Last but not least, consent must be unambiguous, which means it requires either a statement or a clear affirmative act. There must always be a clear distinction between the information needed for the informed consent and information about other contractual matters. If the consent should legitimise the processing of special categories of personal data, the information for the data subject must expressly refer to this. The consent must be bound to one or several specified purposes which must then be sufficiently explained. Where relevant, the controller also has to inform about the use of the data for automated decision-making, the possible risks of data transfers due to absence of an adequacy decision or other appropriate safeguards. The withdrawal must be as easy as giving consent. The data subject must also be informed about his or her right to withdraw consent anytime. Thus, the performance of a contract may not be made dependent upon the consent to process further personal data, which is not needed for the performance of that contract.įor consent to be informed and specific, the data subject must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations as a safeguard against ‘function creep’. In addition, a so-called “coupling prohibition” or “prohibition of coupling or tying” applies. For example, in an employer-employee relationship: The employee may worry that his refusal to consent may have severe negative consequences on his employment relationship, thus consent can only be a lawful basis for processing in a few exceptional circumstances. In doing so, the legal text takes a certain imbalance between the controller and the data subject into consideration. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid. The element “free” implies a real choice by the data subject. In order to obtain freely given consent, it must be given on a voluntary basis. Consent must be freely given, specific, informed and unambiguous. The basic requirements for the effectiveness of a valid legal consent are defined in Article 7 and specified further in recital 32 of the GDPR. The others are: contract, legal obligations, vital interests of the data subject, public interest and legitimate interest as stated in Article 6(1) GDPR. While being one of the more well-known legal bases for processing personal data, consent is only one of six bases mentioned in the General Data Protection Regulation (GDPR). Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |