INTRO

HOW TO REQUEST CONSENT UNDER THE GDPR?

The European Union General Data Protection Regulation (or GDPR) has been declared to be the most important change in data privacy regulation in 20 years. It becomes fully enforceable throughout the European Union in May 2018, after a two-year post-adoption grace period.
The enhanced requirements for obtaining consent from the data subject are one of the main changes introduced by the new regulation. The GDPR replaces the Data Protection Directive 95/46/EC by adding more layers to the definition of consent, and by specifying a series of conditions in order to provide more protection to personal data.
The organizations processing personal data are only acting within the law if they comply with what the GDPR defines as a lawful basis – consent is a key method to make data collection and processing lawful. Without a lawful basis, the processing of personal data is unlawful, and controllers and processors are at risk of receiving a substantial fine!
Any processor using or holding personal data of data subjects who are in the European Union should also be subject to this regulation, even if the processor is not located in the Union.

KEY CONCEPTS

WHAT IS

Article 4 of the Regulation states that consent from the data subject means:

“… any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

DEFINITIONS

Data Subject:

An identified or identifiable natural person (one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).

Controller:

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor:

The natural or legal person, public authority, agency or other body, which processes personal data on behalf of the controller.

Extras

Data subjects hold the right to withdraw consent at any time, and it shall be as easy to withdraw consent at any time as to give it.

Consent could be given by a written statement (including by electronic means), or an oral statement. Regardless of the form, the controller must be able to demonstrate that it has received consent.

Consent must be easily distinguishable from other matters. This is particularly important when consent is given in the context of a written declaration which also concerns other matters (i.e. Terms of Service).

A controller can’t make a service conditional upon consent, except if the processing is necessary for the service.

Consent must be explicit, rather than merely unambiguous, for the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

ADVOCACY ACTIONS

Eticas Foundation advocates for SPECIFIC, INFORMED and UNAMBIGUOUS user consent request FREELY GIVEN BY A STATEMENT.
