Know it, know your rights
Among the many changes introduced by the GDPR, several refer to the concept of consent. Organizations must modify some of their practices and formulate their requests according to new rules in order to be compliant. Here is what you need to know about it.
Consent is one of the six legal bases on which an organization can rely for processing personal data. The five others are:
- the existence of a contract,
- respect of legal obligations,
- vital interests of the data subject,
- exercise of public interest,
- legitimate interest of the organization.
Consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The GDPR brings a moral aspect to the regular legal definition of consent, which only involves your approval, by adding the principles of choice (the right, power, or opportunity to choose) and freedom, which are fundamental for the consent to be valid.
Important point: the burden of proof lies with the company, which has the duty to demonstrate that it has collected valid consent from you. In case of dispute, it is not your task to prove the absence of valid consent.
Free to choose and to change your mind
Your freedom is particularly characterized by your capacity to act according to your own will, to make your own choices without external constraint.
It firstly means that you must be autonomous and over the age of “digital majority” set by each Member State. It has been set at 15 years old in France. Below this age, consent must be collected from the holder of parental authority.
It also means that in order to be given freely, and thus be valid, your consent must be given without any influence or pressure. Therefore, an organization cannot:
- choose to process personal data on a consent basis if there is an imbalance of power between it and you, typically when it is a public authority, or when there is a relationship of subordination such as with your employer;
- include a consent request in a contract or general terms and conditions when it is not necessary;
- make you suffer detriment or negative consequences if you refuse or withdraw consent, for example by offering a free service if you consent to a commercial exploitation of your data, but making you pay for the same service if you refuse.
When collecting your consent, the organization must also inform you of your complete freedom of choice.
And your choice can be revised at any time. You can change your mind whenever you want, without providing any reason. So, whenever you have given your consent for processing that uses your personal data, you must be provided with the means to withdraw it as simply as you gave it.
Be properly informed to decide
Your consent is only valid if you give it with all the appropriate information to accurately assess its consequences and make the right decision. A lack of information or the use of ambiguous terms by organizations which are collecting your consent may render it invalid. You can choose what is right for you only with clear, honest and detailed information.
Your consent does not only relate to the nature of the personal data that you authorize an organization to use, but also to the purpose of the processing it intends to perform. For example, you can authorize a company to use your email address to send you direct business offers, but refuse to let this company share the same email address with other partners for other business offers.
A clear and unambiguous act
Your consent must be collected through a clear act to be valid. In other words, a company can no longer obtain it by using a pre-ticked box, or by inferring it from your inaction.
In some cases, this process is even reinforced by the need for explicit consent, which means you must give an express statement of consent, for example:
- for the processing of “sensitive” data, such as your opinions or beliefs, your health data, or your sexual preferences;
- if an organization is transferring data to a third party (except in the case of legal obligation or if that third party is a subcontractor of the organization, in which cases you have other protections);
- for profiling, in other words when your data is analyzed to predict your behavior, to analyze your habits or anticipate your next actions. Such processing is based on automated algorithms.
Consent therefore involves total freedom: a free choice, made by an independent and informed person in a transparent and honest way. It cannot be valid if it is collected under constraint, because of incomplete or false information, or from a non-autonomous individual.
To find out which companies process your personal data on the legal basis of consent, you can easily exercise your right of access to your data by using the free Fair&Smart application.