Tuesday, 5 December 2017

GDPR - Lawfulness of Processing and Consent

Jane Lambert

Yesterday I gave a talk on the GDPR to some 132 local authority personnel. The audience included the chief executive, heads of service, in-house legal advisers and managers and officials of all the council's departments. There were so many that the council chamber was the only room big enough to hold us all. Some knew a lot about data protection in general and the GDPR in particular. Others wanted some basic information and it was for them that I wrote my Introduction to the GDPR and How the GDPR works.

"You've got them for two hours" said the head of legal before the talk, "tell them a few jokes to stop them falling asleep." As all my clean jokes are about Yorkshire and Yorkshire folk, I thought about telling them how the first Yorkshire pudding was made which, incidentally, was once made into a lovely dance by Jonathan Watkins for Northern Ballet (see Sapphire 15 March 2015 Terpsichore). However, we never got that far as the audience turned out to be quite lively and talkative. What they wanted to talk about most was the legality of processing and consent.

To recap, I wrote on Sunday in How the GDPR works that there are 6 GDPR principles (or 7 if you include "accountability") that are set out in art 5 of the regulation. The first of these is the "lawfulness, fairness and transparency" principle which is as follows:
"Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);"
Art 6 (1) sets out the circumstances in which data can be lawfully processed:
"Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks."
The audience knew that processing could be justified by "consent" but did such consent have to be in writing and was it necessary to ask members of the public who had already given their consent for a particular purpose (say a mailing list for a newsletter about tourist attractions) for their consent again just to comply with the GDPR?

Well, paragraph (32) of the recitals assists here:
"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."
So consent does not have to be written and signed but, if it is given orally, it does need to be recorded because art 7 (1) requires data controllers to be able to demonstrate that the data subject has consented to processing of his or her personal data. In answer to the other question, there is nothing in the GDPR that requires data controllers to mither their data subjects for confirmation of consent that they have already given for a specific purpose so long as the consent that they already have is genuine, informed and freely given.

A few other points to remember:

  • Art 6 (1) (a) requires consent to be given for one or more specific purposes. Data subjects must know exactly and precisely what they are consenting to.
  • If a data subject's consent is given in the context of a written declaration which also concerns other matters, art 7 (2) requires any request for such consent to be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
  • Art 7 (4) provides that "utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract" when assessing whether consent is freely given.
Readers should also remember that other rules in relation to consent apply in relation to children and young people and particularly sensitive categories of data which I shall discuss in future articles. In the meantime, if you have any questions in relation to consent, lawful processing, the GDPR or data protection generally, call me on 020 7404 5252 during office hours or send me a message through my contact form.

Further Reading

  • NIPC Data Protection, 1 Dec 2017
  • NIPC Data Protection, 11 Aug 2017
