What is consent?
In its meaning related to “Law”, the Royal Spanish Academy defines consent as a “manifestation of will, express or tacit, by which a subject is legally bound”.
The concept is precise. Undoubtedly, consent is the formal requirement by means of which contracts are formalized or, at an individual level, by which we accept or reject certain actions concerning our person.
Naturally, at the personal level, and more specifically for data that could be processed by someone other than us (or an organization), in the vast majority of cases we, as data subjects, must have consented to the processing of the data. In the case of the European Union, this is stated very clearly in the General Data Protection Regulation.
Types of consent: tacit and express
In recent times, the concept of “consent” has undergone an evolution due to changes in Spanish legislation, mainly influenced by European regulations.
Something very relevant in the regulations is the definition of the two types of consent: tacit and express.
Tacit consent
It is that which is not expressly reflected in written or physical form, but by a series of indirect actions or omissions. That is, it does not arise from explicit manifestations.
In any case, the existence of explicit manifestations should not be understood as tacit consent.
In the jurisprudence of the Supreme Court, judgment 257/1986, of April 28, 1986, establishes that for tacit consent to exist, there must be circumstances that unequivocally reveal that the person consents. It also emphasizes, as an important requirement, that silence is not always considered tacit consent.
Another Supreme Court decision, No. 483/2004 of June 9, 2004, establishes two requirements for silence to be considered tacit consent.
The first of these is the knowledge and understanding of the facts. This means that the person who remains silent understands the facts that require his or her consent.
The second requirement is the ability to express disagreement. In this case, the situation must allow the person to express in some way his or her disagreement if he or she does not want to consent to or approve the facts or proposals. The Court understands that remaining silent is a form of tacit consent when there is a relationship between the parties that has a history based on good faith.
Examples of situations where tacit consent is accepted or required
On a day-to-day basis, we are frequently confronted with requests for tacit consent. For example, we receive a notification from our bank indicating that our new conditions will come into force on a certain date and that “if we do not expressly state otherwise”, or “if we do not receive a reply within X days”, these conditions will be deemed to be accepted.
Tacit consent is also common in homeowners’ associations. An example is when a neighbor of a community of owners installs an awning, an air conditioning machine or any other element that alters the facade of the building without requesting permission. If no other neighbor objects, it is understood that there is tacit consent on the part of the community.
Tacit consent to the use of information also exists when a person hands over his or her business card, company card or any other type of card containing personal data. This consent includes a willingness to communicate with the other party.
At present, tacit consent is not valid in terms of data protection, although it was valid under the regulations prior to Law 3/2018, the repealed LOPD of 1999. Until that time, for example, cookies were understood to be accepted when browsing the web, since there was no explicit manifestation contrary to their acceptance.
Express consent
In fact, the only valid consent in data protection is express consent, the one described in Articles 4.11 of the GDPR and 6.1 of Law 3/2018, where it is defined as follows:
“Any freely given, specific, informed and unambiguous expression of will by which the data subject consents, either by a statement or by a clear affirmative action, to the processing of personal data concerning him or her.”
Therefore, the GDPR requires consent to be “unambiguous” and excludes the use of so-called tacit consent. Pre-checked boxes and inaction are not considered valid ways of obtaining consent. On the other hand, a written declaration or the activation of checkboxes on a website is in accordance with the GDPR.
The responsibility for collecting this consent lies with the data controller, in accordance with Article 7.1 of the GDPR, as we will see below.
Informed consent: purpose, information and communication to the person concerned
It is important to know the conditions and/or requirements for the granting, proof or withdrawal of consent.
First, it is the controller’s obligation to demonstrate that data subjects consented to the processing of their personal data, as provided for in Article 7.1 of the GDPR:
“Where the processing is based on the data subject’s consent, the controller must be able to demonstrate that the data subject consented to the processing of his or her personal data”.
Where consent is collected in written form and the document also refers to other matters, the request for consent must appear separately from those other matters, so that the person is fully aware of the purposes of data processing for which he or she is giving consent.
In addition, it is important that the data controller uses clear and simple language and easy-to-access tools. In other words, it should avoid complex grammatical structures and terminology and thus comply with the provisions of Article 12.1 of the GDPR:
“The controller shall take appropriate measures to provide the data subject with all information (…) in a concise, transparent, intelligible and easily accessible form, in clear and plain language.”
Finally, it should be as easy to give consent as it is to withdraw it. As soon as consent is withdrawn, the data can no longer be processed.
Collection of consent
Given that the collection of consent is an obligation of the data controller, it is equally important to keep a record of that collection in custody so that it can be produced as evidence if necessary, in line with the provisions of Article 7.1 of the GDPR.
Nowadays it is possible to obtain express consent in two ways: verbally and in writing.
With respect to verbal consent, which is the kind that can be given by telephone, its validity is admitted, but a major problem arises with respect to its legal effectiveness. Specifically, it is difficult to prove its existence in the event of non-compliance on the part of the person responsible, since it would require technical systems that allow recording, custody and reproduction.
The other means of collecting express consent is in writing, which includes electronic means. Examples include forms, boxes on websites, application registrations, etc.
In no case is consent valid when it is merely “understood” from the silence of the person, from boxes that were previously checked or from inaction on the part of the person concerned. This belongs to the category of tacit consent, something that current legislation does not accept as valid.
Regardless of how consent is collected by the data controller, it is important that it be express and unequivocally recorded in any multimedia system.
In this regard, the European Data Protection Committee points out in its 5/2020 guidelines that an obvious way to ensure that consent is explicit would be to confirm that it was given in a written statement, in order to eliminate any possible doubt or lack of proof. It also points out, however, that signed statements are not the only way to obtain consent. For example, in the digital context, a data subject can give explicit consent by means of an electronic form, by sending an email, by uploading a scanned document with his or her signature, or through the use of an electronic signature.
For all these reasons, companies must have improved and mature consent management processes and rely on solutions, such as MailComms Group’s, to help them manage the entire process, ensuring compliance and avoiding penalties.
At this point it is very helpful for compliance to have a qualified and trustworthy electronic service provider, as is the case with Mailcomms Group, which is also certified in the main information security and privacy standards, such as ISO/IEC 27001 and ISO/IEC 27701, to which is added its accreditation in the high level category in the National Security Scheme.