Consent of the data subject
Consent is one possible legal basis for processing personal data. Consent gives the data subjects the opportunity to monitor the processing of their personal data and influence it by withdrawing their consent.
Requirements for consent
For consent to be valid, it must be a
- freely given, and
- unambiguous indication of the data subject's wishes.
Data subjects can give their consent for predefined, specific and lawful purposes. If the purpose of processing personal data changes, you need to ask for a new consent before starting processing.
Specifying the consent
When you are asking for consent, you need to specify the purpose for which data is being collected. If you process personal data for several purposes, data subjects must be able to choose the purposes for which they wish to give their consent. You have to ask for consent separately for each purpose. As a rule, you are always required to ask for consent when you start processing personal data for a new purpose.
Freely given consent
Consent is not genuinely freely given if the data subject is in a vulnerable position in relation to the controller. Data subjects can be in a vulnerable position when, for example, the controller is their employer or an authority.
Data subjects must be able to refuse consent and withdraw it without any detrimental consequences. It shall be as easy to withdraw consent as to give it.
Accountability and consideration of the principles of data protection
You have to be able to demonstrate that the data subjects have given their consent to the processing of personal data, and that the consent given fulfils the legal requirements.
Consent can never override the principles of data protection. For example, you cannot collect data more extensively than necessary for the stated purpose or deviate from the obligation to protect personal data.
Asking for consent
Consent is an unambiguous and clear expression of the data subject's wishes, by which he or she accepts the processing of his or her personal data. Data subjects cannot give their consent through silence, pre-ticked boxes or inactivity.
If you request consent electronically, the request must be clear and concise and may not needlessly disrupt the use of the service. For example, ticking a box on a website is a sufficiently unambiguous and clear expression of wishes.
- separately from other information
- in clear and plain language and
- in an intelligible form.
What do you need to tell data subjects when asking for consent?
When asking for the consent of data subjects for the processing of personal data, you are required to inform them of, at minimum,
- the controller or controllers (joint controllers) and any other parties to whom the data will be disclosed
- all of the specific purposes for which the consent is being requested
- what data will be collected from the data subject
- the data subject's right to withdraw consent
- the use of the data for automated individual decision-making and profiling and
- the risks of data transfer to countries outside the EU, if a decision on the adequate level of data protection in the country has not been given and appropriate safeguards have not been implemented.
It is not necessary to identify the processors that will process the personal data on behalf of the controller when asking for consent. In connection with asking for consent, however, you also need to take the more general obligation to provide information and the information you will need to provide when collecting personal data from the data subjects. The general obligation to provide information requires the recipients of the data to be specified, including the processors working on behalf of the controller.
When will I require the data subject’s specific consent for processing personal data?
Specific consent can be used as a legal basis when
- you are processing special categories of personal data (such as health information or ethnic origin)
- you are transferring personal data to third countries or international organisations
- your processing includes automated individual decision-making or profiling.
The requirement of specificity refers to the manner in which data subjects express their consent. Examples of specific consent include signing a written statement, giving an electronic signature or through two-factor authentication. For instance, the data subject could first reply to your e-mail, after which he or she will be sent a confirmation link or code by SMS.
Your obligations as a controller increase with the risks involved in the processing of personal data.
Withdrawal of consent
Before the data subject gives his or her consent, the controller must inform the data subject of
- the right to withdraw consent; and
- how consent can be withdrawn in practice.
It shall be as easy to withdraw consent as to give it. The consent can be withdrawn at any time, for free.
If a data subject withdraws his or her consent, you will be required to stop processing his or her personal data insofar as the processing has been based on consent. Inform data subjects of all bases for processing, so that they will know how the withdrawal of consent will affect the processing of their personal data.
Unless there is another legal basis for continuing to store the data processed on the basis of consent, erase it after consent has been withdrawn. When the processing of personal data has ended, keep the proof of consent only for as long as necessary for the establishment, exercise or defence of legal claims.
Processing the personal data of children on the basis of consent
According to data protection legislation, children usually need the consent or authorisation of their custodian or other person with parental responsibility in order to use information-society services, such as social media and various applications. An age limit of 13 years has been proposed in Finland. However, children may use counselling and support services and preventive services without the consent of their custodians.
Seek to determine the age of the child and verify that the consent has been given by a child over the age limit or the child's custodian. Evaluate the authentication measures related to the giving of consent in relation to the nature and risks of processing. If you are asking children to give their consent, pay particular attention to clear and plain language.
The consent given by the child's custodian does not lapse automatically when the child is old enough to give his or her consent to the use of information-society services. However, the child may withdraw his or her consent after reaching the age specified in the law and, as the controller, you are required to inform the child of this possibility.
Does the consent you have asked correspond to the requirements of the new data protection legislation?
If you are a controller and are processing personal data on the basis of consent, evaluate whether the consent you have requested in the past corresponds to the requirements of the General Data Protection Regulation.
Please note that the consent must be
- documented for the sake of accountability
- unambiguous, so a pre-ticked box or not making a choice do not meet the requirements of consent
- for a predefined, specific and legal purpose
- as easy to withdraw as to give and
- in line with the GDPR with regard to its administration.
The changes to the obligation to provide information brought by the GDPR do not automatically render previously obtained expressions of consent invalid. The GDPR also requires you to inform data subjects of the basis of processing.
If the consent does not correspond to the requirements of the GDPR, evaluate
- whether you will be able to ask for new consent that complies with the requirements of the GDPR and
- whether the processing could be based on a different basis provided for in the GDPR.
Ensure that the principles of legality, fairness and transparency are implemented if you continue processing with another basis. The data subject must be informed of changes to the processing basis. It will not be possible to change the processing basis any more once the GDPR has entered into force.
If you cannot base the processing on another legal basis or request a new consent in compliance with the requirements of the GDPR, you will have to stop processing the personal data.