By Soraya Garran, professor “Compliance programs in data protection and security. Impact evaluation” in the master's degree in Compliance & Data Protection Directorate of the EIP International Business School wanted to share with us the following post about the consent of the interested party
General Data Protection Regulation (GDPR)
Two years ago, the GDPR began to be applicable with the consequent changes that companies have had to make in order to adapt to the new regulatory framework that it has brought regarding the protection of personal data.
One of the most characteristic changes that RGPD has brought with it, it is the way in which the consent of the interested party must be obtained. This issue has changed considerably, causing many companies to modify the terms under which they were collecting it.
That is why the GDPR in its art. 4.11 defines the consent as "any free, specific, informed and unequivocal expression of will by which the interested party accepts, whether by means of a declaration or a clear affirmative action, the processing of personal data concerning him or her;”
Consent: characteristics
In this sense, it is important to take into consideration the following characteristics of consent which are analyzed below:
- Free: Consent must be freely granted by the interested party, and cannot be subject to a specific condition or be used in those cases in which there is a clear imbalance between the interested party and the person responsible for the treatment.
- Specific: Consent must be granted for a specific treatment, and must indicate in each case which treatments for which it is granted.
- Informed: in order for the consent to be understood as validly granted, the interested party must be informed in clear and simple language about the processing of the data based on the terms established in art. 13 and 14 of the GDPR.
- Unequivocal: This characteristic implies that there can be no doubt that the interested party accepts and consents to the processing of their data. This is why the GDPR establishes the need for consent to be granted through clear affirmative action.
Is it possible to obtain consent by checking a box
Based on the characteristics analyzed, uncertainty arises about whether, with the current regulatory framework, it is possible to obtain consent by checking a box and whether it can also be previously checked.
In this sense, the applicable regulations require the existence of a clear affirmative act by the interested party, so Checking a box in order to grant consent is a valid formula, since it requires the interaction of the interested party.
The situation is different in which the interested party is presented with a previously marked box, in which the granting of consent for the processing of the data is collected, thus forcing the owner to uncheck the box in the event that you do not agree with the processing of your data for the specific purposes.
In this case, the fact of The fact that the interested party has to uncheck the box is not enough to conclude that the consent has been free and informed., since it cannot be understood that free consent can be deduced from the fact that the pre-marked box has not been modified, since the granting procedure does not involve a clear affirmative act as required by the regulations.
That is why, based on the current regulatory framework It is not possible to obtain consent through the formula relating to pre-marked boxes just as it had been done in the past, thus companies must modify this practice.
Do you want to specialize in Compliance Management and data protection?
He Master in Compliance & Data Protection Management will make you a highly qualified professional with the necessary skills to carry out specialized tasks in two of the most relevant areas for both private businesses as for public administrations: data protection and regulatory compliance or Compliance.
