GDPR and the consent to personal data processing

28 February 2018 

One of the fundamental rules set in the General Data Protection Regulation (GDPR) says that data subjects must consent to the processing of their personal data. The GDPR, which is to enter into force on 25 May 2018, regulates the procedure for granting consent to personal data processing and the possibility to withdraw such consent.

The consent to the processing of personal data is one of several equivalent and independent prereq-uisites set in Article 6 GDPR for the lawful data processing, which means that the consent need not be obtained if any of the other prerequisites specified in the said article is fulfilled. An example is the situation where data must be processed to perform a contract with a data subject. In such a case data are processed according to law and no consent is required. The data controller must indicate the basis for data processing, but should not double the bases. For example, it is incorrect to request data processing consent for the purpose of signing a contract for services, because processing of personal data is inherent in the contract performance (there is no need for separate consent).

Free choice of the form of consent?

Consent may be granted in any form, but should be an informed, freely-given and unambiguous indication that the data subject agrees to the processing of his or her personal data in a specific case.

Consent may be granted by:

• ticking a box when visiting an internet website (boxed ticked by default should not be treated as consent);
• choosing technical settings for information society services;
• any other statement or conduct which clearly indicates in the context the data subject's ac-ceptance of the proposed processing of his or her personal data.

The Polish Personal Data Protection Act (PDPA) currently prohibits the implied consent, but im-plied consent will be permitted under the GDPR as long as it is possible to clearly identify the inten-tion of the data subject.

How to correctly word communications about data processing?

Consent should be freely given and informed, which means that the data subject should know at least the identity of the data controller and the purpose for which his or her personal data will be processed. According to the preamble of the GDPR, natural persons should be clearly aware of the fact and scope of processing their personal data. All information and communications about data processing should be in intelligible and easily accessible form, formulated using clear and plain language.

Consent may not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. For instance, the consent will not be freely given if the performance of a contract (including the supply of services) is conditional on the consent to the processing of personal data that is not necessary for the performance of that contract. It may be difficult in practice to decide if the consent has been given freely, especially when the data subject and the controller are not equal partners. In such situations, the data processing should be based on something other than consent because the unequal footing of the parties may undermine the freedom of choice.

When can the consent be withdrawn?

The consent should be as easy to withdraw as to give it. The GDPR explicitly provides that the given consent may be withdrawn at any time, of which the data subject must be informed yet before granting his consent.
It should be noted that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. But in such a case the data controller should stop processing and erase the personal data that are no longer necessary for the purposes for which they were col-lected or processed.

The comparison of currently applicable law and the provisions that will enter into force on 25 May 2018 allows a conclusion that the consents already obtained will for the most part remain effective. According to recital 171 of the GDPR preamble, where processing is based on consent pursuant to (the still effective) Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of the regulation. This enables the data controller to continue data processing after the effective date of the regulation. Still, the existing consents should meet the GDPR standards as regards, among other things, the ease of their withdrawal, and should mention the right to withdrawal at any time.

GDPR vs. PDPA

The GDPR relaxes certain provisions of the currently applicable act, for example, those governing the aforementioned permissibility of implied consent. Such implied consents were explicitly ruled out under the PDPA, whereas the GDPR allows consents by actions which clearly manifest the consent to data processing.
In contrast to the Polish legislation, the GDPR says that written consent is not necessary for the processing of special categories of personal data (e.g. concerning health). Due to the highly sensitive nature of such data, their processing is generally prohibited. The prohibition may be lifted, but only on certain conditions, including the data subject's explicit consent; at the same time, the laws of the member states may strictly prohibit such processing, in which case the processing of such data will not be allowed even upon the data subject's consent.