Difference between revisions of "Article 7 GDPR"

From GDPRhub
 
(3 intermediate revisions by the same user not shown)
Line 220: Line 220:
 
==Commentary==
 
==Commentary==
  
Article 7 specifies in more detail the definition of the terms set out in [[Article 4 GDPR|Article 4]] and supplements [[Article 6 GDPR#1a|Article 6(1)(a)]] to meet the formal and legal requirements for valid consent in the data protection context. The conditions for consent to be given, as defined in Article 7, are based on preliminary work by the CJEU and the Article 29 Working Party, as well as on Member State law.    
+
=== Overview ===
 +
Article 7 regulates the ''"conditions for consent"''. It specifies the definition of consent set out in [[Article 4 GDPR|Article 4]] and, by integrating [[Article 6 GDPR#1a|Article 6(1)(a)]], contributes in defining what legal requirements a valid consent should have. The provision also places the burden of proof ''on'' the data controller for the existence of consent.      
  
===Obligation to provide proof of consent===
+
===Obligation to provide proof of consent (Article 7(1) GDPR)===
  
The obligation to provide proof under Article 7(1) is a measure of transparency. The duty of proof reminds the controller of the central position and the effect of consent and protects it at the same time against subsequent allegations that consent was not given.
+
Under Article 7(1) GDPR, the controller must demonstrate to have obtained a valid consent. However, there is no direct legal sanction linked to a possible violation''.'' If, for example, the existence of an effective consent is disputed and the controller cannot provide evidence of this, it can be assumed that there is no consent. <ref>See, ''Heckmann, Paschke,'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, Margin number 68 (Beck, 2nd edition 2018) (29.4.2021) who explains the dynamic in this way: "Da die Vorschrift zwar die Pflicht eines Nachweises aufstellt, allerdings an einen möglichen Verstoß keine unmittelbare Rechtsfolge anknüpft, stellt diese Regelung keine Bedingung dar, sondern ist vielmehr eine ''Risikoverteilungsregelung''".</ref>
  
The burden of proof presupposes that the processing is "based" on consent. In this respect, it must be clear to both the controller and the data subject that no other legal basis applies to the data processing.  
+
Therefore, the controller bears the burden of proof for the existence of an (effective and valid) declaration of consent. This requirement leaves room for various forms of consent, although of course it only applies to those consent obtaining mechanisms which can be proven. Consent can be given through a ''clear, affirmative act'' (see Recital 32) in the form of a written, electronic or oral declaration. It is clear, however, that the stricter the intended form of consent is, the easier it will be to provide evidence about it. <ref name=":0">''Heckmann, Paschke,'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, Margin number 69 (Beck, 2nd edition 2018) (29.4.2021)</ref>
  
The proof is an obligation of the controller.
+
===Layout requirements in the case of connection with another matter (Article 7(2) GDPR)===
  
===Layout requirements in the case of connection with another matter===
+
The principle of separation laid down in Article 7(2) ensures that consent is truly informed (see [[Article 6 GDPR#1a|Article 6(1)(a)]] GDPR) and not inadvertently given. To do so, Article 7(2) establishes layout requirements for the consent expressed in written form ("''in the context of a written declaration''"). 
  
The principle of separation laid down in Article 7(2) ensures that consent is truly informed (see [[Article 6 GDPR#1a|Article 6(1)(a)]]) not given incidentally. In this regard, this provision acts also as a consumer protection. The layout requirement of Article 7(2) sentence 1 is aimed at making sure that the specific request for consent as such, isolated, is seen by the data subject without further effort. The warning and information function applies also with regard to the legal consequences of consent. Making sure that consent forms are not bundled guarantees more control for the data subject when deciding to give consent.  
+
==== Written form ====
 +
The ''written form'' requirement is to be interpreted broadly. The electronic form is therefore at least also covered by this provision. Since data protection law is particularly important in a digital context and the regulation giver aimed to provide comprehensive protection for those affected, the provision can also be used in digital legal transactions.  
  
===Right to withdraw consent===
+
==== Requirements ====
 +
First, it should be "distinguishable" from other statements. Historically, consent has been interpreted as the action through which subject "A" authorizes subject "B" to perform a certain action "C". If the limits of the authorization are unclear, the consent cannot be valid. In data protection terms, this translates into a statement which clearly authorizes the controller to carry out a specific processing operation.
 +
 
 +
Second, it should be formulated in clear and simple language. This means that even users with poor reading skills due to a low level of education or lack of language skills can understand the text and consciously express their consent. <ref>''Heckmann, Paschke,'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, Margin number 80 (Beck, 2nd edition 2018) (accessed 29.4.2021)</ref> The warning and information function applies also with regard to the legal consequences of consent. Making sure that consent forms are not bundled guarantees more control for the data subject when deciding to give consent.
 +
 
 +
==== Failure to meet the requirements ====
 +
If any part of the statement (provided by the controller to the data subject) does not meet the above-mentioned requirements or anyway "''constitutes an infringement of this Regulation'' [it] ''shall not be binding''". In data protection terms, this may easily translate into a violation of the lawfulness principle (the claimed legal basis is not present --> Article 6(1)(a) GDPR) and should bring to the immediate deletion of all the data collected. <ref>''Heckmann, Paschke,'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, Margin number 83 (Beck, 2nd edition 2018) (accessed 29.4.2021)</ref>
 +
 
 +
===Right to withdraw consent (Article 7(3) GDPR)===
  
 
The data subject can withdraw their consent at any time and should be made aware of this right before granting consent. Withdrawal should be as easy as giving it; however, the withdrawal will not retroactively affect any processing based on the consent prior to its withdrawal.   
 
The data subject can withdraw their consent at any time and should be made aware of this right before granting consent. Withdrawal should be as easy as giving it; however, the withdrawal will not retroactively affect any processing based on the consent prior to its withdrawal.   
  
The data subject needs only provide the minimum amount of personal information needed to identify and authenticate them to successfully revoke their consent.  
+
==== Requirements for the withdrawal ====
 +
Article 7(3) clarifies that the withdrawal of consent must be as simple as the granting of consent. In the case of electronic declarations, revocation should be enabled via the same tool used to provide the consent. <ref>For example, it is reasonable to conclude that if a consent is given through a cookie banner, it should be possible to withdraw it through the same banner.</ref> In this perspective, a technical challenge could be the development of a the appropriate revocation environment, especially if the person concerned does not have a user account through which he/she can adjust the privacy settings. <ref>In this sense, ''Heckmann, Paschke,'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, Margin number 91 (Beck, 2nd edition 2018) (accessed 29.4.2021)</ref>
 +
 
 +
==== Consequences of withdrawal ====
 +
The withdrawal has immediate effect and interrupts any consent-based data processing. The withdrawal  ''ex nunc'' for future data processing. According to a certain interpretation, if the person concerned wants to delete the data, they have to submit a clear request in that sense under Article 17(1)(b) GDPR. <ref>''Heckmann, Paschke,'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, Margin number 92 (Beck, 2nd edition 2018) (accessed 29.4.2021)</ref>
  
===Free nature of consent===
+
===Free nature of consent (Article 7(4) GDPR)===
  
The data subject must have a free choice and be able to refuse or withdraw consent without suffering disadvantages.  Any potential imbalance of powers shall be analysed on a case by case basis. (See also [[Article 6 GDPR#1a|Article 6]].)
+
The data subject must have a free choice and be able to refuse or withdraw consent without suffering disadvantages.  Any potential imbalance of powers shall be analysed on a case by case basis. (See also [[Article 6 GDPR#1a|Article 6]]).
  
 
==Decisions==
 
==Decisions==

Latest revision as of 13:26, 29 April 2021

Article 7: Conditions for consent
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text[edit | edit source]

Article 7: Conditions for consent

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Relevant Recitals[edit | edit source]

Recital 32

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Recital 33

It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

Recital 42

Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

Recital 43

In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

Commentary[edit | edit source]

Overview[edit | edit source]

Article 7 regulates the "conditions for consent". It specifies the definition of consent set out in Article 4 and, by integrating Article 6(1)(a), contributes in defining what legal requirements a valid consent should have. The provision also places the burden of proof on the data controller for the existence of consent.

Obligation to provide proof of consent (Article 7(1) GDPR)[edit | edit source]

Under Article 7(1) GDPR, the controller must demonstrate to have obtained a valid consent. However, there is no direct legal sanction linked to a possible violation. If, for example, the existence of an effective consent is disputed and the controller cannot provide evidence of this, it can be assumed that there is no consent. [1]

Therefore, the controller bears the burden of proof for the existence of an (effective and valid) declaration of consent. This requirement leaves room for various forms of consent, although of course it only applies to those consent obtaining mechanisms which can be proven. Consent can be given through a clear, affirmative act (see Recital 32) in the form of a written, electronic or oral declaration. It is clear, however, that the stricter the intended form of consent is, the easier it will be to provide evidence about it. [2]

Layout requirements in the case of connection with another matter (Article 7(2) GDPR)[edit | edit source]

The principle of separation laid down in Article 7(2) ensures that consent is truly informed (see Article 6(1)(a) GDPR) and not inadvertently given. To do so, Article 7(2) establishes layout requirements for the consent expressed in written form ("in the context of a written declaration").

Written form[edit | edit source]

The written form requirement is to be interpreted broadly. The electronic form is therefore at least also covered by this provision. Since data protection law is particularly important in a digital context and the regulation giver aimed to provide comprehensive protection for those affected, the provision can also be used in digital legal transactions.

Requirements[edit | edit source]

First, it should be "distinguishable" from other statements. Historically, consent has been interpreted as the action through which subject "A" authorizes subject "B" to perform a certain action "C". If the limits of the authorization are unclear, the consent cannot be valid. In data protection terms, this translates into a statement which clearly authorizes the controller to carry out a specific processing operation.

Second, it should be formulated in clear and simple language. This means that even users with poor reading skills due to a low level of education or lack of language skills can understand the text and consciously express their consent. [3] The warning and information function applies also with regard to the legal consequences of consent. Making sure that consent forms are not bundled guarantees more control for the data subject when deciding to give consent.

Failure to meet the requirements[edit | edit source]

If any part of the statement (provided by the controller to the data subject) does not meet the above-mentioned requirements or anyway "constitutes an infringement of this Regulation [it] shall not be binding". In data protection terms, this may easily translate into a violation of the lawfulness principle (the claimed legal basis is not present --> Article 6(1)(a) GDPR) and should bring to the immediate deletion of all the data collected. [4]

Right to withdraw consent (Article 7(3) GDPR)[edit | edit source]

The data subject can withdraw their consent at any time and should be made aware of this right before granting consent. Withdrawal should be as easy as giving it; however, the withdrawal will not retroactively affect any processing based on the consent prior to its withdrawal.

Requirements for the withdrawal[edit | edit source]

Article 7(3) clarifies that the withdrawal of consent must be as simple as the granting of consent. In the case of electronic declarations, revocation should be enabled via the same tool used to provide the consent. [5] In this perspective, a technical challenge could be the development of a the appropriate revocation environment, especially if the person concerned does not have a user account through which he/she can adjust the privacy settings. [6]

Consequences of withdrawal[edit | edit source]

The withdrawal has immediate effect and interrupts any consent-based data processing. The withdrawal ex nunc for future data processing. According to a certain interpretation, if the person concerned wants to delete the data, they have to submit a clear request in that sense under Article 17(1)(b) GDPR. [7]

Free nature of consent (Article 7(4) GDPR)[edit | edit source]

The data subject must have a free choice and be able to refuse or withdraw consent without suffering disadvantages. Any potential imbalance of powers shall be analysed on a case by case basis. (See also Article 6).

Decisions[edit | edit source]

→ You can find all related decisions in Category:Article 7 GDPR

References[edit | edit source]

  1. See, Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, Margin number 68 (Beck, 2nd edition 2018) (29.4.2021) who explains the dynamic in this way: "Da die Vorschrift zwar die Pflicht eines Nachweises aufstellt, allerdings an einen möglichen Verstoß keine unmittelbare Rechtsfolge anknüpft, stellt diese Regelung keine Bedingung dar, sondern ist vielmehr eine Risikoverteilungsregelung".
  2. Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, Margin number 69 (Beck, 2nd edition 2018) (29.4.2021)
  3. Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, Margin number 80 (Beck, 2nd edition 2018) (accessed 29.4.2021)
  4. Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, Margin number 83 (Beck, 2nd edition 2018) (accessed 29.4.2021)
  5. For example, it is reasonable to conclude that if a consent is given through a cookie banner, it should be possible to withdraw it through the same banner.
  6. In this sense, Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, Margin number 91 (Beck, 2nd edition 2018) (accessed 29.4.2021)
  7. Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, Margin number 92 (Beck, 2nd edition 2018) (accessed 29.4.2021)