The question of how to validly obtain consent under the GDPR generates a lot of discussion, even though the problem is quite often simple to address. In this practical guide, we will look at how to obtain legally valid consent under the GDPR and how to comply with all the conditions imposed by the regulation.
It is important to ensure that this process is properly followed, because in case of non-compliance, national supervisory authorities can order the deletion of all data that has not been validly collected. This has already happened in two major cases, in which the CNIL ordered the deletion of 14 million, then 60 million prospect records. This can have drastic consequences on a business's marketing and sales.
Given the damage this can cause to a company, ensuring the validity of this process is a mandatory compliance point in terms of GDPR.
Note that if you are using Legiscope you can perform an automated audit of your web forms, which allows you to know in a few clicks whether you are compliant or not, all thanks to AI!
The first mistake to avoid, and the first element to understand, is that consent should only be requested in certain cases. We will look at some examples before turning to the legal text.
Traditionally, consent is requested for marketing processes such as:
However, consent should never be requested in the following cases:
From a legal point of view, the requirement for consent derives from Article 6 of the GDPR, which requires the data controller (generally, the person collecting the data) to have a legal basis for the processing.
In summary, to legally collect data relating to individuals (email, name, first name), we must ensure that we are in at least one of the following six cases:

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
In practice, we can determine the need to request consent by eliminating the other legal bases, as follows:
However, be careful to ensure that the personal data is really necessary for the legal basis relied on. The case of an e-commerce site is a good example: here the data controller needs to collect data for invoicing (legal basis = legal obligation), for payment management (legal basis = contract), and for the order and its shipment, such as the person's address and email (legal basis = contract). The controller can also ask the data subject for their email in order to send them promotions (legal basis = consent).
Assuming that we are in a situation where we need to obtain the consent of the person, there are then two essential conditions to comply with.
The legal definition of consent is given to us by Article 4 of the GDPR:
“consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Behind this definition, there are two essential conditions imposed by the GDPR: there must be a positive act by the person (A), and the person must be clearly informed of what will be done with their data (B).
For consent to be validly collected, there must first be a positive act by the person. This touches on an old legal question: can silence mean consent? Under the GDPR the answer is, fortunately, no. Otherwise the GDPR would be open to significant abuse. For consent to be validly collected, the person must therefore perform a positive act themselves, such as entering their personal data in a collection form.
However, the GDPR does not necessarily require a checkbox. A checkbox can be the manifestation of a positive act, but it is not the only one. A person who types their own email address into a form performs a positive act that is sufficient to satisfy this condition of the GDPR.
What is important is that the action comes from the person themselves. For example:
The GDPR has added more legal conditions, but we can summarize things as follows: the person whose data is processed must be clearly informed of what will be done with their data.
This is essential: otherwise, how could they consent to anything? How can someone consent to their data being processed for a newsletter, for example, if they are not clearly informed of it?
From a legal point of view, the GDPR imposes several additional conditions, in order to ensure that the consent given is indeed informed:
The G29 (Article 29 Working Party) has written very detailed guidelines on consent, which can be consulted.
The main risk for organizations that collect personal data is failing to collect it validly, and then finding themselves in a situation where the CNIL, for example, orders the deletion of all the data.
Avoiding this catastrophic scenario is relatively simple, however, provided that precise consent acquisition processes are put in place. The GDPR requires the implementation of a variety of processes, and it is advisable to use software to manage them:
Whether for consent acquisition or registry management, tools to automate these processes are essential to save time for organizations.