Tutorial: how to get a valid GDPR consent

The GDPR requires obtaining the consent of individuals before processing their personal data in certain cases, here's how to do that

The question of how to validly obtain consent under the GDPR generates a lot of discussions, yet it is often a simple problem to deal with. There are however important considerations that need to be assessed! First: do you really need consent ? This is an essential first step as consent is one of the six legal basis and it’s not necessarily the one required in all cases (sometimes it needs to be avoided as it can be a GDPR violation to use consent when other legal basis are required). This verification is an essential starting point (I). Once we are sure consent is required from a legal perspective then only we can create a process that will capture the consent in regard to the conditions set by the GDPR (II).

Why a valid consent is essential

National control authorities do not hesitate to erase all personal data collected without valid consent. In multiple cases in 2018, the french CNIL requested the erasure of +14 million - and in another case - over 60 million of prospect’s data that companies did not capture with valid consent. The economical damage can be very substantial. On another side, capturing legally valid consent is not a complex task.

I. - Consent is not generic

The First mistake to avoid: organizations don’t need consent all the time. This is the first thing to clearly understand: consent is needed in a few cases only.

The legal obligation GDPR imposes is to have a legal basis. There is six legal basis that allows organizations to collect and process personal data. Consent is only one of them! So, let’s take a look at some real-life examples.

Consent is needed Consent is not needed
Subscription to a newsletter When the law requires the collection of personal data, for example invoicing - as this is a legal obligation
Download and receive a guide (ex: whitepaper...) In case of a sale, or a contract (e.g. online sales)
More generally activities in which a person will see his personal data processed and in which the person can request anytime to stop the activity. For employment - recruitment, cv

What is the legal basis ?

In reality, to be able to legally collect data relating to persons, the GDPR imposes one condition: the data controller has to have a legal basis. This means we have to have at least one of the following conditions as described in article 6:

  • the subject has given consent to the processing of his data
  • the processing is necessary for the performance of a contract or to take steps before entering into a contract
  • a legal obligation imposes the collection of personal data
  • protection of vital interests of the data subject (someone is in a coma and can not give consent)
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data

How to determine if the legal basis can be consent?

In practice, the need to request consent can be determined by eliminating other legal bases and as follows:

does the law require you to collect personal data (e.g. in HR matters, like obligations existing related to retirement, in commercial matters for invoicing)? If so, then the legal basis is the legal obligation, and there is no need to ask for consent ;

  • is the data collected from the perspective of a contractual relationship - for example, an e-commerce website? In this case, the legal basis is the execution of pre-contractual measures or the execution of a contract. Be careful, however, because only the data necessary for this contract can then legally be collected! For example, the subscription of a person to a newsletter following purchase will not enter the data needed for the contractual relationship, and therefore will be subject to consent ;
  • are we in the two other specific cases of public interest / official authority vested in the controller or where vital interests of a data subject need to be protected (ex: a person arriving in a coma in a hospital in need of a transplant)
  • Having evacuated most of the legal basis, the last question we can ask ourselves is: can the person enter and exit the processing of his personal data at will? If yes, we are in a typical case of consent. Otherwise, the legal basis of the legitimate interests of the data processor might apply.

Consent is frequently used in marketing - for example, to subscribe to a newsletter, where a person can start and stop the processing of his data at will (eg. the unsubscribe link).

II. - You legally need consent? Here’s how to get one!

If you are in a situation where you need consent, congratulations because it’s quite an easy task to get one! Let’s clarify one element first a checkbox is not needed for consent. It can be useful if an organization wants to ensure that the person stopped and thought about what he or she agreed on, and expressed clearly agreement. But it’s not necessary. In reality, we need two essential elements. Let’s look at the legal definition, given by article 4.

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

So to acquire consent, two elements must be there: a positive act by the person, and the person must be informed of what will be done with their data.

First condition: you need a positive action from the person herself

For consent to be validly collected, a positive act by the person is first required. In clear terms, it means the person herself needs to do an action to manifest he/she agrees to the processing of his/hers personal data.

Here are examples of valid actions

  • a person clicks on a button
  • a person checks a check box
  • a person signs a contract
  • a person says “yes I agree”, or “agreed”

Here are examples of invalid actions

  • someone else presses a button
  • a checkbox is pre-checked
  • the person did not add her email herself in a form
  • the person stayed silent

In fact, this is a very old legal problem: can silence equals acceptance? In clear terms the question is, can a person be legally obliged to do something in the case she stayed silent? The GDPR answer is absolutely not (it would open to significant abuses otherwise)!

For consent to be valid, the person must therefore perform a positive act themselves - such as entering their personal data themselves in a collection form or clicking a button.

One action is enough

However, the GDPR does not necessarily require a set of multiple actions, like for example checking a checkbox AND then clicking on a button. A checkbox can be the manifestation of a positive act, but it’s not mandatory and there are plenty of ways to get the user to make an action other than filling a checkbox. For example, a person who adds his email address himself in a form will perform a positive act, sufficient to meet the requirement of the GDPR.

What is important is that the action comes from the person himself. For instance, it would be unlawful to collect emails on forums and send commercial advertisements (no clear affirmative action from the person to agree to such processing).

Second condition: the person must be informed

To get a valid consent, the GDPR has added other legal conditions that we can summarize as follows: the person whose data is processed must be clearly informed of what will be done with their data.

This is essential, otherwise, how could he/she consent to anything? From a legal point of view, the GDPR imposes several additional conditions, to ensure consent given is well informed:

  • the data subject must express a manifestation of free will, uncoerced and uninfluenced (e.g. a person who is forced to give his consent does not consent validly; we typically find this type of situation in matters of labor law in which the employer can impose the processing of personal data - in such cases, consent cannot be used as a legal basis. It is however possible to ask for consent in matters of employment law, but it must be ensured that the choice of the person is truly free). Beware, therefore, of the balance of power that can block the acquisition of consent
  • the consent must be specific: the data subject must consent to something specific, such as receiving a newsletter. It’s not possible to ask to consent to “any processing of personal data” for example.
  • the consent must be informed: in general, the data controller has to clearly detail on the collection form what will be done with the personal data
  • consent must be unequivocal, the data controller must not seek to mislead the person for example as to the reality of the processing carried out on this data, and inform him clearly of what is done with his data

The G29 has written very detailed consent guidelines on these matters.

Processes to implement

One risk for organizations who collect personal data is to fail to collect a valid consent. Avoiding this scenario is, however, relatively simple, provided that specific consent acquisition processes are put in place.

If you are uncertain about how to build these processes head up to Legiscope as these step-by-step processes are already built and the platform will help you automate a lot of other compliance tasks and save considerable amounts of time.