1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
You can use consent as a legal premise to process personal data.
Consent in the context of the GDPR needs to follow specific requirements for it to be valid.
These requirements are mentioned in article 7 of the GDPR.
The following requirements should be true for consent to be valid:
You must be able to demonstrate that the data subject has given his consent. This could be done by documenting the consent process or by having it in writing or a recording.
The request for consent needs to be distinguishable from other matters. For example, when signing an employment contract, you cannot include a request for consent to use their profile picture in marketing material. These are different matters(contract and consent) which should be distinguishable.
You must provide information concerning the consent in a clear and accessible manner to the data subject before the consent is given, so they can easily inform themselves about the processing of their data.
Consent should be given freely and always withdrawn without negative consequences for the data subject.
If these requirements are not followed, then the consent is invalid according to the GDPR.
The controller must consider whether consent is the most appropriate legal premise or whether other methods are more suitable.
Consent can be withdrawn and therefore consent is not the best option to use as the legal premise for processing personal data.
Article 6 states the methods for establishing a legal premise for processing personal data. So, please study article 6 to learn more about the legal premises.
You can demonstrate consent by:
You should also document your consent process so that you can demonstrate that you have applied the rules of article 7.
You should either make a specific privacy statement for the consent or include it within a general privacy policy.
Look at www.rgpd.com’s free template for a privacy policy to use within your company.
The data subject can always withdraw consent to processing personal data, and then further processing their data should stop.
This does not affect the legality of the processing before the withdrawal.
The data subject should be able to withdraw consent similarly to how it was given in the first place.
Ensure that your entire company is equipped with the necessary awareness training on the basics of GDPR and IT security.
