Focus on a key concept: consent
Understanding it better to know your rights and possibilities
Among the many changes introduced by the GDPR, several concern the notion of consent. In order to comply, organisations must change some of their practices and formulate their requests according to very specific rules. Here is what you need to know.
Consent is one of the six legal grounds on which an organisation can process your personal data. The other five are: the existence of a contract, compliance with a legal obligation, safeguarding your vital interests, the exercise of official authority, and the legitimate interest of that organisation.
Consent is defined as “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject signifies his or her agreement to personal data being processed by means of a declaration or a clear positive act”.
The GDPR brings a moral dimension to the classic legal definition of consent, which involves only your approval: it adds the principles of choice (the fact that you exercise your judgement carefully) and freedom, which become its main parameters of validity. Importantly, it is up to the company to be able to demonstrate that it has obtained valid consent from you. In the event of a dispute, it is not up to you to prove the absence of consent.
Freedom to choose and change your mind
Your freedom is characterised in particular by your ability to act according to your own will, to make your own choices, without external constraint. This means on the one hand that you must be autonomous and of age to give valid consent. In France, digital majority has been set at 15 years. For minors under 15, it is therefore up to their legal representatives to decide.
This also means that in order to be free, and thus valid, your consent must be obtained without you having been influenced or pressured. An organisation cannot therefore: choose to carry out processing on the basis of consent if there is a clear imbalance between it and you, typically when it is a public authority, or when there is a relationship of subordination such as with your employer; incorporate a request for consent into a contract or terms and conditions when it is not necessary; or penalise you for refusing or withdrawing consent, for example by offering a service that is free of charge if you consent to commercial exploitation of your data but charged for if you refuse.
When collecting your consent, the organisation must also inform you of your full freedom of choice. Your choice can be reviewed at any time: you can change your mind without having to justify it. So, whenever you have given your consent to a processing operation using your personal data, you must be provided with the means to withdraw it as easily as you gave it.
Be properly informed to decide
Your consent is only valid if you give it in full knowledge of the facts, so that you can assess its consequences and make the right decision. A lack of information or ambiguous wording from the organisations collecting your consent can render it invalid. It is only through clear, sincere and detailed information that you can choose what is really right for you. Your consent is not only about what personal data you allow an organisation to use, but also about the purpose of the processing they intend to carry out. For example, you can give your consent for a company to use your email address to send you direct marketing offers, but refuse to allow them to share your email address with other partners for other offers.
A clear and unambiguous act
For your consent to be valid, it must be obtained through a clear act. In other words, a company can no longer obtain it by using a pre-checked box, or infer it from your inaction.
In some cases, this process is even reinforced by the need for explicit consent, i.e. you must clearly formulate it. This is the case, for example, when processing ‘sensitive’ data, such as your opinions or beliefs, your health data or your sexual orientation; when transferring data to a third party (except where this is a legal obligation, or where the third party is a subcontractor of the original company, in which case you benefit from other protections); and for profiling, i.e. when your data is analysed to predict your behaviour, analyse your habits and anticipate your next actions. This processing is based on the use of automated algorithms.
Consent therefore implies complete freedom: a free choice, made by an autonomous person and informed in a transparent and honest manner. It cannot be valid if it is obtained under duress, as a result of concealed or misleading information, or from an individual who is not autonomous in terms of decision-making.
To find out which companies process your personal data on the basis of consent, you can easily exercise your right of access to your data through the free Myfairdata application.