GDPR: Consent to the processing of personal data

This is a translation of the official guidance on consent to the processing of personal data (Guidelines on Consent under Regulation 2016/679, WP259 rev.01) of the European Commission's Article 29 Working Party. The original is published in the 23 official languages of the European Union. Although Russian is not one of them, it is widely spoken in Europe. If your business serves customers from the EU, you are obliged to comply with the General Data Protection Regulation (GDPR), which entered into force on 25 May 2018.

Consent to the processing of personal data is the first thing your client encounters. Despite its apparent simplicity, the Guide runs to 30 pages and still causes difficulties: leakage of personal data on EU websites ranges from 12% to 41%, and fines from regulators range from thousands to tens of millions of euros. Large companies with a staff of lawyers and engineers are able to respond quickly to changes in the business environment, but individual entrepreneurs and small businesses often have to rely only on themselves and bear all the risks.

The author tried to convey the provisions of the Guide as closely as possible to the original, softening particularly heavy officialese. The translation was made from the originals in two languages and has no legal force. The author provides no guarantees and is not responsible for any claims, losses or lost profits. But he will be glad to receive sensible comments and improvements to the wording.

1. Introduction


This Guide provides a thorough analysis of the concept of Consent contained in Regulation 2016/679, the General Data Protection Regulation (GDPR). The concept of Consent used in the Data Protection Directive (Directive 95/46/EC) and the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) has since evolved. The GDPR provides further clarification of the requirements for obtaining and demonstrating legally valid Consent. This Guide focuses on these changes, offering practical guidance on how to ensure compliance with the GDPR, building on Opinion 15/2011. It is the duty of personal data controllers to innovate and look for new solutions within the framework of the law that advance the protection of personal data and the interests of data subjects.

In accordance with Article 6 of the GDPR, Consent is one of the six grounds for the legitimate processing of personal data. When starting activities related to the processing of personal data, the controller must always take into account the legal basis for the intended processing.

As a rule, Consent can be a legitimate basis only if the data subject is offered control and a genuine choice to accept or reject the proposed terms without adverse consequences. When requesting Consent, the controller is required to assess whether it will satisfy all applicable requirements. Consent obtained in full compliance with the GDPR is a tool that gives data subjects control over whether or not their personal data will be processed. Otherwise, the data subject has no actual control, and such Consent is an invalid basis for processing.

The existing opinions of the Working Party (WP29) on Consent remain relevant as long as they are consistent with the new legislation, since the GDPR codifies the existing guidance and recommendations, and the key elements of Consent remain unchanged in the GDPR. Thus, in this document WP29 extends and supplements its previous opinions on specific aspects of Consent, which interpret Consent under Directive 95/46/EC, rather than replacing them.

As stated in Opinion 15/2011 on the definition of Consent, offering the data subject the option to accept or refuse a data processing operation must be subject to strict rules, since it concerns the fundamental rights of data subjects and the controller wishes to engage in a processing operation that would be unlawful without the data subject's consent. The crucial role of Consent is emphasised in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. In addition, obtaining Consent does not exclude and in no way diminishes the controller's obligation to comply with the principles enshrined in the GDPR, especially in Article 5, regarding fairness, necessity, proportionality and data quality. Even if the processing of personal data is based on the consent of the data subject, this does not legitimise the collection of data that is not necessary for the stated purpose of the processing, which would be unfair.

At the same time, WP29 is aware of the ongoing revision of Directive 2002/58/EC. The concept of Consent in the draft of this Directive remains consistent with the GDPR. Organisations are likely to need Consent for most marketing messages, calls and Internet tracking methods, including the use of cookies, applications or other software. WP29 has already submitted its proposals and directions concerning Consent to the European legislator.

Regarding the current version of Directive 2002/58/EC, WP29 notes that references to the repealed Directive 95/46/EC should be construed as references to the GDPR. This also applies to references to Consent in Directive 2002/58/EC, as it ceases to apply on 25 May 2018. According to Article 95 of the GDPR, the Consent requirements in the context of publicly available electronic communication services in public communications networks are not considered "additional" obligations but rather preconditions for lawful processing. Therefore, the GDPR requirements for obtaining Consent also apply in situations within the scope of Directive 2002/58/EC.

2. Consent in Article 4 (11) GDPR


Article 4 (11) of the GDPR defines Consent as follows: “a voluntary, specific, informed and unequivocal expression of will in which the data subject, through a statement or a clear affirmative action, gives consent to the processing of his personal data.”

The understanding of the basis of Consent remains the same as in Directive 95/46/EC, and Consent is one of the legal grounds on which the processing of personal data must be based in accordance with Article 6 of the GDPR. In addition to the amended definition in Article 4(11), the GDPR provides further guidance in Article 7 and in Recitals 32, 33, 42 and 43 on how the controller should act to ensure compliance with the elements of Consent.

Finally, the inclusion of specific rules on the withdrawal of the Consent confirms that the Consent must be a reversible and controlled decision by the data subject.

3. Elements of Legal Consent


Article 4 (11) of the GDPR defines the Subject's Consent as:

  1. voluntary
  2. specific
  3. informed and
  4. unambiguous expression of will, in which the data subject, using a statement or a clear affirmative action, gives consent to the processing of his personal data.

The following analyzes the extent to which Article 4 (11) of the GDPR requires controllers to modify their requests / forms for consent to ensure compliance with the GDPR.

3.1. Voluntary


This element implies real choice and control for data subjects. The GDPR provides that if the data subject does not have a real choice, feels compelled to agree or suffer damage by not agreeing, then such Consent is considered illegal. If the Consent is included in the terms of service as an invariable part of it, then it is not considered voluntary. Accordingly, the Consent is not considered voluntary if the data subject cannot refuse or withdraw it without adverse consequences for himself. The concept of imbalance between the controller and the data subject is also taken into account in the GDPR.

When evaluating whether Consent has been given voluntarily, one should also take into account the specific situation in which it is tied to service agreements, as described in Article 7(4). Article 7(4) is worded non-exhaustively ("in particular"), which means that there may be a range of other situations falling within the scope of this rule. In general, any element of pressure or influence on a data subject (which may occur in various ways) that prevents the data subject from exercising free will renders the Consent invalid.
Example 1

3.1.1. Imbalance of Power


Recital 43 clearly indicates that it is unlikely that public authorities can rely on Consent, because when the state is the data controller, there is often a clear imbalance between it and the data subject. In addition, in most cases it is clear that the data subject has no real alternative to accepting the conditions of such a controller. WP29 considers that there are other legal grounds which, in principle, are more suitable for the activities of public authorities.

However, the use of Consent as a legal basis for the processing of data by public authorities is not ruled out by the GDPR. The following examples show that Consent may be appropriate in certain circumstances.
Example 2

Example 3

Example 4

An imbalance also arises in the context of employment. Given the relationship between employer and employee, it is unlikely that the data subject can refuse Consent to the processing of personal data without fear or risk of negative consequences as a result of the refusal. It is unlikely that an employee can voluntarily agree, for example, to the activation of monitoring systems such as surveillance cameras in the workplace, or to fill out evaluation forms, without experiencing any pressure. Thus, WP29 considers it problematic for employers to process the personal data of employees on the basis of Consent, since it can hardly be considered voluntary. For most cases of data processing at work, the consent of employees (Article 6(1)(a) GDPR) cannot be a legitimate basis because of the nature of the relationship.

However, this does not mean that employers can never rely on Consent as a legal basis for the processing of personal data. Situations may arise where the employer can demonstrate that the consent is actually given voluntarily. Given the imbalance between the employer and its employees, employees can give voluntary consent only in circumstances where giving or refusing it has no negative consequences for them.
Example 5

A film crew will shoot in a specific part of the office. The employer asks all employees who work in this area to give their consent to the filming, as they may appear in the background of the video. Those who do not want to appear in the video are not penalised in any way, but are instead given equivalent workplaces in another part of the office for the duration of the shoot.

The imbalance is not limited only to state bodies and employers, it can also occur in other situations. WP29 emphasizes that Consent is legal only if the data subject is able to make real choices without the risk of fraud, intimidation, coercion or negative consequences. Consent will not be voluntary when there is any element of coercion, pressure or inability to exercise free will.

3.1.2. Conditionality


Article 7(4) GDPR plays an important role in assessing whether Consent is voluntary. It indicates, in particular, that "bundling" Consent with acceptance of the terms of service, or "tying" the provision of a service to a request for Consent to process personal data that is not necessary for the performance of the contract, is highly undesirable. Consent given in such a situation is not considered voluntary (Recital 43). Article 7(4) aims to ensure that the purpose of processing personal data is not disguised or bundled with a contract for which this data is not needed. The GDPR holds that the processing of personal data for which Consent is requested cannot directly or indirectly become the counter-performance of a contract. The two legal bases for processing personal data, Consent and the performance of a contract, cannot be merged and blurred.

Being coerced into consenting to the use of personal data beyond what is necessary limits the choice of the data subject and impedes the exercise of free will. Since the law seeks to protect fundamental rights, control over personal data is essential. It follows that Consent to the use of personal data beyond what is necessary cannot be a mandatory condition in exchange for the performance of a contract or the provision of a service.

Whenever the Consent is related to the execution of the contract, the data subject, who does not want to provide personal data, risks receiving a denial of service.

In order to assess whether there is "bundling" or "tying", it is important to determine the scope of the contract and the data necessary for its performance. According to WP29 Opinion 06/2014, the term "necessary for the performance of a contract" should be interpreted narrowly. The processing must be necessary to perform the contract with each individual data subject. For example, in the context of an online store, this may be the delivery address or credit card details. In the context of employment, this may be salary information and bank account details. There must be a direct and objective link between the data and the purpose of its use in the contract.

If the controller wishes to process personal data that is genuinely necessary for the performance of the contract, then Consent is not the appropriate legal basis.

Article 7 (4) applies only in cases where the requested data is not necessary for the execution of the contract, and the execution is made dependent on the receipt of this data through the Consent. Conversely, if the data are necessary for the performance of the contract, then article 7 (4) does not apply.
Example 6

A bank asks customers for Consent to allow third parties to use their details for direct marketing. This activity is not necessary for the performance of the contract and the provision of ordinary services. If a client's refusal to give Consent leads to a refusal to provide banking services, closure of an account or an increase in fees, then such Consent is not considered voluntary.

Treating conditionality as a presumption of a lack of freedom of consent shows that the conditions for its occurrence must be carefully checked. The term "utmost account" in Article 7(4) means that the controller must exercise particular caution when a contract contains a request for Consent to the processing of personal data.

Since the wording of Article 7(4) is not absolute, there may be cases where conditionality does not render Consent invalid. However, the word "presumed" in Recital 43 indicates that such cases will be extremely rare.

In any case, the burden of proof provided for in Article 7 (4) lies with the controller. This rule reflects the general principle of accountability, which operates throughout the entire GDPR. However, when applying Article 7 (4), it will be more difficult for the controller to prove that the data subject has given his consent voluntarily.

The controller may argue that the organisation offers data subjects a real choice if they can choose between a service that requires Consent to use personal data for additional purposes and an equivalent service that does not require such Consent. As long as it is possible to perform the contract without obtaining Consent to use additional data, Consent is not considered conditional. In this case, both services must be genuinely equivalent.

WP29 considers that Consent is not voluntary if the controller argues that a choice exists between a service that requires Consent to use personal data for additional purposes and an equivalent service from another controller that does not require such Consent. In this case, freedom of choice would depend on whether the data subject finds the services genuinely equivalent. In addition, the controller would be required to monitor the market to ensure the continued validity of such Consent, since the competitor may change its service later. Therefore, such an argument does not make the Consent compliant with the requirements of the GDPR.

3.1.3. Granularity


A service may include several data processing operations for more than one purpose. In such cases, data subjects should be able to choose for what purpose they give consent separately. In accordance with the GDPR, several Consents may be requested to begin providing a service.

Recital 43 clarifies that Consent is not considered voluntary if the process for obtaining it does not allow data subjects to give separate Consent to individual processing operations. Recital 32 reads: "Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them."

If the controller has combined several processing purposes and has not attempted to obtain separate Consent for each of them, this indicates a lack of freedom. Granularity is closely related to the requirement that Consent be specific, which is described in section 3.2 below. When data processing is carried out for several purposes, a condition of valid Consent is the separation of these purposes and the obtaining of Consent for each of them.
Example 7

3.1.4. Detriment


The controller is obliged to demonstrate that the data subject can withdraw Consent without detriment (Recital 42). For example, the controller needs to show that withdrawing Consent does not lead to costs for the data subject and does not create obvious disadvantages for them.

Other examples of detriment are deception, intimidation, coercion or significant negative consequences if the data subject does not give consent. The controller is required to show that the data subject has a free choice as to whether to give Consent, and that Consent can be withdrawn without detriment.

If the controller shows that the service includes the ability to withdraw Consent without negative consequences, for example without degrading its quality, this can serve as evidence of voluntary Consent. The GDPR does not preclude all incentives, but the burden of proving the voluntariness of Consent rests with the controller in all cases.
Example 8

Example 9

Example 10

3.2. Specific


Article 6(1)(a) confirms that Consent must be given in relation to "one or more specific" purposes and that the data subject has a choice in relation to each of them. The requirement that Consent be specific is aimed at ensuring user control and transparency for the data subject. The GDPR has not changed this requirement, and it remains closely related to the requirement of informed Consent. At the same time, it should be interpreted together with the requirement of granularity in order to obtain voluntary Consent. In short, in order for Consent to be specific, the controller must:

  1. specify the purpose as a safeguard against function creep,
  2. make the Consent request granular, and
  3. clearly separate the information related to obtaining Consent from any other information.

Supplement to 1. In accordance with Article 5(1)(b) of the GDPR, obtaining Consent is always preceded by the determination of the specific, explicit and legitimate purpose of the intended data processing. The need for specific Consent, combined with the concept of purpose limitation in Article 5(1)(b), serves as protection against the gradual expansion of the purpose of data collection after the data subject has given Consent. This phenomenon, also known as function creep, poses a risk to data subjects, as it can lead to unforeseen use of personal data by the controller or third parties, and to loss of control.

If the controller relies on Article 6(1)(a), data subjects must always consent to the specific purpose of the processing. In accordance with the concept of purpose limitation, Article 5(1)(b) and Recital 32, Consent may cover various operations if they serve the same purpose. Of course, specific Consent can only be obtained when the data subjects are accurately informed of the intended processing purposes.

Despite the ability to combine purposes, Consent must be specific to each of them. Data subjects must agree with the understanding that they are in control and that their data will be processed only for the specified purposes. If the controller lawfully processes data for one purpose and wishes to process it for another purpose as well, the controller is required to request additional Consent for that purpose, unless there is another legal basis that better reflects the situation.
Example 11

Supplement to 2. Consent mechanisms should be granular not only to meet the requirement of being "voluntary", but also to comply with the element of "specificity". This means that a controller who requests Consent for various purposes must provide a separate choice for each of them, allowing users to give Consent for a specific processing purpose.

Supplement to 3. Finally, controllers are required to provide specific information in each individual Consent request for each purpose, so that data subjects are aware of the impact of the different choices. In this way data subjects are given the opportunity to give specific Consent. This point is related to the obligation to provide clear information in section 3.3 below.

3.3. Informed


The GDPR requires that Consent be informed. Based on Article 5 of the GDPR, the requirement of transparency is one of the fundamental principles, closely related to the principles of fairness and lawfulness. Providing information to data subjects before obtaining their Consent is essential to enable them to make an informed decision, to understand what exactly they are agreeing to, and, for example, to understand their right to withdraw Consent. If the controller does not provide accessible information, the data subject has no actual control, and such Consent is an invalid basis for processing.

The consequence of non-compliance with the informed Consent requirement is its illegality, and the controller may be in violation of Article 6 of the GDPR.

3.3.1. Minimum Content Requirements for Obtaining Informed Consent


In order for the Consent to be informed, it is necessary to provide the data subject with several elements that are crucial for him to make a decision. Therefore, WP29 is of the opinion that at least the following information is required to obtain a legal Consent:

  1. the identity of the controller,
  2. the processing purposes for which the personal data is intended,
  3. the types of data that will be collected and used,
  4. the right to withdraw Consent,
  5. information on automated decision-making in accordance with Article 22(2)(c), where relevant, and
  6. information on the possible risks of data transfers due to the absence of an adequacy decision and of appropriate safeguards as described in Article 46.

Regarding points 1 and 3, WP29 notes that where the requested Consent is to be relied upon by several (joint) controllers, or where the data is to be transferred to or processed by other controllers who wish to rely on such Consent, all of them must be named. Data processors need not be named, although controllers are required to provide a complete list of data recipients or their categories, including processors, to comply with Articles 13 and 14 of the GDPR. In conclusion, WP29 notes that, depending on the circumstances, the data subject may need additional information to clearly understand the data processing operations.

3.3.2. How to Provide Information


The GDPR does not prescribe the form or type in which information must be provided in order to comply with the informed Consent requirement. This means that it can be presented in various ways, such as written or oral statements, or audio or video messages. However, the GDPR contains several requirements for informed Consent, mainly in Article 7(2) and Recital 32, which enhance clarity and accessibility.

When requesting Consent, the controller should always use clear and plain language. This means that the message should be easily understood by an ordinary person, not just a lawyer. Controllers should not use long privacy policies that are hard to understand, or legal jargon. Consent must be clear, distinguishable from other matters, and provided in an intelligible and easily accessible form. This requirement means that information relevant to making an informed decision on whether or not to consent cannot be hidden in the general terms of service.

The controller is required to ensure that Consent is obtained on the basis of information that allows the data subject to easily recognize who the controller is and what exactly they agree with. The controller shall clearly describe the purpose of the processing for which Consent is requested.

Further specific accessibility guidance is included in the WP29 guidelines on transparency. If Consent is given electronically, the request for it must be clear and concise. Layered and granular information can be an appropriate way to meet the twofold obligation of being precise and complete on the one hand, and understandable on the other.

The controller is required to assess the audience that provides the personal data. For example, if it includes minors, the controller should make sure that the information is understandable to them. After such an assessment, the controller is required to determine what information to provide to data subjects and how to provide it.

Article 7(2) addresses pre-formulated written declarations of consent that also concern other matters. When Consent is requested as part of a (paper) contract, the request should be clearly separated from other matters. If the paper contract contains aspects that are not related to Consent, the question of Consent should be presented in a way that clearly stands out, or in a separate document. Similarly, if Consent is requested electronically, the request must be separate and cannot be merely a paragraph in the terms of service, in accordance with Recital 32. On small screens or in limited space, a layered way of providing information may be appropriate in order to avoid excessive disturbance of the user experience or product design.

A controller relying on Consent is also required to comply with the requirements set out in Articles 13 and 14 in order to comply with the GDPR. In practice, an integrated approach can be taken to satisfy these requirements and the informed Consent requirement together. However, this section of the Guide is written on the basis that valid "informed" Consent can be obtained even if not all elements of Articles 13 and/or 14 are mentioned in the process of obtaining it (these points, of course, must be mentioned elsewhere, for example in the privacy policy). WP29 has issued separate guidelines on transparency.
Example 12

Example 13

3.4. Unambiguous


The GDPR provides that Consent requires a statement or a clear affirmative action by the data subject. It must be obvious that the data subject has consented to the specific processing.

Article 2(h) of Directive 95/46/EC describes Consent as "any indication of wishes by which the data subject signifies agreement to the processing of personal data relating to him". Article 4(11) of the GDPR builds on this definition by clarifying that valid Consent requires an unambiguous indication of wishes by means of a statement or a clear affirmative action, in line with the previous guidance of WP29.

"Clear affirmative action" means that the data subject deliberately agrees to the specific processing. Recital 32 provides further guidance on this. Consent may be obtained by a written or (recorded) oral statement, as well as electronically.

Perhaps the simplest way to meet the requirement of a "written statement" is to ensure that the data subject sets out to the controller, by letter or email, what they are agreeing to. Often this is not feasible. Written statements can take many forms under the GDPR.

Without prejudice to existing (national) contract law, Consent may be obtained through a recorded oral statement, provided the data subject was given the necessary information beforehand. Under the GDPR, pre-ticked options are not permitted. Silence, inactivity or merely continuing to use the service is not considered an indication of choice.
Example 14

During installation, the application asks the data subject for Consent to use personalized crash reports to improve its quality. A comprehensive privacy policy containing all the necessary information is attached to the Consent request. By actively ticking the optional field with the inscription "I agree", the user performs a clear affirmative action, which gives his consent to the processing.

The controller must bear in mind that Consent cannot be obtained through the same action as accepting a contract for the provision of services. Acceptance of the terms of service cannot be regarded as a clear affirmative action regarding the use of personal data. The GDPR prohibits pre-ticked options (for example, a pre-ticked opt-out box) or other constructions that require the data subject to intervene in order to prevent agreement.

When the Consent is given electronically, the request should not unnecessarily interrupt the work with the service. A clear affirmative action by which the data subject provides the Consent may be necessary if a less interruptive way of obtaining it leads to ambiguity. Thus, in order to request Consent, it may be necessary to partially suspend interaction with the user in order to make the request legitimate.

In accordance with the GDPR, controllers are free to develop the Consent process best suited to their organisation. In this vein, physical actions can qualify as a clear affirmative action.

Controllers should design Consent mechanisms in such a way that they are clear to data subjects. Controllers must avoid ambiguity and ensure that the action by which Consent is given can be distinguished from other actions. Thus, merely continuing to use a website is not an action from which it can be concluded that the data subject wishes to consent to a processing operation.
Example 15

Example 16

In the digital world, many services require personal data, so data subjects receive multiple Consent requests, which need to be answered every day by clicking and swiping the screen. This can lead to some apathy: when requests are met too often, their actual warning effect is reduced.

This leads to a situation where Consent requests are no longer read. This situation is a high risk for data subjects, since Consent is usually requested for processing that would be unlawful without it. The GDPR places an obligation on controllers to develop methods to address this problem.

A well-known example of such a situation is obtaining the Consent of an Internet user through the settings of the user's browser. Such settings should be designed in accordance with the GDPR. For example, Consent should be granular for each of the purposes and should name the controllers.

In any case, Consent must be obtained before the controller proceeds with the processing of personal data. In previous guidance, WP29 has consistently held that Consent must be given before processing activities begin. Although Article 4(11) of the GDPR does not literally prescribe that Consent be obtained before the start of processing, this is clearly implied. The heading of Article 6(1) and the wording "has given" in Article 6(1)(a) support this interpretation. It follows logically from Article 6 and Recital 40 that a legal basis must exist before processing starts. Therefore, Consent must be given before the processing begins. In principle, it is sufficient to request the consent of the data subject once. However, controllers are required to obtain new Consent if the processing purposes have changed or an additional purpose has been added.

4. Obtaining Explicit Consent


Explicit Consent is required in certain situations where a serious data protection risk arises and a high level of individual control over personal data is therefore considered appropriate. In the GDPR, explicit Consent plays a role in Article 9 on the processing of special categories of data, in the provisions on transfers of data to third countries or international organisations in the absence of adequate safeguards (Article 49), and in Article 22 on automated individual decision-making, including profiling.

The GDPR provides that a “statement or clear affirmative action” is a prerequisite for “simple” Consent. Since the requirements for “simple” Consent in the GDPR are already stricter than in Directive 95/46 / EC, it is necessary to clarify what additional effort the controller must make in order to obtain the explicit Consent of the data subject in accordance with the GDPR.

The term “explicit” refers to the way in which Consent is expressed by the data subject. It means that the data subject must give an express statement of Consent. An obvious way to make sure that Consent is explicit is to confirm it in writing. In that case the controller can also have the written statement signed by the data subject in order to remove any possible doubt and potential lack of evidence in the future.

However, a written statement is not the only way to obtain explicit Consent, and it cannot be said that the GDPR requires written Consent in every case where valid explicit Consent is needed. For example, in the digital world a data subject may give explicit Consent by filling out an electronic form, sending an e-mail, uploading a scanned document bearing his signature, or using an electronic signature. In theory, an oral statement may also be sufficient for valid explicit Consent, but it will be harder for the controller to prove that all the conditions of valid explicit Consent were met when such a statement was recorded.

An organisation may also obtain explicit Consent by phone, provided that the information about the choice is fair, understandable and clear, and that a specific action is requested from the data subject (for example, pressing a button or giving verbal confirmation).
Example 17

A data controller can obtain explicit Consent from a visitor to his website by offering a Consent screen that contains Yes and No check boxes, provided that the text clearly indicates Consent: for example, “I hereby consent to the processing of my data”, and not, say, “It is clear to me that my data will be processed”. Of course, the other conditions for valid Consent must also be observed.

Example 18

Two-step verification of Consent may also be a way of confirming that explicit Consent is valid. For example, the data subject receives an e-mail from the controller informing him of the controller's intention to process his medical data. The controller explains that he is requesting Consent to use a specific data set for a specific purpose. If the data subject agrees to such processing, the controller asks him to reply by e-mail with the text “I agree”. After the reply has been sent, the data subject receives a verification link, or an SMS with a code, to confirm the agreement.
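The two-step exchange just described, as an added example in Python (not code from the Guidelines or from WP29): the controller's notice names the purpose and the data set, only the exact reply “I agree” is accepted, a one-time code is then issued for the second channel, and consent is recorded only once that code is confirmed. The 15-minute code lifetime, the six-digit code format and all names in the code are assumptions made for the illustration.

```python
"""Two-step confirmation of explicit consent.

Added example (not code from the WP29 guidelines) following the exchange in
Example 18: the controller states the purpose and the data set, the subject
must reply with the exact words "I agree", and then must confirm with a
one-time code sent through a second channel (link or SMS). Consent is recorded
only after both steps, together with a hash of the text the subject saw and
the time of confirmation, so that it can be demonstrated later.
The 15-minute code lifetime and the six-digit code format are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 15 * 60    # assumption: a code is valid for 15 minutes
REQUIRED_REPLY = "i agree"    # the explicit wording the reply must match


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class ConsentRequest:
    """State of one pending request, kept by the controller."""
    subject_id: str
    purpose: str
    data_set: str
    notice_text: str                    # full text e-mailed to the subject
    reply_received_at: Optional[float] = None
    code_hash: Optional[str] = None     # only a hash of the code is stored
    code_expires_at: float = 0.0


@dataclass(frozen=True)
class ExplicitConsent:
    """Record that demonstrates the consent (Article 7(1))."""
    subject_id: str
    purpose: str
    data_set: str
    notice_hash: str     # SHA-256 of the notice the subject replied to
    given_at: float      # time of the second-step confirmation
    method: str


def send_request(subject_id: str, purpose: str, data_set: str,
                 notice_text: str) -> ConsentRequest:
    """Controller side: the notice must name the purpose and the data set."""
    return ConsentRequest(subject_id, purpose, data_set, notice_text)


def receive_reply(req: ConsentRequest, reply_text: str, now: float) -> Optional[str]:
    """Step 1: accept only the unambiguous affirmative wording asked for.

    Returns the one-time code to send through the second channel, or None if
    the reply is anything else (a vague acknowledgement is not consent).
    """
    if reply_text.strip().rstrip(".").strip().lower() != REQUIRED_REPLY:
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    req.reply_received_at = now
    req.code_hash = _sha256(code)
    req.code_expires_at = now + CODE_TTL_SECONDS
    return code


def confirm(req: ConsentRequest, code: str, now: float) -> Optional[ExplicitConsent]:
    """Step 2: check the code (single use, time-limited) and record consent."""
    if req.code_hash is None or now > req.code_expires_at:
        return None
    if not hmac.compare_digest(_sha256(code), req.code_hash):
        return None
    req.code_hash = None      # a code cannot be reused
    return ExplicitConsent(req.subject_id, req.purpose, req.data_set,
                           _sha256(req.notice_text), now, "e-mail reply + SMS code")


if __name__ == "__main__":
    # Constructed walk-through of Example 18.
    req = send_request("subject-42", "clinical study on sleep patterns",
                       "sleep tracker readings for 2023",
                       "We ask for your consent to use your sleep tracker "
                       "readings for 2023 in our clinical study on sleep patterns.")
    assert receive_reply(req, "It is clear to me that my data will be processed", 0.0) is None
    code = receive_reply(req, "I agree.", 0.0)        # code would be sent by SMS
    print(confirm(req, code, 60.0))
```

Only a hash of the code is kept on the controller side and the comparison is constant-time, so a leaked request record does not reveal a usable code; the hash of the notice text ties the consent record to the exact version of the information the subject replied to, which is what the controller later has to demonstrate.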

Article 9 (2) does not recognise “necessity for the performance of a contract” as an exception to the general prohibition on processing special categories of data. Therefore, controllers and EU countries dealing with such a situation should examine the exceptions in paragraphs (b) to (j) of Article 9 (2). If none of them applies, obtaining explicit Consent in accordance with the GDPR remains the only possible lawful exception for processing such data.
Example 19


Example 20

5. Additional Conditions for Obtaining Legal Consent


The GDPR requires controllers to take additional measures to ensure that they obtain, maintain and can demonstrate valid Consent. Article 7 of the GDPR sets out these additional measures, with specific provisions on keeping records of Consent and on the right to withdraw Consent easily. Article 7 also applies to Consent referred to in other articles of the GDPR, for example Articles 8 and 9. Guidance on the additional requirements for demonstrating valid Consent and for its withdrawal is given below.

5.1. Demonstration of Consent


Article 7 (1) of the GDPR places an explicit obligation on the controller to demonstrate the Consent of the data subject. Under Article 7 (1), the burden of proof lies with the controller.

Paragraph 42 says: “If the processing is based on the consent of the data subject, the controller should be able to demonstrate that the data subject has consented to the processing operation.”

Controllers are free to develop their own methods of meeting this requirement in a way that suits their activities. At the same time, the obligation to demonstrate that valid Consent has been obtained should not in itself lead to excessive additional data processing. This means that controllers must have enough data to show the link to the processing (to show that Consent was obtained), but they are not required to collect more data than is necessary.

The controller must be able to show that valid Consent was obtained from the data subject. The GDPR does not specify exactly how this should be done; however, the controller must be able to prove that the data subject gave his Consent. The obligation to demonstrate Consent lasts as long as the processing activity continues. After processing ends, in accordance with Articles 17 (3) (b) and (e), evidence of Consent should be kept no longer than strictly necessary for compliance with legal obligations or for the establishment, exercise or defence of legal claims.

For example, the controller may keep a record of the statements of Consent received, showing how and when Consent was obtained and what information was provided to the data subject at that moment. The controller must also be able to show that the data subject was informed and that the procedure for obtaining Consent met all the criteria for valid Consent. The rationale for this obligation in the GDPR is that controllers should be accountable for obtaining the valid Consent of the data subject and for the mechanisms they use to obtain it. For example, in an online context the controller can keep information about the session in which Consent was given, together with documentation of the Consent procedure and a copy of the information that was presented to the data subject at that time. It is not enough merely to refer to a correct configuration of the website.
Example 21
The GDPR does not set a specific period after which Consent expires. How long Consent lasts depends on the context, the scope of the original Consent and the expectations of the data subject. If the processing operations change significantly, the original Consent is no longer valid, and new Consent must be obtained.

WP29 recommends refreshing Consent at appropriate intervals. Providing the information again helps to ensure that the data subject remains well informed about how his data are used and about his rights.

5.2. Revocation of Consent


Revocation of Consent takes an important place in the GDPR. GDPR norms and requirements for revoking the Consent can be considered as a codification of the existing interpretation of this issue in the conclusions of WP29.

Article 7 (3) of the GDPR prescribes that the controller is required to ensure that the data subject can revoke the Consent at any time as easily as it was granted. The GDPR does not require that the provision and revocation of Consent must be the same action.

However, if Consent is obtained electronically with just a mouse click, a swipe of the screen or a keystroke, data subjects must be able to withdraw that Consent with the same ease. Where Consent is obtained through a user interface (for example, a website, an application, a login account, the interface of an Internet of Things device, or e-mail), the data subject must be able to withdraw Consent through the same interface, since switching to another interface solely in order to withdraw Consent would require unjustified effort. In addition, the data subject must be able to withdraw Consent without detriment. This means, in particular, that the controller must allow Consent to be withdrawn free of charge and without lowering the level of service.
Example 22

The requirement of easy withdrawal is described in the GDPR as a necessary condition of valid Consent. If the right of withdrawal does not meet the requirements of the GDPR, then the controller's whole Consent mechanism does not comply with the GDPR. As already mentioned in section 3.1 on the requirements of informed Consent, the controller must inform the data subject of the right to withdraw Consent before it is actually given, in accordance with Article 7 (3) of the GDPR. In addition, as part of ensuring transparency, the controller must inform the data subject how this right can be exercised.

As a rule, when Consent is withdrawn, the processing operations that were based on it and carried out before the withdrawal remain lawful; however, from that moment the controller must stop the processing. If there is no other legal basis for processing the data (for example, for further storage), the data should be deleted.

As mentioned earlier, it is very important that controllers determine the purposes and the legal basis of the actual processing before data collection begins. Companies often need personal data for several purposes at once, and processing is based on more than one legal basis; for example, customer data may be processed both on the basis of a contract and on the basis of Consent. Withdrawal of Consent then does not mean that the controller must delete the data that are processed in order to perform the contract. Therefore, the controller must indicate from the very outset which purpose relates to each data element and on which legal basis it rests.

The controller is obliged to delete the data processed on the basis of the Consent as soon as it is revoked, provided that there is no other reason justifying further storage. In addition to this situation described in Article 17 (1) (b), the data subject may request the deletion of his other data, which are processed on another legal basis, for example, on the basis of Article 6 (1) (b). The controller must evaluate the appropriateness of further processing of the data even in the absence of a request for deletion.

In cases where the data subject withdraws his Consent, but the controller wishes to continue processing personal data on another legal basis, he cannot silently move from the Consent (which is withdrawn) to another legal basis. Any change in the legal basis for processing should be brought to the attention of the data subject in accordance with the information requirements set forth in Articles 13 and 14 and with the principle of transparency.
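To show how the record-keeping described in section 5.1 and the consequences of withdrawal described in this section fit together, the following added example (Python, written for this edition and not code from the Guidelines or from WP29) keeps an append-only consent ledger: each purpose is tied to one legal basis and to the data elements it uses before collection starts, every consent or withdrawal is logged with the interface used and a hash of the notice shown, and on withdrawal the ledger reports which interfaces must offer withdrawal, which processing must stop, and which data elements may be deleted because no remaining basis covers them. The purposes, basis labels and data elements are constructed for the illustration.

```python
"""Consent ledger with purpose-to-legal-basis mapping.

Added example, not code from the WP29 guidelines. It keeps an append-only
record of when, through which interface and on the basis of which notice
each consent was given or withdrawn (Article 7(1)); fixes the legal basis
and data elements of every purpose before collection; and works out, when
consent is withdrawn, which processing must stop and which data elements
must be deleted because no other basis covers them (Article 7(3),
Article 17(1)(b)). Purpose names, basis labels and data elements are
constructed for the illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    action: str        # "given" or "withdrawn"
    channel: str       # interface used, e.g. "web", "app", "email"
    timestamp: float   # seconds since the epoch, supplied by the caller
    notice_hash: str   # SHA-256 of the exact text shown when consent was given


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []
        self._basis: Dict[str, str] = {}                 # purpose -> legal basis
        self._elements: Dict[str, FrozenSet[str]] = {}   # purpose -> data elements

    def declare_purpose(self, purpose: str, legal_basis: str,
                        data_elements: Iterable[str]) -> None:
        """Fix the basis and the data elements of a purpose before any collection."""
        self._basis[purpose] = legal_basis
        self._elements[purpose] = frozenset(data_elements)

    def record_consent(self, subject_id: str, purpose: str, channel: str,
                       notice_text: str, now: float) -> ConsentEvent:
        """Log a consent together with the evidence needed to demonstrate it."""
        if self._basis.get(purpose) != "consent":
            raise ValueError(f"purpose {purpose!r} is not based on consent")
        ev = ConsentEvent(subject_id, purpose, "given", channel, now,
                          hashlib.sha256(notice_text.encode("utf-8")).hexdigest())
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, channel: str,
                 now: float) -> ConsentEvent:
        """Log a withdrawal; earlier processing stays lawful, later processing must stop."""
        if not self.is_consent_active(subject_id, purpose):
            raise ValueError("no active consent to withdraw")
        ev = ConsentEvent(subject_id, purpose, "withdrawn", channel, now, "")
        self._events.append(ev)
        return ev

    def _last_event(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev
        return None

    def is_consent_active(self, subject_id: str, purpose: str) -> bool:
        ev = self._last_event(subject_id, purpose)
        return ev is not None and ev.action == "given"

    def withdrawal_channels(self, subject_id: str) -> Set[str]:
        """Interfaces through which the subject gave consent; each must offer withdrawal."""
        return {ev.channel for ev in self._events
                if ev.subject_id == subject_id and ev.action == "given"}

    def processing_allowed(self, subject_id: str, purpose: str) -> bool:
        basis = self._basis.get(purpose)
        if basis is None:
            return False      # no basis declared in advance: processing may not start
        if basis == "consent":
            return self.is_consent_active(subject_id, purpose)
        return True           # another Article 6 basis is unaffected by a withdrawal

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Everything the controller can show about this consent, in order."""
        return [ev for ev in self._events
                if ev.subject_id == subject_id and ev.purpose == purpose]

    def data_to_delete(self, subject_id: str) -> Set[str]:
        """Elements collected under a consent that was later withdrawn and that no
        purpose with a still-valid basis needs any more."""
        keep: Set[str] = set()
        drop: Set[str] = set()
        for purpose, elements in self._elements.items():
            if self.processing_allowed(subject_id, purpose):
                keep |= elements
            elif (self._basis[purpose] == "consent"
                  and self._last_event(subject_id, purpose) is not None):
                drop |= elements
        return drop - keep


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.declare_purpose("order_fulfilment", "contract", ["name", "address", "email"])
    ledger.declare_purpose("newsletter", "consent", ["email"])
    ledger.declare_purpose("profiling", "consent", ["email", "browsing_history"])
    ledger.record_consent("u1", "newsletter", "web", "Newsletter notice v1", 10.0)
    ledger.record_consent("u1", "profiling", "app", "Profiling notice v1", 11.0)
    ledger.withdraw("u1", "profiling", "app", 20.0)
    print(ledger.processing_allowed("u1", "profiling"))   # False
    print(ledger.data_to_delete("u1"))                      # {'browsing_history'}
```

The notice hash only identifies which version of the information the subject saw; to meet section 5.1 the controller still keeps the full text of every notice version alongside the ledger. Note that the e-mail address survives the withdrawal of both consents because the contract purpose still needs it, which is exactly the situation in which the controller may not silently rely on the contract for the newsletter: the ledger refuses to accept a consent for a purpose declared on another basis.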

6. Interaction of Consent with Other Legal Grounds in Article 6 of the GDPR


Article 6 establishes the conditions for the legitimate processing of personal data and describes six legal grounds on which the controller can rely. The application of one of these six grounds must be established before the start of processing and be relevant to the specific purpose.

It is important to note here that if the controller decides to rely on the Consent regarding any part of the processing, he should be prepared to terminate it if the person withdraws his Consent. Notification that the data is processed on the basis of the Consent, when in fact another legal basis is applied, is in principle unfair to the data subject.

In other words, the controller cannot replace the Consent with another legal basis. For example, it is not allowed to retrospectively use legitimate interests as a legal basis for legalizing processing if problems arise with the legality of the Consent. Taking into account the requirement to disclose the legal basis on which the controller relies on the collection of personal data, he is obliged to decide in advance which legal basis is applicable.

7. Special Provisions of GDPR


7.1. Children (Article 8)


Compared to the current Directive, the GDPR creates an additional level of protection where the personal data of vulnerable individuals, especially children, are processed. Article 8 introduces additional obligations to ensure an enhanced level of protection of children's personal data in relation to information services. The reasons for the enhanced protection are indicated in paragraph 38: “... since they may be less aware of the risks, consequences, guarantees and rights associated with the processing of personal data ...” Paragraph 38 also states that “Such special protection should, in particular, apply to the use of personal data of children for marketing purposes or to create personal (user) profiles, and to the collection of personal data related to children when they use services offered directly to a child.” The wording “in particular” indicates that the protection is not limited to marketing or profiling but covers the broader “collection of children's personal data”.

Article 8 (1) provides that where Consent is relied on to offer information services directly to a child, the processing of personal data is lawful if the child is at least 16 years old. If the child is under 16, such processing is lawful only if and to the extent that Consent is given by the holder of parental responsibility over the child. As regards the age threshold for Consent, the GDPR allows EU countries to set a lower threshold themselves, but it cannot be lower than 13 years.

As mentioned in section 3.1 with regard to informed Consent, the message must be clear to the audience the controller addresses, paying particular attention to the position of the child. In order to obtain the “informed Consent” of a child, the controller must explain in language that is simple and understandable to children how he intends to process the data collected. If a parent gives the Consent, an appropriate set of information may be required to allow the adult to make an informed decision.

It follows from the foregoing that Article 8 applies only if the following conditions are met:

  1. processing is related to the provision of information services directly to the child,
  2. processing is based on Consent.

7.1.1. Information Services


To determine the scope of the term “information service” in article 4 (25), the GDPR refers to Directive 2015/1535.

In assessing the scope of this definition, WP29 also refers to the case law of the European Court of Justice. The Court has held that information services cover contracts and other services that are concluded or transmitted online. Where a service has two economically independent components, the first of which is online (for example, an offer and its acceptance in connection with the conclusion of a contract, or information about products and services, including marketing), that component is regarded as an information service. The second component, being the physical delivery or distribution of goods, does not fall under the concept of an information service. The provision of an online service therefore falls within the definition of the term “information service” referred to in Article 8 of the GDPR.

7.1.2. Offered Directly to a Child


The inclusion of the phrase “offered directly to the child” indicates that Article 8 applies only to certain information services. If the information service provider makes it clear to potential users that it offers services only to people over 18 years of age, and this is not refuted by other evidence (for example, the content of the website or marketing plans), then such a service is not considered to be “offered directly to the child”, and Article 8 does not apply.

7.1.3. Age


The GDPR determines that “EU countries may legislatively provide for a lower age for these purposes, provided that such an age is not lower than 13 years.” The controller must be aware of local laws and take into account the community to whom he offers services. It should be especially noted that the controller offering the cross-border service may not always refer only to the norms in his jurisdiction, but he may also need to comply with the laws of each country where he offers information services. It depends on whether the country decides to rely on the jurisdiction of the controller or on the place of residence of the data subject. First of all, when making such a choice, all EU countries are obliged to take into account the interests of the child. The Working Group calls for an agreed decision on this issue.

If information services are provided to children on the basis of Consent, controllers are expected to take measures to make sure that the user has reached the minimum age of digital Consent, and these measures must be proportionate to the nature and risks of the processing.

If users state that they are older than the minimum age of digital Consent, the controller may carry out appropriate checks to verify this. Although the GDPR does not expressly require such checks, they are implicitly required, since the processing would become unlawful if a child gave Consent without being old enough to give valid Consent on his own behalf.

If the user claims that he has not reached the minimum age of digital Consent, then the controller may accept this statement without verification, but then the controller will need to obtain parental permission and verify that the person providing the Consent has parental rights.

Age verification should not lead to excessive data processing. The method chosen to verify the age of the data subject should be based on an assessment of the risks of the proposed processing. In low-risk situations it may be sufficient to ask for the year of birth or to have the user fill out a form stating whether he is a minor. In case of doubt, the controller should review the age verification methods and consider whether alternative checks are needed.

7.1.4. Children Consent and Parental Rights


The GDPR does not determine how parental Consent is to be obtained or how to establish who is entitled to give it. Therefore, WP29 recommends a proportionate approach in line with Articles 8 (2) and 5 (1) (c) of the GDPR (data minimisation). A proportionate approach consists in obtaining a limited amount of information, such as the contact details of a parent or guardian.

What is reasonable to verify that the user is old enough to provide their own Consent, and that the person providing the Consent of the child has parental rights, may depend on the processing risks and the technology available. In low-risk situations, email confirmation may be sufficient. In contrast, in high-risk situations, it may be appropriate to request additional evidence so that the controller can verify and store it in accordance with Article 7 (1) of the GDPR. Third-party verification services can offer solutions that minimize the amount of personal data that the controller must process itself.
Example 23

The example shows that the controller can demonstrate that reasonable efforts have been made to ensure that there is legal Consent for the services provided to the child. Article 8 (2) says that “the Controller, taking into account the available technological capabilities, must make reasonable efforts to make sure that the Consent was given by a person with parental rights in respect of the child, or was given with his approval.”

The controller must determine which measures are appropriate in a particular case. As a rule, controllers should avoid checks that lead to excessive collection of personal data.

WP29 recognises that there may be situations where verification is difficult (for example, when children who have given Consent have not yet left a “digital footprint”, or when parental responsibility is hard to verify). Such difficulties can be taken into account when determining what reasonable measures are, but controllers are expected to keep their processes and the available technologies under constant review.

Regarding the right of the subject to consent to the processing of personal data and to have full control over them, as soon as the data subject reaches the age of digital consent, the consent of the parent or guardian can be confirmed, changed or revoked. In practice, this means that if the child does not take any action, then the Consent to the processing given by the parent or guardian, granted before the age of digital Consent, will remain the legal basis for the processing. Upon reaching the age of digital Consent, the child may revoke the Consent in accordance with Article 7 (3). In accordance with the principles of fairness and transparency, the controller is required to inform the child of this possibility.

It is important to note that, in accordance with clause 38, the consent of the parent or guardian is not required for the preventive or counseling services offered directly to the child. For example, providing online child protection services does not require parental permission.

Finally, the GDPR provides that the rules on parental Consent in relation to minors do not affect “the general contract law of the EU countries, for example, the rules on the conclusion or performance of contracts in relation to a child”. Thus, the requirements for valid Consent to the use of children's data form part of a legal framework that must be considered separately from national contract law. For this reason, the Guide does not address the validity of online contracts concluded by minors. Both legal regimes may apply simultaneously, and the scope of the GDPR does not include the harmonisation of national contract law.

7.2. Scientific research


The definition of research objectives has a significant impact on the entire spectrum of data processing activities that the controller can carry out. The term “scientific research” is not defined in the GDPR. Paragraph 159 states: "... Within the framework of this Regulation, the processing of personal data for the purpose of scientific research should be interpreted broadly ...", however, WP29 believes that this concept cannot be wider than its general meaning, therefore, “scientific research” in this context means a research project created in accordance with industry methodological and ethical standards and best practices.

Where Consent is the legal basis for conducting research under the GDPR, it must be distinguished from other Consent requirements that serve as ethical standards or procedural obligations. An example of such a procedural obligation, where the processing is based not on Consent but on another legal basis, can be found in the Clinical Trials Regulation. In the context of data protection rights, this latter form of Consent may be regarded as an additional safeguard. At the same time, the GDPR does not limit the application of Article 6 to Consent alone for the processing of data for research purposes. As long as appropriate safeguards exist, such as the requirements of Article 89 (1), and the processing is fair, lawful, transparent and complies with data minimisation standards and individual rights, other legal bases may be available, such as Article 6 (1) (e) or (f). This also applies to special categories of data under the exception in Article 9 (2) (j).

Paragraph 33 seems to bring some flexibility to the degree of concretization and refinement of the Consent in the context of scientific research. It says: “It is often impossible to fully determine the purpose of the processing of personal data intended for scientific research at the time of data collection. Therefore, data subjects should be given the opportunity to give their consent to certain areas of scientific research, based on the conformity of their goals with recognized ethical standards of scientific research. Data subjects should be able to give their consent only in relation to certain areas of research or part of research projects in accordance with the intended purpose. ”

First, it should be noted that paragraph 33 does not cancel the obligation to require a specific Consent. This means that, in principle, research projects can include personal data on the basis of the Consent only if they have a well-described purpose. In cases where the goals of data processing in the framework of a research project cannot be determined at the beginning, paragraph 33 allows the exception that the goal can be described in a more general way.

Given the stringent conditions set out in Article 9 of the GDPR regarding the processing of special data categories, WP29 notes that in cases where special data categories are processed on the basis of explicit Consent, a flexible approach should be interpreted more strictly and require more careful study.

Considering the GDPR as a whole, it cannot be interpreted in such a way as to allow the controller to circumvent the key principle of determining the purposes for which the Consent of the data subject is requested. When research purposes cannot be fully defined, the controller should look for other ways to serve the essence of the Consent requirements as well as possible, for example by allowing data subjects to consent to the research purpose in more general terms and to the specific phases of the research project that are already known at the outset. As the research progresses, Consent to the next step may be obtained before it begins. However, such Consent must still be consistent with the ethical standards of scientific research.

In addition, in such cases, the controller may take additional precautions. For example, Article 89 (1) emphasizes the need for safeguards when processing data for scientific, historical or statistical purposes. These objectives “include guarantees of the rights and freedoms of the data subject.” Possible protection measures include minimization, anonymization and data security. Anonymization is preferred if the purpose of the study can be achieved without processing personal data.

Transparency is an additional safeguard when the circumstances of the research do not allow specific Consent. The lack of a specific purpose can be compensated by information on its evolution, regularly provided by controllers during the research project, so that over time the Consent becomes as specific as possible. In this way the data subject has at least a basic understanding of the situation, which makes it possible to assess whether, say, the right to withdraw Consent should be exercised in accordance with Article 7 (3).

In addition, making a comprehensive research plan available to data subjects before they give Consent can help to compensate for the lack of detail about the purpose. In such a research plan, the research questions and the methods of work should be defined as clearly as possible. A research plan can also help to comply with Article 7 (1), since controllers must show what information was available to data subjects at the time Consent was obtained in order to demonstrate that it is valid.

It is important to remember that when Consent is used as the legal basis for processing, the data subject must be able to withdraw it. WP29 notes that withdrawal of Consent may interfere with research that requires data from individuals, but the GDPR clearly states that Consent can be withdrawn, and controllers are required to act accordingly; there is no exception for scientific research. If the controller receives a request to withdraw Consent, he is obliged to delete the personal data immediately if he wishes to continue the research.

7.3. Data Subject Rights


If the data processing is based on the consent of the data subject, this affects the rights of that person. Data subjects are entitled to the portability of their data (Article 20). At the same time, the right to object (Article 21) does not apply if the processing is based on the Consent, even if the right to withdraw the Consent at any time gives the same result.

Articles 16 to 20 of the GDPR indicate that (when data processing is based on the Consent) data subjects have the right to delete data when the Consent is revoked, as well as the right to restrict, adjust and access them.

8. Consent obtained in accordance with Directive 95/46 / EC


Controllers that are already processing data on the basis of Consent under national legislation are not required, in preparing for the GDPR, to automatically renew all their relations with data subjects. Consent already obtained remains valid to the extent that it complies with the GDPR.

It is important that controllers examine their current processes and records in detail before 25 May 2018 in order to ensure that existing Consents comply with the GDPR (see paragraph 171 of the GDPR). The GDPR raises the standard for Consent mechanisms and introduces many new requirements that oblige controllers to change their Consent processes, not just rewrite their privacy policies.

For example, since the GDPR requires the controller to be able to demonstrate that valid Consent was obtained, any Consent that the controller cannot demonstrate will automatically fail to comply with the GDPR and must be replaced. Similarly, since the GDPR requires a “statement or clear affirmative action”, any Consent based on an indirect action of the data subject (for example, a pre-ticked check box) will also not comply with the GDPR.

Further, processes and systems may need to be revised in order to demonstrate that Consent was obtained, or to refine the choices offered to the data subject. In addition, it must be easy to withdraw Consent, and information must be provided on how to do so. If existing Consent management procedures do not meet the GDPR requirements, the controller must obtain new Consent that does.

On the other hand, since the condition of an informed Consent does not always require all the elements mentioned in Articles 13 and 14, the expanded obligations of the GDPR do not necessarily contradict the continuity of the Consent that was provided before the entry into force of the GDPR. There was no requirement in Directive 95/46 / EC to inform data subjects about the reasons for processing.

If the controller determines that the Consent obtained earlier under the old legislation no longer complies with the GDPR, then he is obliged to take measures to comply with it, for example, to update the Consent. In accordance with the GDPR, the substitution of one legal basis for another is unacceptable. If the controller cannot update the Consent, and cannot proceed to comply with the GDPR, processing the data on another legal basis, while ensuring that the processing continues in a fair and transparent manner, then the processing activity should be stopped. In any case, the controller is required to comply with the principles of legal, fair and transparent data processing.
