When the DSGVO applied on 25 May 2018, confusion and chaos broke out. Suddenly, everything that somehow has to do with personal data seems to be forbidden. The solution to all problems promises consent by the data subject, because this allows said data to be processed again. But is this the right way to go, or is it perhaps the wrong way to go?
First of all, back to the DSGVO. On one point, the panic might be true: In principle, it is forbidden to process personal data. "In principle" means that there are of course some exceptions that allow processing. For example, data may be processed if a contract (e.g. sales contract) is to be fulfilled, the law requires it (e.g. tax data) or there is a legitimate interest in the processing (e.g. website for self-presentation). Others are listed in Art. 6 para. 1 DSGVO. If you still cannot find an exception, consent remains as a last resort.
Typical cases for a necessary declaration of consent are, for example, the publication of employee photos on the website or in social media channels, processing of health data, disclosure to third parties, registration for the newsletter, inclusion of application documents in an applicant pool, but also website tracking, profiling and third-country transfer by Google Analytics.
First of all, consent must be given on a voluntary basis. This means that the data subject must have a genuine and free choice and no disadvantage may arise if consent is not given. This also means that it must not be made dependent on the fulfilment of a contract (so-called prohibition of tying). Furthermore, it must be given in an informed manner and by an unambiguous act.
Informed means that the consenting person must be informed transparently about who processes what data for what purpose and for how long, and whether it can be passed on to third parties. It also follows from this requirement that consent may only be given for the individual case, i.e. not in a blanket manner. Furthermore, the rights of data subjects, including the right of revocation at any time, and possible risks in case of transfer to a third country without sufficient data protection (see also EU-US Privacy Shield) must be described in the declaration of consent. All this must be done in easily understandable language.
The clear action lies in an active action by the data subject. This can be a verbal declaration or the ticking of a box, which can be freely chosen. It is important to note that these boxes must not be ticked in advance (opt-out), as the consent is then invalid.
Consent does not have to be given in writing. However, it is advisable to give written consent or to keep a record of the consent given electronically in order to prove it to the supervisory authority. Therefore, keep the declaration of consent at least as long as the data processing continues. How long you keep it after revocation by the data subject usually depends on the data sensitivity and cannot be answered in general terms.
Declarations of consent are always given voluntarily and can be revoked or also refused at any time without reason. This means that data processing may be stopped or not started immediately, as the prohibition on data processing comes into play again. Continuing or starting processing could then result in a fine.
In companies, voluntariness is a contentious issue. Due to the strong imbalance of the contracting parties, special care must be taken to ensure that the employee does not suffer any disadvantage. Therefore, always choose a legal basis other than consent, if possible. Many data processing operations can be carried out, for example, on the basis of a contract or a company agreement. These two reasons show why the declaration of consent should be the last resort.
Add a comment