Consent to the processing of GDPR data: a detailed analysis

The GDPR (or “Regulations”) contains several grounds for the processing of personal data. These grounds can be divided into two large groups. This processing is based on the personal consent of the carrier (owner) of personal data, and processing on other grounds. This article discusses the conditions for the correct registration of consent to the processing of personal data, and does not affect the features of processing for other reasons.

The article is a brief summary and my interpretation of the Guidelines by agreement in accordance with Regulation 2016/679 (Guidelines for consent under Regulation 2016/679) (“Guidelines”) and some documents referenced in the Guidelines.

How to make

Consent to the processing of personal data is a security tool that gives your company the freedom (albeit limited) in the field of handling personal data.

There are basic conditions that must comply with the consent to the processing of personal data. Failure to comply with any of them may lead to a situation where the obtained consent will be fully or partially invalid, and your company - under the threat of fines.

GDPR fines for incorrectly agreed consent: up to EUR 20 million or 4% of the company's global turnover in the previous financial year, whichever is higher (Article 83 (5) (a) of the Regulations).

The four basic conditions for a well-formed consent are: consent is given freely , is concrete , informed, and expressed unequivocally . Additional, fifth condition: consent must be explicitly expressed under special circumstances.

Consider each of the conditions in more detail.

Consent is given freely

Consent is considered to be free if the owner of personal data has a real choice, whether to give it or not, and under what conditions. To determine the degree of freedom, the following criteria are applied: bindings to conditions, imbalances of opportunities (or powers) between the data owner (an individual) and the controller (those who process them); the possibility of fragmentation of the objectives for which consent is given; negative consequences of failure to give consent.

Binding to conditions

The consent is not free if the consent is a part of the contract that is not negotiable or modified by the data owner. The processed data is not necessary for the provision of services or the conclusion (execution) of the contract. Without the consent of the person can not get the basic service, enter into or execute the contract. Or the service will be rendered in a truncated form, under worse conditions (for example, limited functionality).

If the contract allows for discussion or amendment of its terms, placing the text of the consent in the text of the contract together with other information is still considered an incorrect way of informing about the request for consent. For details, see Consent is informed .

Example from the Guide : The photo editing service asks for consent to the processing of geolocation data on the person’s location. The service notifies the user that location data is collected in order to study user behavior and promote products and services. It is obvious that the editing service itself does not require the collection of geolocation data, and in this case, the consent given may be invalidated.

In my opinion, exceptions are permissible in the situation described above. Geolocation data for a photo processing service may be included in the agreement if a separate photo editing service is provided with reference to the area in which the photo was taken. Imagine that it is interesting to the user that the service itself indicates in the photograph the exact name of the area where it was taken. This is possible in real time (automatic editing at the time of the snapshot) or the user agrees that the service will memorize the place where the photo was taken and then suggest the name of the area to be edited.

In all cases when it is planned to process data that goes beyond the bounds explicitly and unambiguously necessary for providing a service or concluding / executing a contract, such processing should be associated with the provision of an additional service. Disagreement with the processing of additional data not needed for the operation of the main service can only lead to the impossibility of using the additional service, but not the main one.

Imbalance of opportunity

In a more advantageous position are always the authorities and similar structures. An imbalance of opportunity is present in the relationship of the employer and the employee. Regulations and Guidelines consider a person who gives consent as initially being in unequal conditions. If your company employs a private person from the European Union (in any form), it is necessary to take his consent to the processing of personal data very seriously. This is especially true for companies that actively use the transfer of employees to offices in EU countries. Such companies should bear in mind that their employees from Russia, Ukraine or other CIS countries, getting a legal status for staying in the EU, automatically fall under the protection of the rules of GDPR.

Example: Often used for programmers (and other remote employees) way to record working time through regular screenshots from the monitor. To exclude or at least minimize the risk of forcing an employee to agree to track data from his screen, it is advisable to include a condition on monitoring working time through screen data in any contract with such employee or independent executor (contractor). In this case, the processing of the received data will no longer be carried out on the basis of consent, but on another legitimate basis - the need to fulfill the concluded contract (Article 6 (1) (b) of the Regulations).

If this condition is not included in the contract for any reason, then when obtaining the consent of your employee, it will be necessary to substantiate that this practice is widespread among employers: Conclusion 15/2011 on determination of consent / Opinion 15/2011 on the definition of consent. With all the evidence for you of this fact, it is not guaranteed that in a conflict the supervisory authority will not require any documentary evidence of this practice.

In accordance with the European Union Law, the conclusions do not apply to legally binding norms. However, they contain specific examples and interpretations of the Rules of the Regulation. The conclusions provide all participants in the processing of personal data to individuals and EU states with a unified approach to the application of the standards of GDPR. (Even if the conclusions were issued before the adoption of the GDPR, they served as the basis for the development of the Regulations and can be taken into account by the regulatory authorities and the courts).

I would recommend always discussing monitoring issues in advance with an employee. It is advisable to make sure that the use of screenshots will not be forced for him and will not affect the random collection of any personal data that is not required to perform the work under the contract.

Example: An employee is forced to use a personal computer not only to work for your company, but, say, to monitor a disabled or elderly family member in real time. In this situation, it is better to provide it with an additional, working computer. Otherwise, you risk to accidentally collect data about third parties. It’s just not possible to restrict an employee to use the Internet or an internal network for personal needs, such a restriction requires serious reasons.

(More information about the nuances of personal data processing in electronic communications can be found in the Working paper on monitoring electronic communications in the workplace).

In any relationship where there is an imbalance of possibilities, it is better to avoid processing data based on agreement. Instead of using consent, try to think carefully about your business processes and indicate the cases of processing personal data in contracts that you enter into. Consent is often complex in design and an inconvenient tool in the employer-employee system. Your company will always have to be ready to take a test on the free will of your employees when issuing consent.

The list of cases of imbalance is open and not limited to employers or authorities. The imbalance of opportunities between your company and an individual from the European Union can be where refusal to give consent on your terms leads to any negative consequences for such a person. Including, to additional material costs.

Example: Your company sells products or provides services that are difficult to replace because of the uniqueness or even your better price compared to competitors. Refusal to give consent on your terms will not allow a buyer from the European Union to buy this product from you or use your service. As a result, he will have to pay for them more expensively to another supplier.

Crushing targets

If there is an opportunity to share the goals of obtaining consent, they should be divided. As a rule, there is always such an opportunity. A person must have a simple and clear choice: to give or not to give consent on a specific goal of treatment.

Example: The user agrees that you send him information about the update of your software product. But I do not agree that you give his data to your partners. In such a situation, you cannot formulate a query like this:

“In order to update the product, I hereby agree to receive notifications from /.../ about new versions, including receiving notifications about updated / added functionality implemented by partners /.../, for which I agree /. ../ may transfer my personal data to your partners of your choice. ”

When recommending (and generally processing on any other basis), I recommend crushing (detailing) the types of data collected, the purpose of obtaining them, and all other necessary information as much as possible. This will help you not only to avoid data collection charges by some kind of array, without specifying, but also to understand what and why you collect, use and store, how long it needs to be stored. When you receive any requests to change or delete data, you can always quickly change or delete them, without harming the rest of the data.

If you have included personal data in a single document (contract or some cumbersome form, questionnaire, etc.), then to remove or change them you will need to complete many formalities. Starting from re-signing (approval) of such a document from the data owner himself, to re-passing the approval procedure within his own company.

Negative consequences

They should not be. A person may refuse to give consent in respect of personal data, which are clearly not necessary for the provision of any service or performance of the contract. And this should not lead to a refusal to provide him with a service or to render it on the worst conditions.

It’s easy to avoid negative consequences. I repeat that any data that is not needed for the operation of the main service can be processed based on the consent given for any additional service or additional privilege (benefits, discounts, etc.) provided by your company. I would recommend for those data that you want to collect and process, but are not sure if they are necessary for the operation of the main service, to select some additional from the main functionality (if it is technically possible). And bind the receipt of additional data to the ability to get advanced functionality.

Consent is specific

Concreteness is ensured by the following conditions:

• the purposes for which the data is processed must be specific, explicit and reasonable;
• consent must be sought with a split purpose (the split requirement is repeated here, see above); and
• Information provided upon receipt of consent should be clearly separated from information on other issues (see also Consent is informed ).

Example from Guide: A cable television operator collects personal data from users and sends them personal suggestions for new films based on user preferences. After a while, the operator decides to allow third parties to show targeted ads to their users, also based on user preferences. Here, the operator needs to get a new consent from its users, regarding the new and independent goal.

Consider how to correctly specify and formulate the purpose of data processing in accordance with the Regulations. Recommendations for setting goals can be found in Opinion on purpose limitation.

The purpose of the processing should not be formulated implicitly (blurry) or too general. In particular, the wording “improving user behavior”, “for marketing purposes”, “for the security of information technology” or “for future research” is usually not correct in terms of GDPR. At the same time, Conclusion 03/2013 recommends that you always consult with each specific case of obtaining consent. Excessive detailing can have the opposite effect - information about the purpose of consent will be overloaded with difficult to understand terms. This, in turn, will violate one of the fundamental requirements of the Regulation - to use an understandable and simple language for any documents on the processing of personal data.

Appendix 3 to Conclusion 03/2013 provides examples of how to formulate goals depending on the situation.

Example A: A local store selling clothes and sending out their catalogs of new collections to a limited number of locals. In this case, it is allowed to indicate simply “marketing” as a target for collecting data on names, addresses and telephone numbers of clients, since the store has a limited circle of buyers, all buyers are well aware that it is only about getting a catalog with clothes. At the same time, the catalog allows you to buy collections that have not yet become widely available and are not available to other buyers. Those. it is a question of additional service, having refused which buyers all the same can get the same clothes, only later.

Example B: If we are talking about a global trading platform that collects a lot of data and uses sophisticated user analytics and their behavior for targeted advertising and personal offers, it is necessary to detail each goal of data processing; including, specify the criteria for making automated decisions based on user profiles.

Conclusion 03/2013 recommends the use of multi-level or “layered” notifications for the purposes of data processing, namely:

Example C: There are signs on the building that allow you to immediately notify visitors that video surveillance is being conducted. The plates contain a summary of the processing: link to the website and / or the name of the company responsible for it. On the site itself there is a detailed Policy regulating data processing and the rights of owners of personal data. This technique allows you to promptly inform about personal data processing in a friendly and simple manner.

The multi-level method of informing today is used by an increasing number of off-line and online services. For example, during a telephone conversation with banks, an automatic notification of the recording of the conversation is played. When entering the website page, the visitor sees a short notice about the collection of cookies, which contains a link to the Privacy Policy or the Policy for the processing of cookies. If further actions of the website visitor imply collection of other data (for example, when filling out a form), consent is again requested for processing and a link to the document with detailed information is given.

Consent is informed

The guide recommends a minimum set of information that the data owner must obtain before giving consent. This is information about:

• the one who collects the data (controller), which allows him to identify;
• processing purposes;
• types of processed data;
• the right to withdraw consent;
• how data is used to make automated decisions (if such are made);
• on the possible risks of data transmission to persons from countries outside the European Union, without an adequate level of personal data protection and without any protective measures taken.

I will dwell on a couple of points that are not always paid attention to.

First , information about who is collecting and / or processing data. I recommend that this information be easily accessible from a request for consent, and sufficient for identification in accordance with the personal law of the relevant state applicable to a particular company. You need to make sure that there is a direct indication of the name, address and / or identification numbers of your company on the website or in the Privacy Policy. It is not enough to indicate just the company name of your company. If the data will be processed by a group of companies, you need to list all the companies of this group.

Under the personal law is understood the law of the state, which regulates the status of a legal or other person, determines the requirements for the name, procedure of registration, etc.

Secondly , the manner (method) of informing. The consent request must contain sufficient information and use a short language that is understandable to the average person. It is unacceptable that consent was hidden in the text, including by constructions like “I realize that ...” and similar ones. Links to multi-page Personal Data Processing Policies and similar documents, if the basic information is not given in an easy and understandable form at the time of obtaining consent , is also unacceptable.

It is recommended to highlight the text of the consent corresponding title.

Example: For mobile application services, where the screen size makes it difficult to read documents, especially such as licenses to use the service, etc., I would recommend asking for consent to put it on a separate page (screen). It does not matter if your application twice or three times asks the user to tick the boxes in the checkbox for consent to the processing of their data, and for acceptance of the license terms. Worse, if you make the consent section at the end of a multi-page document, browse (not to mention “read”), which even to the middle can not everyone. Then there is a risk that your request will be deemed flawed in terms of proper information, and the consent itself - not free.

Consent expressed unequivocally

This requirement is closely related to the requirement of awareness and, in particular, the method of informing / requesting consent. Consent must be given through a statement or a clear affirmative action. Silence or inaction cannot be considered as consent. In this case, it is assumed that consent is not given .

Forms of consent (by declaration) include not only written statements. It can be anything, including a record of oral negotiations. When recording a conversation, it is imperative to inform you that the data has been collected and that consent is requested.

There are situations when a service or website requests online consent through a pre-marked check-box, and something like the “Next” button. Instead of a handwritten statement of consent, a mark is put, stamped by the service (website) by default. Here consent is considered to be expressed indefinitely, since in order to refuse consent to the user of online services, it is necessary to cancel prior pre-approved approvals.

Often such pre-installed check-boxes "sin" services for booking tickets, hotels and others. Simultaneously with booking a ticket, they affix your consent to the purchase of flight cancellation, loss, life insurance and other services. Leaving outside the scope of this article the legality of this method of selling additional services. It is important that even if the client agrees (accidentally) with the purchase of such insurance, he could hardly give his informed and unequivocal consent to transfer his data to third parties (insurance companies and others).

Consent must be explicit in special circumstances.

For a number of cases, the GDPR Regulation requires that consent be explicitly expressed. As a rule, these are situations for collecting specific data categories (for example, health), transferring to third countries without an adequate level of personal data protection, or making automated decisions regarding the data owner. Here it is recommended (although not required in a rigid form) to issue consent in the form of a document (form) signed by the data owner. Consent may be expressed in other ways: by sending a photo of the document, an e-mail, etc. It is allowed to record consent by recording verbal negotiations, if during the conversation all the necessary information is communicated.

Example from the Guide: For special situations, the use of two-or multi-level evidence of consent is recommended. For example, a separate e-mail indicates for which specific purposes the consent is requested, which data will be processed. Users are asked to send a response letter with the words "I agree." This allows you to make sure that the user doesn’t accidentally put a checkmark in the check-box or sent a response letter without reading the request to the end.

Withdrawal of consent

How best to implement a consent revocation mechanism

Remember that withdrawal of consent must be implemented in the same easy way that consent was given. Although the Regulation does not require that the mechanism of withdrawal of consent by 100% coincided with the mechanism of its confirmation.

Example from the Guide: When buying tickets to a music festival, consent to data processing for marketing purposes was confirmed by clicking "Yes" or "No". But for withdrawal of consent is required to call the ticket seller's office from 8 am to 5 pm. This is an unacceptable situation in the framework of the GDPR, violating the condition of ease of withdrawal of consent.

Do not forget that information about the right of a person to withdraw his consent must be given to him before obtaining consent, in the request for consent itself. At the same time, it is necessary to inform how to realize this right. This means that the easiest and most effective way to communicate this is simply to suggest a revocation mechanism in the request text itself, in your account, in a mobile application, or in another service. The mechanism for withdrawing consent must be intuitive to humans.

"The mechanism of withdrawal of consent must be intuitive to the person" - the case when an experienced UX-designer is simply necessary.

Example: Using an "Unsubscribe" link in emails to opt out of receiving notifications is an easy and convenient way. It allows you to quickly find any letter and withdraw consent. You can add a separate button or link in the user's personal account. With clear text, like "Refuse to process personal data." Then you can either simply delete all user data, or suggest options for it, which data to delete and which data to leave.

Obviously, any remaining data in the absence of deleted data may become useless. You need to warn the user about this in advance that all associated data will be deleted, and not just the selected one.

Example: You can separately delete the data of the payment card of the client of the online store without affecting the contact details. But if you delete all the contact information, including the user's full name, the payment card data without them is not needed. Since it is not clear to whom and where to deliver the goods.

What to do after withdrawing consent

After revoking the consent, your company should immediately stop processing such data, if there are no other reasons for its continuation. All actions for the processing of personal data that were committed prior to the withdrawal of consent are considered legal. But only if the consent was initially issued correctly.

Example: Data previously obtained on the basis of consent have subsequently become necessary to fulfill the conditions of the concluded contract or they must be stored in accordance with the requirements of the legislation: tax, financial or labor, and any other (Article 6 (1) (b) of the Regulations).

It is in this situation that the benefits of maximizing the data processing goals and the data itself, which you can collect and process, become apparent. Having understood what data and for what purposes you are processing, you will easily understand on what grounds the processing should be carried out: on the basis of consent or there are other reasons not dependent on it.

IMPORTANT! You can not arbitrarily change the basis of data processing.

This is one of the subtle points of the GDPR, which is indicated in the Guide. The basis for data processing must be selected by your company (and communicated to the data owner) before processing begins. You can not arbitrarily change the basis for processing personal data.

Example from the Guideline: If it turns out that the consent was drawn up in violation of the rules of the GDPR, and the data were collected on the basis of invalid consent, it is impossible to retrospectively replace the consent for another basis; for example, having a legitimate interest in running a business through advertising mailings (Article 6 (1) (f) of the Regulations).

Here, the question remains: what to do if all of a sudden the consent was registered incorrectly, but you are obliged to store and transfer the data to any regulatory authorities on the basis of the requirements of local law? In my opinion, this can be a fatal risk, since you have to choose what to break: local law or GDPR rules.

The prohibition of arbitrary replacement of the bases for data processing shows how important it is to carefully consider the business processes in your company before proceeding with the processing of personal data in accordance with the GDPR.

It should be remembered that with the revocation of consent, if your company continues to process data on a different basis and the processing objectives have changed, you must notify the owner of personal data (Articles 13 and 14 of the Regulations).

Consent obtained: how to work on

Everything is simple here. We need constant monitoring and updating. Consent is not a static document, but part of a dynamic data system. Any change associated with obtaining new data or using existing ones, but for other purposes (for example, it is planned to be transferred to third parties), requires updating the previously obtained consent. If you have managed to build a logical system for processing personal data, including clear links between categories (types) of data, objectives and bases for their processing, specific processing actions, terms and other elements, it will not be difficult for you to promptly request a new consent. Ideally, this process should be automated.

Brief conclusions:

You can optimally approach the agreement of your users, partners, clients, to the processing of their personal data, if you follow the principles of DRY, KISS and, especially, YAGNI, which are well-known among programmers. If you interpret these principles in the language of GDPR, then:

DRY:

Split the system (ie, consent as a single document or as a set of evidence) into the simplest elements. For example, use the check-boxes opposite each type of personal data with an explanation of the processing purpose and / or a link to a specific place in the Personal Data Processing Policy, giving additional information to your user. It will be for everyone a convenient and understandable solution. The user can always choose with what he agrees, and with what - no.

If you need to use the collected data for a new goal, you simply add this new target (and a separate check box for it). If something needs clarification, you can give a direct link to the explanatory text. Provide a person with an opportunity through sorting to easily find the purpose of processing his data, the shelf life, to whom and what data can be transferred and under what conditions. It is advisable to build large documents using cross-references to avoid repetition of the text.

KISS:

Clearly formulate the purposes of processing personal data for which you want to obtain the consent of their owner. Write in a simple and understandable language. Avoid unnecessary data aggregations, processing purposes, storage periods, etc., into a single pool / document or several massive pools / documents. Do not forget that the availability and clarity of documents to the ordinary person regulating the processing of personal data is one of the fundamental requirements in the Regulation of the GDPR.

YAGNI:

Do not collect more data than you need. Really necessary. A lot of data, it is not only your asset, but also a liability. The data for which you received consent require regular attention. This is another fundamental fundamental requirement of the GDPR: personal data must be adequate, related to the processing objectives and necessary for them (paragraph 39 of the Preamble of the Regulations).

Already collected data should be regularly checked for relevance, for compliance with processing goals (goals can be changed, supplemented), ensure storage safety and delete as soon as they become unnecessary objectively. Agree, the accidental leakage of only passport data or payment card data (not to mention these special categories) has different consequences for the people themselves and for your company responsible for processing this data.