The "Guide on the Application of the European Personal Data Protection Regulation" published by the Italian DPA states, in the "Recommendations" at the foot of the consent form, that:
"The consent obtained before May 25, 2018 remains valid if it has all of the above characteristics. Otherwise, it is appropriate to work before that date to re-collect the consent of the data subjects, in accordance with the Regulation, in order to continue to use this legal basis.
In particular, it must be verified that the request for consent is clearly distinguishable from other requests or declarations addressed to the data subjects (art. 7.2), for example within the set of forms. Pay close attention to the formula used to request consent: it must be comprehensible, simple, clear (art. 7.2). Public entities should not, as a rule, ask for consent for the processing of personal data (see recital 43, art. 9, other provisions of the Code: art. 18, 20)."
The Italian DPA therefore essentially states that consent obtained before the date on which the GDPR takes effect continues to constitute a valid legal basis for the processing, provided it was collected in such a way as to be "explicit" (where sensitive data are collected or decisions are based on automated processing), "free, specific, informed" and "manifested through an unambiguous declaration or action" (where ordinary data are concerned).
The Italian DPA, although it lists among the "characteristics identified above" that the consent must be "free, specific, informed", does not clarify whether this last requirement is satisfied by providing a privacy notice that complies with the Privacy Code's requirements, so that compliance with the GDPR's requirements would not be necessary. As is well known, the GDPR requires contents that are new and different (and, in substance, more numerous and more detailed) compared with those required by the current Italian legislation.
So, assuming that the "old" consent was collected in a way that guarantees its freedom, specificity and unambiguity and, where appropriate, its being "explicit", the following question arises when assessing its continuing validity from May 25, 2018: can consent properly collected under the Privacy Code also be considered valid under the GDPR regime, and therefore constitute the appropriate legal basis for the processing, without the need to collect a new one?
The point mentioned above is important, but I think the basic theme should be a different one, namely: with a view to continuing data processing already in progress on the date the GDPR enters into force, is the privacy notice already provided in compliance with the Privacy Code sufficient to give the data subject an awareness of the processing of his/her personal data that is adequate in relation to the GDPR's requirements?
If the answer is yes, "informed" consent under the Privacy Code would continue to be informed consent under the GDPR, and it would therefore not be necessary to collect it again.
Personally, given the significant difference between the "old" privacy notice and the one prescribed by the GDPR, it seems difficult to envisage the continuation, without any further step, of ongoing data processing on the basis of a presumed equivalence of the two privacy notices.
In fact, it should be considered that processing which begins under the GDPR would necessarily reflect the new rules.
Consequently, processing operations may coexist that have the same characteristics as to purpose, methods, type of data subjects and data processed, and that rest on the same legal basis (consent), but on different premises (the "old" and the "new" privacy notices).
This would involve an inequality that is hard to justify, both from the point of view of the data subjects who consented to the processing of their data before the GDPR (consent given under the GDPR presupposes knowledge of more, and more detailed, information, some of which art. 13, par. 2 of the GDPR describes as "necessary to ensure fair and transparent processing": e.g. the information on the logic and consequences of profiling, or on the duration of data retention), and from the point of view of the data controllers who start collecting data after the GDPR (who will have to provide a much more analytical and complex picture of the processing).
Probably, a balanced solution would require "old" data controllers, who intend to continue processing data relating to data subjects whose consent they (legitimately) obtained before the GDPR, to take some actions: provide a supplement of information containing the "new" contents required by the GDPR, aimed at ensuring full transparency (art. 5, par. 1, lett. a) GDPR), while at the same time offering data subjects the possibility to withdraw the consent originally given and, of course, specifying the possible consequences of such withdrawal.
The table below gives a schematic representation of the situations that may arise.
A similar logic should be followed when the current data processing that the Data Controller intends to continue under the GDPR regime is based on a legal basis other than consent: it is clear that making this legal basis explicit (mandatory under artt. 13, par. 1, lett. c) and 14, par. 1, lett. c) GDPR), especially when accompanied by the other new contents of the privacy notice, gives the data subject, who in those cases is not asked to make a choice by giving his/her consent, a deeper awareness of the processing of his/her personal data and, consequently, of his/her rights, including those codified in the GDPR, in accordance with the principle of transparency.
To conclude, I recall that under the GDPR approach the processing choices are left to the data controller's accountability: even in the absence of specific guidelines or, in any case, of specific support materials prepared by the DPAs or other bodies appointed for that purpose, data controllers are therefore required to act on the basis of their own assessments, in the light of the balance between their own rights and the protection of the personal data of natural persons, and in accordance with the principle of transparency.
In this context, the Data Controller assumes responsibility for the choices made and is in a position to demonstrate the path (decision-making, organizational, technical) it has designed and implemented.
This applies to decisions concerning the processing circumstances mentioned above, as well as, with reference to a related subject, to the assessment of the "impossibility" or "disproportionate effort" which, pursuant to art. 14, par. 5, lett. b), entitles the data controller not to provide any information to the data subject whose data have been collected from third parties.