting consent forms when obtaining consent in written or electronic form and is available here (in German). Businesses subject to German data protection law would be well advised to review and revise their consent forms in light of the Guidance.
In many cases the collection, processing and/or use of personal data is only lawful if the data subject has validly consented to the respective activities. In practice, data subjects are frequently asked to provide such consents by signing standard forms drafted by the data controller. The Guidance notes that these consent forms often do not comply with applicable legal requirements.
Content of the Guidance
According to the Guidance:
- A valid consent requires clear and unambiguous wording, so that data subjects understand that they are consenting to certain data processing activities. For example, the words "I acknowledge that…" do not suffice. Rather, wording such as "I consent to…" or "I agree that…" is required.
- The consent wording must inform data subjects in a transparent and easy-to-understand manner about the relevant data processing activities.
- Generally, opt-in is required; pre-ticked boxes or other opt-out mechanisms are not sufficient.
- The consent wording – if embedded in a broader contractual declaration – should generally be placed directly above the signature line. The signature will then relate to the main contractual declaration as well as to the consent. Only in certain cases (e.g., where health data is collected) might a valid consent require a separate signature.
- The consent wording must be clearly recognisable as such. It must not be mixed with general information on data processing without being separated out and prominently featured (e.g., by bold or different coloured text).
- The consent wording should inform the data subject that he/she is entitled to withdraw his/her consent.
Non-compliance with these requirements may result in consent being invalid.
The Guidance is very helpful for better understanding the German data protection authorities' interpretation of the requirements for obtaining valid consent, which are not always clear and straightforward. However, in some respects the Guidance appears to be slightly stricter than German case law on point (e.g., the Guidance requires opt-in, whereas two decisions of Germany's Federal Supreme Court (from 2008 and 2009) suggest that an opt-out consent may be sufficient). In an informal discussion with one of the German data protection authorities, however, the respective official stated that in exceptional cases (e.g., in the circumstances of the two decisions of the Federal Supreme Court) an opt-out solution may still be sufficient, and that the Guidance is not intended to contradict the decisions of the Federal Supreme Court.
To-dos for companies
Businesses subject to German data protection law would be well advised to review and revise their consent forms in light of the Guidance. While the requirements set out in the Guidance might in some instances be slightly stricter than the otherwise prevailing German case law, they largely reflect the requirements that will come in under the EU General Data Protection Regulation ("GDPR"). As businesses will need to comply with those incoming rules as of mid-2018, updating consent forms sooner rather than later, in line with the Guidance and with an eye on the incoming European rules, will be smart and efficient from a compliance point of view - also keeping in mind that under the GDPR, non-compliance with consent requirements will be subject to maximum fines.