Article 7 GDPR: Difference between revisions
Line 224: | Line 224: | ||
First, it should be "distinguishable" from other statements. In data protection terms, this translates into a statement which clearly authorizes the controller to carry out a specific processing operation. Therefore, the request for consent "''should be highlighted by being placed in a frame or printed in a different font or colour - to name just a few options. The requirement is aimed at stopping the common practice whereby businesses include the text for consenting to processing of personal data in the fine print of agreements"''.<ref>''Kosta'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 7 GDPR, p. 350 (Oxford University Press 2020).</ref> | First, it should be "distinguishable" from other statements. In data protection terms, this translates into a statement which clearly authorizes the controller to carry out a specific processing operation. Therefore, the request for consent "''should be highlighted by being placed in a frame or printed in a different font or colour - to name just a few options. The requirement is aimed at stopping the common practice whereby businesses include the text for consenting to processing of personal data in the fine print of agreements"''.<ref>''Kosta'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 7 GDPR, p. 350 (Oxford University Press 2020).</ref> | ||
Second, | Second, a request for consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language. This means that even users with poor reading skills due to a low level of education or lack of language skills should understand the text and consciously express their consent.<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 80 (Beck, 2nd edition 2018) (accessed 29 April 2021).</ref> It follows that if the data subject is not able to grasp the meaning of their declaration, the controller must provide further clarification.<ref>''Stemmer'', in BeckOK DatenschutzR, Article 7 GDPR, margin number 63 (Beck 2020, 36th ed.) (accessed 3 November 2021).</ref> Further, under Recital 42 and "''in accordance with Council Directive 93/13/EEC''" (the Unfair Contract Terms Directive or "UCTD"), the request must not contain unfair terms.<ref>However, according to ''Kosta'', the the reference to the UCTD in the recital is "problematic" because "[w]''hether and under which conditions a contract is formed'' [...] ''is an issue of national law and the answers to these questions differ significantly between civil law and common law countries''". See, ''Kosta'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 7 GDPR, p. 350 (Oxford University Press 2020).</ref> | ||
==== Failure to Meet the Requirements ==== | ==== Failure to Meet the Requirements ==== |
Revision as of 12:59, 3 November 2021
Legal Text
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Relevant Recitals
Commentary on Article 7
Article 7 GDPR regulates the "conditions for consent". It specifies the definition of consent set out in Article 4(11) GDPR and, by integrating Article 6(1)(a) GDPR, contributes in defining what legal requirements a valid consent should have. The provision also places the burden of proof on the controller for the existence of consent.
(1) Obligation to Provide Proof of Consent
Under Article 7(1) GDPR, the controller must demonstrate to have obtained a valid consent, including whether it was informed, freely given, unambiguous and specific. Scholars have convincingly noted that Article 7(1) does not provide for another consent requirement (say, "demonstrability") but rather creates a distribution of risks during a possible legal procedure. If, for example, the existence of an effective consent is disputed and the controller cannot provide evidence of this, it can be assumed that there is no consent.[1]
Since consent can be given through a "clear, affirmative act" (see Recital 32 GDPR) in the form of a written, electronic or oral declaration, data controllers are free with regard to the specific form of providing this evidence[2]. However, in practice, they will likely "need to keep a registry of acquired consents, as they will need to be able to demonstrate that consent has been obtained in situations where the data subject questions her or his provision of consent. In online environments, the consent provided should be logged". [3]
The elements contained in such registry may vary depending on the complexity of the processing. For instance, since pre-ticked boxes have been declared not unambiguous and therefore unlawful [4], controllers may need to implement consent confirmation systems that can demonstrate the clear intention of the user. An example could be the sending of an email to the data subject requiring him or her to click on a confirmation button (double opt-in). Once the user provides the confirmation, the associated token may be stored in the consent registry for future evidence purposes.[5]
(2) Consent Request in the Context of a Written Declaration
Article 7(2) applies when the communication between data subject and controller takes place in written form and it concerns other matters. In this case, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters. The provision ensures that the consent request is given appropriate prominence so to reduce the risk of consent being inadvertently given. To do so, Article 7(2) GDPR establishes layout and transparency requirements.
In the Context of a Written Declaration concerning other Matters
For the provision to apply, the communication between data subject and controller must meet two requirements. First, it must take occur in written form and, second, it must concern other matters. The provision does not apply in other cases.
The "written form" requirement is to be interpreted broadly. The electronic form is therefore at least also covered by this provision. Since data protection law is particularly important in a digital context and the legislator aimed to provide comprehensive protection for those affected, the provision can also be used in digital legal transactions.[6]
The communication must concern other matters. That is the case, for instance, of complex legal documents dealing with different types of processing and requiring different legal basis for each of them. If any of these processing activities relies upon consent, then the provision applies.
Request for Consent: Requirements
Historically, consent has been interpreted as the action through which subject "A" authorises subject "B" to perform a certain action "C". If the limits of the authorisation are unclear, the consent cannot be valid. For this reason, Recital 42 stipulates that where consent is given as part of a written declaration concerning other matters, safeguards should be provided to ensure that the data subject is aware of the meaning of their actions.
Article 7(2) provides for such safeguards and requires that the request for consent shall be (i) presented in a manner which is clearly distinguishable from the other matters and (ii) formulated in an intelligible and easily accessible way, using clear and plain language.
First, it should be "distinguishable" from other statements. In data protection terms, this translates into a statement which clearly authorizes the controller to carry out a specific processing operation. Therefore, the request for consent "should be highlighted by being placed in a frame or printed in a different font or colour - to name just a few options. The requirement is aimed at stopping the common practice whereby businesses include the text for consenting to processing of personal data in the fine print of agreements".[7]
Second, a request for consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language. This means that even users with poor reading skills due to a low level of education or lack of language skills should understand the text and consciously express their consent.[8] It follows that if the data subject is not able to grasp the meaning of their declaration, the controller must provide further clarification.[9] Further, under Recital 42 and "in accordance with Council Directive 93/13/EEC" (the Unfair Contract Terms Directive or "UCTD"), the request must not contain unfair terms.[10]
Failure to Meet the Requirements
If any part of the statement (provided by the controller to the data subject) does not meet the above-mentioned requirements or anyway "constitutes an infringement of this Regulation [it] shall not be binding". In data protection terms, this may easily translate into a violation of the lawfulness principle (the claimed legal basis is not present, see Articles 5(1)(a) and 6(1)(a) GDPR) and should bring to the immediate deletion of all the data collected.[11]
(3) Right to Withdraw Consent
Data subjects can withdraw their consent at any time and should be made aware of this right before granting consent. Withdrawal should be as easy as giving it; however, the withdrawal will not retroactively affect any processing based on the consent prior to its withdrawal.
Requirements for the Withdrawal
Article 7(3) GDPR clarifies that the withdrawal of consent must be as simple as the granting of consent. In the case of electronic declarations, revocation should be enabled via the same tool used to provide the consent.[12] In this perspective, a technical challenge could be the development of an appropriate revocation environment, especially if the person concerned does not have a user account through which they can adjust the privacy settings.[13]
Consequences of Withdrawal
The withdrawal has immediate effect and interrupts any consent-based data processing. The withdrawal has an effect on future data processing (ex nunc). According to a certain interpretation, if the person concerned wants to delete the data, they have to submit a clear request in that sense under Article 17(1)(b) GDPR.[14]
(4) Free Nature of Consent
The data subject must have a free choice and be able to refuse or withdraw consent without suffering disadvantages. Any potential imbalance of power shall be analysed on a case by case basis (see also Article 6 GDPR).
Decisions
→ You can find all related decisions in Category:Article 7 GDPR
References
- ↑ See Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 68 (Beck, 2nd edition 2018) (accessed 29 April 2021) who explains the dynamic in this way: "Da die Vorschrift zwar die Pflicht eines Nachweises aufstellt, allerdings an einen möglichen Verstoß keine unmittelbare Rechtsfolge anknüpft, stellt diese Regelung keine Bedingung dar, sondern ist vielmehr eine Risikoverteilungsregelung".
- ↑ Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 71 (Beck, 2nd edition 2018) (accessed 29 April 2021). This requirement leaves room for various forms of demonstrations, although of course it only applies to those consent obtaining mechanisms which can be proven. It is clear, however, that the stricter the intended form of consent is, the easier it will be to provide evidence about it
- ↑ Kosta, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 7 GDPR, p. 350 (Oxford University Press 2020).
- ↑ CJEU, C‑673/17, Planet49, 1 October 2019, margin number 58-60 (available here)
- ↑ Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 69 (Beck, 2nd edition 2018) (accessed 29 April 2021).
- ↑ Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 77 (Beck, 2nd edition 2018) (accessed 29 April 2021).
- ↑ Kosta, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 7 GDPR, p. 350 (Oxford University Press 2020).
- ↑ Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 80 (Beck, 2nd edition 2018) (accessed 29 April 2021).
- ↑ Stemmer, in BeckOK DatenschutzR, Article 7 GDPR, margin number 63 (Beck 2020, 36th ed.) (accessed 3 November 2021).
- ↑ However, according to Kosta, the the reference to the UCTD in the recital is "problematic" because "[w]hether and under which conditions a contract is formed [...] is an issue of national law and the answers to these questions differ significantly between civil law and common law countries". See, Kosta, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 7 GDPR, p. 350 (Oxford University Press 2020).
- ↑ Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 83 (Beck, 2nd edition 2018) (accessed 29 April 2021).
- ↑ For example, it is reasonable to conclude that if a consent is given through a cookie banner, it should be possible to withdraw it through the same banner.
- ↑ In this sense Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 91 (Beck, 2nd edition 2018) (accessed 29 April 2021).
- ↑ Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 92 (Beck, 2nd edition 2018) (accessed 29 April 2021).