7. Consent

Key definition

‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Overview

Firms are not likely to rely on consent as the lawful basis for processing most of the personal data processed in the context of the practice. Exceptions to this general rule may arise in relation to the firm’s marketing activities rather than the services of the firm.

How to obtain valid consent

The standard for valid consent under GDPR is described at Article 7 of the GDPR. In order for consent to be valid it must be:

  • presented in a manner which is clearly distinguishable from other matters,

  • in an intelligible and easily accessible form, and

  • using clear and plain language.

In addition, the data subject has the right to withdraw his or her consent at any time. It must be as easy to withdraw consent as to give it. The extent to which the provision of a service is conditional on consent relating to other matters is an important factor in deciding whether consent has been validly given.

It is important to note that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Recitals 32 and 42 of the GDPR give some further important context for valid consent. Pre-ticked boxes are not acceptable, nor is inactivity or silence. Each purpose for processing requires a separate consent (if consent is being relied upon). The data subject should be aware of the identity of the controller. Any request for consent must be clearly distinguishable from other matters. It would not be sufficient to obtain the consent through a terms and conditions document such as the firm’s letter of engagement where the consent issue is not clearly distinguished.

Records need to be kept to demonstrate valid consent has been obtained. This is not unlike the requirement to keep evidence of authorisation to send electronic commercial communications under the ePrivacy Regulations.

Parental consent will be required in order to process the personal data of children. The consent of children may require review and update as the child reaches majority and the firm should implement procedures to capture this, if required.

Resources

  • European Data Protection Board:

Consent checklist

  • Consider the requirements of consent.

  • Ensure your firm can respond to data subject rights relating to processing based on consent.

  • Update procedures to review and refresh consents.
