GDPR: Conditions for Consent (7-8)

Does anyone actually know what consent looks like?

These two articles outline what “consent” is and what counts as a valid instance of it under the Regulation. The verb definition of consent, as defined by Merriam-Webster, is to give assent or approval, or to agree. The noun definition of consent is agreement as to action or opinion; compliance in or approval of what is done or proposed by another. So we can clearly see that consent is the approval of an action, as well as the action of giving that approval. Articles 7 and 8 outline the requirements for consent to be given in regard to data processing.

Article 7: Conditions for Consent

  1. The controller shall be able to demonstrate that the data subject has consented to the data processing of their personal data.
  2. If a written declaration has been provided by the data subject, this declaration shall be written in a form that distinguishes it from other matters. Anything not conforming to the Regulation shall not be binding.
  3. The data subject has the right to withdraw their consent at any time, and this withdrawal shall not affect the lawfulness of the processing. The withdrawal shall be as easy as giving consent.
  4. When assessing whether consent is freely given, the controller shall take action to verify that the processing of data is conditional on consent from the data subject.

Article 8: Conditions for a Child’s Consent

  1. Where point (a) of Article 6 applies, the processing of data shall be lawful for all children of at least 16 years of age. If the child is less than 16 years old, the processing is allowed if the parental authority has given consent and the processing is within the lawfulness of Article 6. Additionally, Member States may outline laws that allow for the age to be reduced from 16, but not lower than 13.
  2. The controller shall make every reasonable effort to verify that consent was provided by the authorized parental authority of the child.
  3. The law of Member States shall not be affected by the controller’s reasonable responsibility to attain consent from the parental authority.

How does this apply to you and me?

Article 7 applies to everyone living in the Union. Your consent to processing is needed by every organization that wants to process personal data, as outlined in Article 4 (1). If an organization wants information that can uniquely identify you, they must get your consent. This consent would need to be given in a format that is distinguishable from other documents (such as an informal email) and include all relevant information that will affect your collected data (data controller, processing purpose, storage timeframe, etc.). Typically, this can be quickly given online via a form. It’s also very important to remember that since the controller needs to provide evidence of your consent, a verbal agreement would not be sufficient to satisfy Article 7.

HARVEY AND ROSS

Handshakes and verbal agreements might not meet the requirements

As we saw, Harvey consented to everything that he was informed of. He provided his signature and was informed of any changes and ongoing processes from the clinic. What he did not consent to was his information being sent to a third party, because this was not disclosed in the consent form.

Later articles will detail the repercussions Ross’s clinic would or could face for this violation, but as of right now, the issue is that the clinic did not disclose everything it was doing with the personal information Harvey willingly provided. He provided it because he was under the impression that he had been given all the information about what the clinic was doing with his data. Unfortunately, the part about sending it to a third party was not disclosed, and that is therefore a violation of GDPR’s requirement to inform the data subject of everything happening to their data. Fortunately for Harvey, GDPR also requires the opt-out opportunity to be as easy as the opt-in opportunity.

These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.

Once you understand how valuable your information is, then you can begin taking steps to keep it private.