GDPR: Conditions applicable to consent and its exceptions

Consent is one of the six legal bases set out in the General Data Protection Regulation (GDPR); this was the whole point of a previous blog post. It's important to point out that consent was already enshrined in the 1978 Data Protection Act. The GDPR simply reinforced this consent as well as its conditions of validity. [1]

Understanding consent

Article 4 of the GDPR defines consent as: "any manifestation of free, specific, informed and unambiguous will by which the data subject accepts, by a declaration or by a clear positive act, that personal data relating to him or her may be processed".

In other words, for consent to be considered valid, it must meet 4 cumulative criteria:

• Consent must be free, given without coercion or influence. This means that the data subject's choice (whether or not to consent to the processing of his/her personal data) cannot affect his/her relationship with the company.
  

• Consent must be specific. This means that consent must be sought for a specific purpose. It is therefore not possible to request a single consent for a multitude of processing purposes. Where there are several purposes for processing, several consents must be requested for each one. In this way, the data subject must be able to consent to certain data processing operations, and refuse others in a straightforward manner.
  

• Consent must be informed, i.e. it must be accompanied by a range of information (serving as proof of transparency) such as: the identity of the data controller, the purposes pursued, the categories of data collected, the existence of a right to withdraw consent. It is also necessary to specify whether personal data are used in the context of automated individual decisions, or whether they are transferred to a country outside the European Union.
  

• Finally, consent must be univocal: no tacit or passive consent is permitted. Consent must be signified by a positive act on the part of the data subject (e.g. clicking on a link, checking a box, etc. to signify consent).
  

Any change in the conditions under which data processing is carried out can affect the validity of consent, obliging the data controller to ask for it again.

The consent intended by the GDPR must therefore enable data subjects to understand as well as possible the use that will be made of their data, to choose without constraint, whether or not to accept data processing, as well as to change their minds freely.

Some examples of situations requiring consent

It's important to remember that consent is one of the two legal bases on which data processing can be justified: consent isn't necessary all the time and for all data processing!

In the case of subscription to a service, for example, the legal basis is not consent, but the performance of a contract. Find out more about the six legal grounds for data processing right here.

Other approaches, on the other hand, require consent every time:

All commercial canvassing, for example, requires the consent of the persons concerned. Article l.34-5 of the French Post and Electronic Communications Code requires prior consent for all automated e-mail canvassing of BtoC customers. An exception is made for canvassing of existing customers, when the aim is to offer them similar products or services. However, even in this case, the company must still make it easy for the person concerned to oppose such solicitations (with a link to click, preferences to modify, a message to send, etc.).

Consent is not required for BtoB commercial canvassing. However, it is still necessary to inform the persons concerned of the use made of their personal data, and to allow them to object simply and free of charge to any commercial canvassing!

Online trackers and cookies are also a parameter requiring the consent of the person concerned! Trackers and cookies are tools that enable us to follow the interactions of Internet users on our site: from the identification of the Internet user, to the tracking of his or her movements on the site's pages. Such tracking poses a problem in terms of privacy protection, which is why Article 82 of the French Data Protection Act requires the consent of the persons concerned. The only cookies that do not require consent are functional cookies, which are absolutely essential to the proper functioning of a website. However, when your site uses audience measurement cookies or marketing cookies, the latter must obtain the consent of the persons concerned in order to be loaded!

However, some audience measurement tools have been developed to enable these statistics to be tracked 100% anonymously (i.e., no analysis cookies are deposited), enabling website publishers to obtain information about the behavior of visitors to their site, but without having to ask for the consent of the individuals concerned (since the latter are no longer identifiable, it is no longer a question of personal data!) This is the case with Beyable Analytics, for example.

The transfer of an image right, subscription to a newsletter, etc. are all cases in which consent must be obtained.

Keep proof of consent

The data controller must be able to provide evidence of consent from the data subjects involved in the data processing carried out. The latter must be able to demonstrate that consent has indeed met each of the cumulative conditions required by Article 4 of the GDPR (namely that it was free, specific, informed and unambiguous). For example, in the context of a newsletter subscription:

• Data subjects must be informed of the purposes of data processing and the nature of the data processed. This information is provided by means of a prominent text (informed consent).
  

• Subscribing to a newsletter does not have to be compulsory (the person concerned can also have signed a contract with the company and refuse to be subscribed to the newsletter) (free consent).
  

• The person concerned gives his/her consent to receive the newsletter presented (and not the potential newsletter to be created next year) (specific consent).
  

• The person concerned gives their consent through a deliberate positive action: they check a box (unchecked by default) in the contact form, and then validate their subscription by clicking on a link received by email (univocal consent).

The data controller must therefore be able to prove that the mechanisms for collecting consent comply with the requirements of the GDPR, and must be able to trace the consents collected. It is entirely possible for the data controller to keep a consent register grouping together the various consents collected. for newsletter subscription requests,

It is necessary to keep users' consent choices for the duration of the site's navigation, as recommended by the CNIL. On the other hand, it is difficult to keep proof of consent for analysis or marketing cookies.

To give an example, companies often call on third parties (sometimes non-compliant with respect to the GDPR), and despite the presence of a clause in the terms and conditions of use or terms and conditions of sale that commits one of the parties to collecting valid consent on behalf of the other party, this clause is insufficient for the CNIL. It needs to be supplemented to specify that the third party collecting the consent must also provide the other party with proof of consent, so that any data controller wishing to rely on it can actually do so. In practice, however, this is very difficult to achieve.

A clear, comprehensible and easily accessible request for consent

The second paragraph of Article 7 of the GDPR clarifies that for each request for consent, and in the event that a single written declaration encompasses several data processing operations with different purposes, consent must then be requested for each of the data processing operations and separately.

When collecting consent using a checkbox, it is forbidden to leave this box ticked by default (otherwise consent would no longer be unambiguous), and it is also forbidden to set this box as compulsory (otherwise consent would no longer be free). Thus, the absence of a response can certainly not be considered as an expression of consent.

The GDPR also insists in this article that consent cannot be subordinated to a contract or general conditions of use. If subordination exists, this will presume that the freedom criterion has not been met. [2]

This issue of gathering consent, addressed in the Data Protection Act, has not only been strengthened thanks to the GDPR, but also supports the principles of loyalty and transparency sought by the GDPR.

Withdrawing consent

"It must be as easy to withdraw consent as to give it" [3].

It is important to understand that a data subject's consent is a reversible decision. The data subject is free to give and withdraw consent at any time, easily, quickly and without constraint. It is important to understand that if the data subject withdraws his or her consent, this does not invalidate the lawfulness of the processing. If it is ever difficult for a data subject to withdraw consent, then consent is not the appropriate legal basis.

For example, in the case of withdrawal of image rights, we need to consider the feasibility and consequences of withdrawing consent. Once the person concerned has withdrawn his or her consent to the use of his or her images, the images concerned will no longer be used in the future, but what about images that have already been used? So, withdrawing consent is not retroactive: the data concerned will no longer be used in the future, but the uses that were made of this data when consent was given cannot be undone!

Specific exceptions to consent

According to Article 8 of the GDPR "Where the child is under the age of 16, such processing is lawful only if and insofar as consent is given or authorized by the holder of parental responsibility for the child.". Thus, a minor can only give consent to the processing of his or her personal data if he or she is at least 16 years old. Article 8 specifically targets social networks, applications and websites.

The GDPR has given Member States the option of providing for a lower age of consent for minors: 13. In France, the age retained is 15 for minors. This means that from the age of 15, minors can consent themselves to the processing of their personal data (by subscribing to a newsletter, creating an account on social networks, etc). Under the age of 15, data controllers must obtain the joint consent of the child and the person with parental authority. These provisions do not affect general contract law: you need to be of legal age to sign a contract.

This exception concerning the validity of children's consent can pose problems, as the validity of consent can vary from one state to another. Indeed, the harmonization sought at European level is made difficult by the flexibility granted to member states. They are free to choose the legal age of consent. Certain contradictions can also make it difficult to collect consent effectively: what happens if one parent agrees to the processing of his or her child's personal data, but the other parent objects?

We can therefore see from all the different aspects of consent that it is an important axis in the implementation of the GDPR, and in some cases, ensuring the withdrawal of consent is no mean feat! Consent is, once again, a concept that is far from new. And while it may seem basic, it nevertheless needs to be managed by professionals for a compliant and correct application of GDPR principles.

Sources :

[1] "GDPR explained line by line (Articles 1 to 23)", by Marc Rees, on February 21th, 2818.

[2] Article 7 of GDPR. [3] "GDPR compliance : how to collect people's consent?", by la CNIL, on August 3rd, 2018.

Related blog posts:

• "GDPR: purpose and objectives"

• "GDPR : who is concerned?"

• "The GDPR and the principles relating to the processing of personal data"

• "Legality of personal data processing: the different legal bases"

• "Register of personal data processing: what does the CNIL say?"

Did you enjoy this blog post?

Find more content related to cybersecurity and GDPR regulatory compliance on the CyberSecura blog!

Find out more about our outsourced timeshare DPO services!

We need your answers!

By completing this survey, you are helping us to better understand your interactions with our site and your potential needs.

Your answers are anonymous, and unless you ask to be contacted again by our teams, no personal information is requested!

Thank you for your responses!

Would you like to be informed of our news and receive our latest blog articles directly in your mailbox? Subscribe to our monthly newsletter!

Would you like to discuss your difficulties, your needs, our offers? Ask to be contacted, free of charge and without obligation, by one of our cybersecurity experts!