Obtaining and managing the consent of data subjects
Pursuant to Article 6 of European Regulation 2016/679 (GDPR), consent is one of the conditions of lawfulness on which personal data processing activities can be based.
In particular, the most stringent and precise basis for processing, and also the most favourable one from the controller's point of view, is the existence of at least one legal provision (recitals 39, 40 and 41; Article 6, paragraph 1) that requires, and therefore justifies, the processing activity. Controllers and processors must provide the details of the legal act and the numbered extract relied upon before or at the time of data collection.
Article 4 of the GDPR defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".
Requirements for consent in accordance with the GDPR
- In order to process the data, consent must be obtained in advance. If it lapses, it must be obtained again. The controller cannot set a minimum period of processing and impose it on data subjects, who may withdraw their consent at any time.
- The method used must ensure that the data subject is well informed about the processing (i.e. that all information is expressed in clear and unambiguous language). Consent must also relate to the precise type of processing described in the consent form (the specificity requirement is very strict) and be obtained before that processing begins. It also requires a positive action, so implicit or passive consent is not compliant.
- The mechanism also depends on the context. Since consent must be freely given, it will not be considered valid if the data subject does not have a free and genuine choice, or is unable to withdraw or refuse consent without detriment (which can occur in certain situations, such as in the workplace or in relationships between public authorities and citizens).
Article 7 of the Regulation and WP 259 clarify the procedures to be followed in order to obtain consent correctly and validly. The request for consent must be presented to the data subject:
- in an understandable and easily accessible form;
- using simple and clear language.
Where you need to acquire consent for the purpose of carrying out a processing operation, you must:
- present the relevant request clearly and separately from any other matters, and adopt methods of acquiring consent that guarantee its authenticity.
Specific contexts: data of minors
In order to better protect minors, who are considered more vulnerable and more easily influenced, Article 8 of the GDPR establishes that: "Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years."
The GDPR does not specify how to verify the age of the data subject, nor how to collect the parent's consent once it has been established that the controller is dealing with a minor.
WP29 recommends a proportionate approach that does not undermine the data minimisation principle and that assesses, on a case-by-case basis, the risks inherent in the processing and the technological means available.
If users declare that they are over 16 years of age, it is the controller's duty to verify that this statement is true, so as not to engage in unlawful processing. If, on the contrary, the user declares that he or she is under 16, the controller may accept this declaration without further checks, but must obtain the authorisation of the parents and verify that the person giving consent is the holder of parental responsibility. In low-risk cases, verification of parental responsibility by e-mail may be sufficient; in high-risk cases, by contrast, it may be appropriate to ask for further evidence that demonstrates, at the very least, the reasonable efforts made by the controller to verify that consent has been authorised by a parent.
Task of public interest or connected to the exercise of public powers
Where the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller, requires the processing of personal data, that processing is permitted pursuant to recital 45 and Article 6, paragraph 1, letter e), of the GDPR.
Although processing on this basis is authorised by default, it remains subject to objection by the data subjects. This right is formally recognised so that the specifics of each situation can be reviewed: in essence, it gives the data subject the opportunity to challenge the controller's definition of the public interest. The objection may or may not be upheld, but it must be considered and answered in a timely manner.
The data subject always has the right to withdraw consent at any time: withdrawing consent must be as easy as giving it.
As mentioned above, the Article 29 Working Party has prepared a useful contribution on the matter, the "Guidelines on consent under Regulation 2016/679", as revised and adopted on 10 April 2018.
We have published the full Italian version of these guidelines on our blog, available at the following address:
Source: Il Sole 24 Ore
Do not take unnecessary risks by waiting until the last moment to comply: in case of non-compliance with privacy obligations, the European Privacy Regulation provides for administrative fines of up to EUR 20,000,000 or up to 4% of your turnover, whichever is higher.