Declaration of consent under the GDPR (DSGVO): What you need to bear in mind

Björn Holeschak, Head of Data Protection, EIKONA Systems GmbH

When the GDPR became applicable on 25 May 2018, confusion and chaos broke out. Suddenly, everything that had anything to do with personal data seemed to be forbidden. Consent by the data subject promises to solve all these problems, because it allows the data to be processed again. But is this the right way to go, or perhaps the wrong one?

Why is a consent form necessary at all?

First of all, back to the GDPR. On one point, the panic may be justified: in principle, it is forbidden to process personal data. "In principle" means that there are of course some exceptions that allow processing. For example, data may be processed if a contract (e.g. a sales contract) is to be fulfilled, if the law requires it (e.g. tax data) or if there is a legitimate interest in the processing (e.g. a website for self-presentation). Further exceptions are listed in Art. 6 para. 1 GDPR. If you still cannot find an exception, consent remains as a last resort.

Typical cases for a necessary declaration of consent are, for example, the publication of employee photos on the website or in social media channels, processing of health data, disclosure to third parties, registration for the newsletter, inclusion of application documents in an applicant pool, but also website tracking, profiling and third-country transfer by Google Analytics.

How must a declaration of consent be drafted?

First of all, consent must be given on a voluntary basis. This means that the data subject must have a genuine and free choice and no disadvantage may arise if consent is not given. This also means that it must not be made dependent on the fulfilment of a contract (so-called prohibition of tying). Furthermore, it must be given in an informed manner and by an unambiguous act.

Informed means that the consenting person must be informed transparently about who processes what data for what purpose and for how long, and whether it can be passed on to third parties. It also follows from this requirement that consent may only be given for the individual case, i.e. not in a blanket manner. Furthermore, the rights of data subjects, including the right of revocation at any time, and possible risks in case of transfer to a third country without sufficient data protection (see also EU-US Privacy Shield) must be described in the declaration of consent. All this must be done in easily understandable language.

The unambiguous act consists of an active step by the data subject. This can be a verbal declaration or the ticking of a box, which the data subject can freely choose to tick. It is important to note that these boxes must not be ticked in advance (opt-out), as the consent is then invalid.

Consent does not have to be given in writing. However, it is advisable to obtain written consent, or to keep an electronic record of the consent given, in order to be able to prove it to the supervisory authority. Therefore, keep the declaration of consent at least as long as the data processing continues. How long you keep it after revocation by the data subject usually depends on the sensitivity of the data and cannot be answered in general terms.

Why should the declaration of consent be the last resort?

Declarations of consent are always given voluntarily and can be refused, or revoked at any time, without giving a reason. This means that data processing may have to be stopped immediately, or not be started at all, because the prohibition on data processing applies again. Continuing or starting processing could then result in a fine.

In companies, voluntariness is a contentious issue. Because of the strong imbalance between the contracting parties, special care must be taken to ensure that the employee does not suffer any disadvantage. Therefore, always choose a legal basis other than consent if possible. Many data processing operations can be carried out, for example, on the basis of a contract or a company agreement. These two reasons show why the declaration of consent should be the last resort.

Björn Holeschak
Team Lead, Data Protection

Drawing on his profound data protection expertise, he tackles data protection challenges with renewed vigor every single day. He understands the dangers and stumbling blocks in intimate detail and gives customers practical advice.
