General Data Protection Regulation (GDPR) Series, Part #3: GDPR Consent and Fair Processing

by Robinson+Cole Data Privacy + Security Insider

[: Graf von Westphalen]

The General Data Protection Regulation (GDPR) (EU) 2016/679 of 27 April 2016 which comes into force in May 2018, will introduce major changes to the law on the processing of personal data in the European Union. Over the next several months, several European Union law firms we work very closely with will join us in providing you with more information on the GDPR. Different themes will be tackled month by month to help you prepare for the GDPR deadline.

Part 3 of this GDPR Series is brought to you by the German law firm of Graf von Westphalen. Other blog entries in this series will be brought to you by the law firms of Mills & Reeve (UK), FIDAL (France) and VanBenthem & Keulen (Netherlands) as well as Robinson+Cole (United States).

 Consent as a lawful basis for data-processing

Every data processing activity requires a lawful basis. Such lawful basis may be provided directly by law, or by consent granted by the data subject, both according to the statutory requirements set out in the Directive 95/46/EC and, importantly, national data protection laws. This general principle remains unchanged under the GDPR, however, the new Regulation provides for new or additional requirements for such consent to be a lawful basis for processing and transfer of personal data.

 Pre-requisites for valid consent – Fair processing notices

First, the GDPR requires that any consent of the data subject regarding the use of its personal data must be “freely given, specific, informed and unambiguous” and, in comparison to the Directive, it puts additional hurdles in front of the controller seeking consent: The consent must be specific to the respective data-processing action and therefore needs to be “clearly distinguishable” from any other matters that may be covered in the same document, Article 7 (2). And Article 7 (4) and Recital 43 make it clear that a consent is not given freely if the performance of a contract or provision of the service is made conditional upon such consent, or if there is “a clear imbalance between the data subject and the controller”. Further, Article 7 (3) requires that the data subject is given the right to withdraw its consent at any time and as easily as giving it, and the right to have their personal data erased and so removed from further processing, Article 17.

Second, these requirements come with the strict obligation of the controller to fully inform the data subject on the relevant issues and their rights before the consent is given. As already required under the Directive, the individual must be informed about the categories of personal data to be processed, the purposes and term of processing, the identity of the controller and any possible recipients of the data. The lack of transparent, complete and timely information would make the consent invalid.

Third, the GDPR requires the data subject to signal its consent by “a statement or clear affirmative action”. Thus, where under the Directive 95/46/EC controllers could rely on implicit or “opt-out” consent, the GDPR requires that the consent must be expressed “by a statement or by a clear affirmative action”, see Article 4 (11). As long as the individual’s consent is clearly indicated, such action might consist of “choosing technical settings for information society services” or “another statement or conduct”, including, e.g., ticking a box on a website, see Recital 32 of the Regulation. But, silence, inactivity, or pre-ticked boxes will no longer serve as valid consent by the data subject.

 Where explicit consent is one of the possible grounds for compliance

The GDPR extends the definition of special categories of personal data that are particularly sensitive “in relation to fundamental rights and freedoms” of the individual and require “specific protection”, see Article 9. Besides those already mentioned under the existing Directive, like information on racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, the GDPR in Article 4 also includes genetic data, biometric data, and data on the individual’s sexual orientation. The processing of those sensitive data in each case requires “explicit” consent, probably excluding consent by the individual’s conduct or use of technical settings.

The same will apply under the GDPR with regard to consent required from children. Article 8 sets out the default position that children may only give consent in relation to online services without parental authorization from the age of 16. However, the Regulation allows member states to deviate from that rule, as long as the minimum age is not below 13 years. Explicit consent may also be required where the controller plans to make decisions about the data subject based solely on automated processing, including profiling (Article 22) or where the personal data is transferred to countries which do not provide a level of protection assessed as adequate (Article 49).

 Burden of proof and administrative penalties

It goes without saying that the controller bears the burden of proof that the above requirements for a valid consent are complied with, and this may itself result in increased costs and administrative burdens for the controller. And the maximum fines for violations of these requirements range from €10 million to €20 million, or 4% of global turnover if greater.

 What has to be done to be compliant

The changes from Directive 95/46/EC to GDPR discussed in this article will mostly affect organizations that rely on the data subject’s consent as a lawful basis. (In many situations, of course, it will be more appropriate to rely on one of the alternative grounds for processing, such as legitimate interests.) They will have to thoroughly review the consent mechanisms they have in place to ensure that the information duties are fully complied with by valid fair processing notices, that the consent mechanisms are appropriate to the nature of the consent being sought, that consent is clearly “opt-in” and freely given even where the data subject is in a state of dependency, e.g. with employees, and that the consent can be withdrawn easily. Note that until detailed guidance is issued by the grouping of data regulators, WP29, it is unclear how far consent will be available at all within an employer/employee or similar relationship. Finally, consent given in the past might well not be compliant with the new requirements and the controller may therefore need to seek new consents, potentially resulting in considerable work load.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider

Robinson+Cole Data Privacy + Security Insider on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.