Resource Page Lesson Day 4 - Consent Request

Expert Comment

Examples

Resources

GDPR References

Art. 6 GDPR - Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

   1. • (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

      • (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

      • (c) processing is necessary for compliance with a legal obligation to which the controller is subject;

      • (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

      • (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

      • (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

2. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

3. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.

4. 1The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:

   1. • Union law; or

      • Member State law to which the controller is subject.

5. 2The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 3That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. 4The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

6. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

   1. • (a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

      • (b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

      • (c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;

      • (d) the possible consequences of the intended further processing for data subjects;

      • (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

Suitable Recitals

(39) Principles of data processing

(40) The lawfulness of data processing

(41) Legal basis or legislative measures

(42) The burden of proof and requirements for consent

(43) Freely given consent

(44) Performance of a contract

(45) Fulfilment of legal obligations

(46) Vital interests of the data subject

(47) Overriding legitimate interest

(48) The overriding legitimate interest within a group of undertakings

(49) Network and information security as overriding legitimate interest

(50) Further processing of personal data

(171) Repeal of Directive 95/46/EC and transitional provisions

Art. 7 GDPR - Conditions for consent

1. Where the processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.

2. 1If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. 2Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3. 1The data subject shall have the right to withdraw his or her consent at any time. 2The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. 3Prior to giving consent, the data subject shall be informed thereof. 4It shall be as easy to withdraw as to give consent.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Suitable Recitals

(32) Conditions for consent

(33) Consent to certain areas of scientific research

(42) The burden of proof and requirements for consent

(43) Freely given consent

Recital 42 - Burden of proof and requirements for consent*

1. Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.

2. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given.

3. In accordance with Council Directive 93/13/EEC¹ a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms.

4. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.

5. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

¹ Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29).

Recital 43 - Freely given consent*

1. In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.

2. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

* This title is an unofficial description.