14. The use of consent for the purpose of data protection
14.1 This section highlights key issues that data controllers should be aware of and consider when using the Data Subject’s consent as legal grounds for the processing of Personal Data. For further information about the use of consent in the area of data protection, please contact the ODP.
Relying on consent for data protection compliance
14.2 Consent of the Data Subject is only one of several legal grounds that make the processing of Personal Data lawful. Although many data controllers view consent as the simplest route to compliance with their data protection obligations, it may not always be sufficient on its own. Having consent only ensures compliance with the requirement to process data fairly and lawfully. Data Controllers must still comply with the remaining data protection principles. This means that the Data Controllers will not be permitted to process Personal Data that are inaccurate or out of date, unnecessary, irrelevant or excessive for the specific purposes for which they were collected, even if the Data Subject had previously consented.
14.3 Additionally, Data Controllers may only rely on consent as grounds for lawful processing of Personal Data if the individual Data Subject has a genuine free choice and is subsequently able to withdraw the consent without detriment.
Definition of consent
14.4 To be valid in a data protection context, consent must be freely given, specific, informed, and unambiguous. The Data Subject must also signify his agreement to the processing of his Personal Data.
• Consent will only be deemed freely given if it is voluntary and if Data Subject is able to exercise a real choice, i.e. there is no risk of deception or coercion.
• Consent will only be deemed specific if it is given with respect to the type of Personal Data that is processed, and the exact purpose for which it is processed.
• Consent will only be deemed an informed consent if the Data Subject was given accurate and full information of all relevant issues in a clear and understandable manner. This should include the nature of the data processed, the purpose of the processing, the recipients of possible transfer, the right of the Data Subject, etc.
• Consent will only be deemed unambiguous if the procedure to seek and to give consent leaves no doubt that the Data Subject does in fact agree to that processing. Methods to obtain unambiguous consent include express statements by the Data Subject, online forms that include a visible tick box to be ticked by individuals who agree to their data being processed in a particular way that is explained on the online form or a documents to which that form links, express oral consent, etc.
Express or Explicit consent
14.5 Express or explicit consent encompasses all situations where individuals are presented with a proposal to agree or disagree to a particular use of disclosure of their personal information and they respond actively to the question orally or in writing, consent which is inferred or implied will not normally meet the requirement of explicit consent.
At what stage must consent be obtained?
14.6 As a general rule, the Data Controller must obtain consent before processing Personal Data, particularly if it is a pre-condition for lawful processing.
What happens When a Data Subject withdraws his consent?
14.7 The Data Subject’s withdrawal of consent has no retroactive effect, this means that it will not make previous data processing that was based on the original consent unlawful. However, a withdrawal should, in principle, prevent any future processing of the Data Subject’s data unless the processing can be justified by other legal grounds.