Yes, I do. Anyone who wants to have sex with someone in Sweden needs explicit permission since July 2017. Proceeding without an explicit "yes, I do" can quickly lead to legal trouble. Not very sexy... but what about the processing of personal data? Is prior permission always required there?
No. Contrary to popular belief, the processing of personal data does not always require consent. Consent is only one of six bases for legitimate processing. (For more information about principles, see the blog post on covenants.) A processing operation may therefore be carried out on the basis of consent, but it may also be based on another ground.
Consent is a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she agrees to the processing of his or her personal data. That indication must be given by means of a statement or a clear affirmative action.
Freely given means that the data subject must also have the option to refuse consent, without suffering any negative consequences. Where a public authority requests the consent of a citizen, or an employer requests the consent of an employee, there is a relationship of dependency, and the citizen or employee is not always free to choose. In such situations, the processing therefore cannot be based on consent. The same applies when the performance of a contract is made conditional on consent to another processing operation that is not necessary for the performance of that contract. For example: your energy supplier asks permission to use your personal data for marketing research, and if you refuse, the price of your electricity goes up. In that case, your choice as to whether or not to give consent is not free.
Consent must not only be given freely; it must also be absolutely clear to the person concerned what he or she is agreeing to. This means that the controller must properly explain the purpose for which the personal data will be processed. It is a misunderstanding that, once consent has been obtained, you may do anything with the personal data. Consent is obtained for one specific purpose! If you want to use the personal data for something new (a new purpose), you need a new basis for that processing.
Finally, the consent must be unambiguous. This means that it is 100% clear that the data subject has given his or her consent, which can be demonstrated by an active action of the person concerned. A pre-ticked box is not unambiguous consent: the person concerned may simply have overlooked the box, so you will never know with certainty whether he or she really wanted to consent. The processing of special categories of personal data is subject to an even higher threshold: the data subject's explicit consent is required. This requires an action specifically aimed at giving consent, for example signing the text: "I hereby consent to the processing of my genetic data". Children under the age of 16 cannot give permission to process their data for internet services; the consent of their parents is required for this.
For processing operations carried out on the basis of consent, the controller must record that consent (so that he or she can, if necessary, demonstrate it to the Data Protection Authority). This can be done, for example, by keeping a signed form. But more and more often consent is given by ticking a box. In that case, it is sufficient to be able to demonstrate that the website worked in such a way that data could only be processed after consent had been given.
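To make the record-keeping described above concrete, here is an added Python example (not code from the original post) of a minimal consent ledger: a pre-ticked box is never recorded as consent, a recorded consent only covers the purpose it was given for, special categories require an explicit (signed) consent, and under-16s need parental consent for internet services. The method labels, field names and sample data are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Special categories of personal data (e.g. genetic data) need *explicit* consent.
SPECIAL_CATEGORIES = {"genetic", "health"}

# Constructed labels for how consent was collected.
ACTIVE_METHODS = {"unticked_box", "signed_statement"}   # count as an active action
EXPLICIT_METHODS = {"signed_statement"}                  # action specifically aimed at consenting
# Note: "pre_ticked_box" is deliberately in neither set.


@dataclass
class Consent:
    purpose: str   # consent is valid for one specific purpose only
    method: str    # one of the constructed labels above
    wording: str   # the text the data subject agreed to, kept as evidence
    given_at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


@dataclass
class DataSubject:
    age: int
    parental_consent: bool = False
    consents: list = field(default_factory=list)


def record_consent(subject: DataSubject, consent: Consent) -> bool:
    """Store the consent only if it resulted from an active action; a pre-ticked box is rejected."""
    if consent.method not in ACTIVE_METHODS:
        return False
    subject.consents.append(consent)
    return True


def may_process(subject: DataSubject, purpose: str,
                category: str = "ordinary", internet_service: bool = False) -> bool:
    """Allow processing only if a recorded consent covers exactly this purpose and category."""
    # Under-16s cannot consent to processing for internet services themselves.
    if internet_service and subject.age < 16 and not subject.parental_consent:
        return False
    for c in subject.consents:
        if c.purpose != purpose:
            continue  # consent for another purpose does not carry over to a new purpose
        if category in SPECIAL_CATEGORIES and c.method not in EXPLICIT_METHODS:
            continue  # special categories require explicit consent
        return True
    return False
```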
Do you have any questions about consent in your organisation? Please do not hesitate to contact us.