In order to process personal data for your business you need to have a legal basis to do so and obtaining a person’s consent is one legal basis. If in your business you rely on consent to process data then you should now take the opportunity to review how you obtain that consent and how the consent is recorded to ensure that it complies with the standards required by the GDPR. Below we have set out what is required to ensure that you have an effective “consent” provision in your business terms.
Article 4(11) GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
“freely given” – a data subject cannot be forced to consent and they must be aware that they are consenting. The conditions of a contract (including the provision of a service) should not be conditional on consenting to the processing of personal data, if that is not necessary for the performance of that contract.
“specific” – consent must be specific to each form of processing that will be carried out.
“informed” – the data subject should be aware of the identity of the controller and the intended purposes of the processing. They must be informed of their right to withdraw consent at any time prior to giving consent.
“unambiguous” – the way the consent is collected should leave no room for doubt about the data subject’s intentions in providing their agreement to their personal data being processed.
“statement or clear affirmative action” – requires affirmative action by a data subject and cannot be implied by the data subject by way of silence, pre-ticked boxes or inaction. It is possible to obtain oral consent, however, this will need to be documented so that the business can demonstrate that consent was obtained.
As set out above, consent is only one of the legal bases to process data and you may wish to consider if in your business it is more appropriate to rely on one of the other bases, such as the performance of a contract, a legal obligation or legitimate interests.