How to get a valid consent under the GDPR

The question of how to validly obtain consent under the GDPR generates a lot of discussion, even though the problem is quiet often simple to address. In this practical guide, we will look at how to obtain a legally valid consent under the GDPR and how to comply with all the conditions imposed by the regulation.

It is important to ensure that this process is properly followed, because in case of default, national control authorities can request the deletion of all data that has not been validly collected. It has already done so in two major cases in which the CNIL for example ordered the deletion of 14 million, then 60 million prospect data! This can have drastic consequences on a business’s marketing and sales.

Given the damage this can cause to a company, ensuring the validity of this process is a mandatory compliance point in terms of GDPR.

Note that if you are using Legiscope you can perform an automated audit of your web forms, which allows you to know if you are compliant or not in a few clicks, all thanks to AI !

I - Only ask for consent in certain cases!

The first mistake to avoid, and the first element to understand is that consent should only be requested in certain cases. We will see some examples before looking at the legal text.

A - Examples where consent must be requested (or not)

Traditionally, consent is requested for marketing processes such as:

• signing up for a newsletter
• downloading and receiving a guide (e.g. whitepaper…)

However, consent should never be requested in the following cases:

• for hiring
• when the law requires collecting and processing personal data (e.g. for invoicing - this is a legal obligation).

B - What the law states precisely

From a legal point of view, consent is an obligation that drives from Article 6 of the GDPR - and which requires the data controller (generally, the person collecting the data) - to have a legal basis.

1. A “legal basis” is required (permission)

In summary, to legally collect data relating to individuals (email, name, first name), we must ensure that we are in at least one of the following 6 cases:

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; c) processing is necessary for compliance with a legal obligation to which the controller is subject; d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

2. How to determine if the legal basis is really consent?

In practice, we can determine the need to request consent by eliminating the other legal bases, as follows:

• does the law require us to collect personal data (e.g. in HR matters, retirement obligations, in commercial matters, invoicing)? If so, the legal basis is then the legal obligation, and there is no need to request consent.
• is the data of the data subject processed as part of a contractual relationship - for example, an e-commerce site? In this case, the legal basis is the performance of pre-contractual measures or the performance of a contract. However, be careful, because only the data necessary for this contract can be validly collected! For example, signing a person up for a newsletter following a purchase will not fall under the contract, but under consent.
• are we in another case (example: a person arrives at a hospital in a coma and the person needs a transplant, the legal basis will then be the safeguarding of their vital interests).
• failing that, we can rely on consent

3. Be careful not to put everything under a single legal basis

However, be careful to ensure that the personal data is really necessary for this legal basis. The case of the e-commerce site is a good example : here the data controller needs to collect data for invoicing (the legal basis = legal obligation), and for payment management (the legal basis = contract), as well as for the order and its shipment, such as the person’s address and email (legal basis = contract). The controller can also ask the data subject to include the person’s email to send them promotions (legal basis = consent).

Assuming that we are in a situation where we need to obtain the consent of the person, there are then two essential conditions to comply with.

II - The two essential conditions to respect to obtain valid GDPR consent

The legal definition of consent is given to us by Article 4 of the GDPR:

“consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

In fact, behind this definition, there are two essential conditions that are imposed by the GDPR: there must be a positive act by the person (A), and the person must be clearly informed of what will be done with their data (B).

A - We need a positive act by the data subject

For consent to be validly collected, there must first be a positive act by the person. In fact, this is an old legal problem which is whether silence can mean consent. The answer in the GDPR is - fortunately no! Without this, the GDPR would open to significant abuses. For consent to be validly collected, the person must therefore perform a positive act themselves - such as entering their personal data themselves in a collection form.

However, the GDPR does not necessarily require a checkbox! A checkbox can be the manifestation of a positive act, but it is not necessarily so. In fact, a person who adds their email address themselves in a form performs a positive act that is sufficient to validate this condition imposed by the GDPR.

What is important is that the action comes from the person themselves. For example:

• it would be illegal to collect emails on forums and send commercial advertisements to people
• it is illegal to add one’s contacts to a commercial newsletter without having asked people for their consent beforehand.

B - The data subject must be informed of what will be done with their data

The GDPR has added more legal conditions, but we can summarize things as follows: the person whose data is processed must be clearly informed of what will be done with their data.

And this is essential, otherwise how could they consent to anything? How to consent to data being processed for example for a newsletter if the person is not clearly informed of it?

From a legal point of view, the GDPR imposes several additional conditions, in order to ensure that the consent given is indeed informed:

• there must be a free expression of will that must not be constrained or influenced (e.g. a person who is forced to give their consent does not validly consent; we typically find this type of situation in labor law in which the employer can impose a processing of personal data - in such cases, consent cannot be used as a legal basis. However, it is possible to request consent in labor law matters, but it is necessary to ensure that the person’s choice is truly free). Therefore, be careful of power relationships that can block the acquisition of consent
• consent must be specific: the data subject must consent to something specific, such as receiving a newsletter. But it is not possible to ask them to consent to “any processing of personal data” for example.
• consent must be informed: in general, it is sufficient for this to clearly detail on the collection form what will be done with the personal data
• and it must be unambiguous (cf. unequivocal), one must not seek to deceive the person for example as to the reality of the processing carried out on this data, and clearly inform them of what is done with their data

The G29 has written very detailed guidelines on consent which can be consulted.

Conclusion: the processes to implement

The main risk for organizations that collect personal data is not validly collecting this data - and then finding themselves in a situation where the CNIL would request the deletion of all the data for example.

Avoiding this catastrophic scenario is relatively simple, however, provided that precise consent acquisition processes are put in place. The GDPR requires the implementation of a variety of processes and it is advisable to use software to manage them:

Whether for consent acquisition or registry management, tools to automate these processes are essential to save time for organizations.