Article 4(11). GDPR. Consent

 

 

Authors: Judith Rauhofer and Burkhard Schafer

(11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

I. General overview

 

  1. Substantive elements of consent

Consent is one of the legal grounds set out in Art. 6 para. 1, on which the controller can base the processing of personal data (→ mn. 19), and (when ‘explicit’) one of the exceptions in Art. 9 para. 2, upon which the controller can rely to justify the processing of special categories of personal data (→ mn. 39). Consent can also have the effect of limiting the data subjects’ rights under the GDPR. For example, the right not to be subject to a decision based solely on automated processing (Art. 22 para. 1) does not apply where such a decision is based on explicit consent (Art. 22 para. 2 lit. c, → mn. 36). Moreover, transfers of personal data to countries outside the EU are permitted based on explicit consent, even in the absence of a finding of adequacy with regard to the relevant country (Art. 45 para. 3) and appropriate safeguards (Art. 46), provided that the controller has informed the data subject about the possible risks of such transfers.[1] It is recalled and stressed that consent under Art. 9 para. 2 lit. a, Art. 22 para. 2 and Art. 49 para. 1 lit. a must be explicit, whereas under Art. 6 para. 1 lit. a ‘simple’ consent will suffice.

Consent is defined in Art. 4 point 11 as the freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies agreement to the processing of personal data relating to him or her. For consent to be valid, all these constitutive elements need to be cumulatively met. In the absence of any of them, consent is invalid and the processing is unlawful, save where the controller can rely upon another legal ground of Art. 6 para. 1 lit. b to f. Art. 7 contains additional formalities regarding the granting of consent as well as the right to withdraw consent.[2] Art. 8 imposes specific obligations on controllers where consent is used to authorise personal data processing “in relation to the offer of information society services directly to a child”.

  2. Capacity to consent

 

Like the DPD, the GDPR does not include specific provisions on who is deemed to have the legal capacity to give consent. This absence of clear conditions has resulted in the adoption by Member States of various approaches to the conditions an individual must meet to be able to give valid consent. Affected persons meriting special protection include children as well as other individuals with a limited ability to understand and make informed decisions about the types of data that can be processed, the types of processing operations that can be carried out and the purposes of the processing. Although the Art. 29 WP remarked that “both children and other individuals lacking full capacity would be better protected if the Directive contained additional provisions, specifically addressed to the collection and further processing of their data”,[3] the GDPR only includes limited provisions dealing with the processing of children’s data. Art. 8 includes specific conditions applicable to a child’s consent in relation to information society services. However, it remains silent on children’s consent in other contexts and the ability of other vulnerable individuals to grant valid consent in general. It is likely that, in the absence of specific rules on the legal capacity under the GDPR, Member States will rely upon provisions governing legal capacity in a general or contract law context.

  3. Timing of consent

 

The DPD was silent on the timing of consent. This led to different interpretations by regulators and Member States of whether controllers must obtain consent before starting the processing or whether it is sufficient to obtain consent later. In the past, some Member States have argued that the absence of a clear prescription in the definition of consent meant that consent could still be given during or after the processing.[4]

The wording of Art. 6 para. 1 lit. a, which refers to consent that the data subject “has given,” now implies that consent as a legal basis must be present before the processing starts (→ mn. 19).[5] Any processing carried out before consent has been obtained is therefore unlawful, except where another legal ground (Art. 6 para. 1) can legitimise the processing.

 

 

[…]

 

 

 

[1] Art. 49 para. 1 lit. a, → mn. 8.

[2] Art. 7 para. 3, → mn. 33.

[3] Art. 29 WP, Opinion 15/2011 on the definition of consent, WP 187, 13 July 2011, section III.A.5.

[4] E.g., the UK government claimed that, in the absence of a clear requirement in the definition itself, consent was “not time-bound” and that there was, therefore, no constraint on when consent could be obtained, see Department for Culture, Media and Sport, “Open letter on the UK implementation of Art. 5 (3) of the e-Privacy Directive on cookies”, 24 May 2011.

[5] E.g., the EDPB argues that this interpretation is “clearly implied” from the heading of Art. 6 para. 1 and the wording of Art. 6 para. 1 point (a) and that it “follows logically from Art. 6 and Recital 40 that a valid lawful basis must be present before starting a data processing,” cf. EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020, para. 90. Even before the adoption of the GDPR, the Art. 29 WP had consistently held that consent should be obtained prior to the start of the processing; see, e.g., Art. 29 WP, Opinion 15/2011, section III.B.3; Opinion 2/2010 on online behavioural advertising, WP 171, 22 June 2010, section 4.1.
