Welcome to a new entry in our series on GDPR, one of the most challenging regulations for companies of all industries and sizes to comply with.

Consent in the GDPR

In the previous entry, Consent Lifecycle, we discussed the importance of concepts such as collection, custody and withdrawal. On this occasion, we would like to take a closer look at other very important issues described in the European regulation, such as the bases, purposes and limits. If you want to get a head start on what you are about to read, we recommend that you refer to Articles 5, 6 and 7.

Basis of consent and purposes (Article 6 of the GDPR)

One of the GDPR's fundamental pillars for data processing is the consent of the data subject. But although it acts as a legitimate basis for data processing in many contexts, it is not the only one.

The purpose responds to a legal basis for the processing. In other words, there must be a valid purpose (set out in the GDPR or the LOPDGDD) that legitimizes the processing of personal data. The principle of purpose of the processing of personal data defines why and for what purpose the data is collected. This is a fundamental issue for compliance.

The purpose of the processing defines the reasons and purposes of the processing, in addition to determining its lawfulness. These reasons are listed in Article 6 of the GDPR:

  • Explicit consent of the data subject for one or more specific purposes.
  • Necessity of the processing for the execution of a contract.
  • Fulfillment of a legal obligation of the data controller.
  • Protection of vital interests of the person concerned or other natural person.
  • Execution of a public interest mission or exercise of public powers.
  • Legitimate interest of the data controller or a third party, unless the rights of the data owner prevail.

Consent, therefore, is only one of the possible bases, but when it is used, it must meet strict requirements. And companies need to be able to defend this compliance at all times.

Principles related to consent (Article 5 of the GDPR)


  • Lawfulness, fairness and transparency: consent must be informed, clear and freely given.
  • Purpose limitation: data may only be used for the specific purposes for which consent was obtained.
  • Data minimization: only the necessary data should be collected.
  • Other key principles are accuracy, storage limitation, integrity and confidentiality, and proactive accountability.


Conditions of consent (Article 7 of the GDPR)

Article 7 of the GDPR details the conditions that consent must meet to be valid. You will find them below, accompanied by a brief explanation.

  • Demonstrability: the data controller must be able to demonstrate that the data subject consented. In other words, it is up to the data controller to keep the evidence that proves that the data subject accepted or consented to the processing of the data for the stated purposes.
  • Clarity and granularity: if the consent is part of a broader statement, it must be clearly differentiated. In other words, a single consent cannot be requested for a plurality of purposes. The GDPR encourages consent to be given separately for each purpose, so as to allow each individual to freely choose which processing operations he or she accepts and which he or she does not. For example, a data controller requests consent for two purposes: the first is for profiling, while the second is for participation in surveys. In this case, and for proper compliance, the controller must separately and explicitly request consent for each of the two purposes. The user will decide whether to accept both, one of them or none of them.
  • Right to withdraw consent: the data subject may withdraw consent at any time, and it should be as easy to withdraw consent as it is to give it. In addition, it will also be up to the controller to prove that it has been withdrawn as requested by the data subject.
  • Free choice: consent will be invalid if the performance of a contract is made conditional on consent to processing that is not necessary for that contract. For example, if a user wants to buy a product online, he cannot be required to consent to the processing of his data for advertising purposes as a condition for completing the purchase. Consents for additional purposes (such as marketing, analytics, etc.) must be optional and must also be requested and given separately.

Limits of consent

Consent is a powerful but not omnipotent tool. Its limits are also set out in the GDPR. They are:

  • It cannot be forced or implied.
  • It is not valid if there is an imbalance of power (for example, in labor relations).
  • It must be renewed if the purposes of the processing change.
  • It does not replace other legal bases when these are more appropriate (e.g., legal obligations).


Conclusion

As already mentioned in the entry on the consent lifecycle, the way in which consent is collected is crucial when it comes to complying with data protection regulations and maintaining the trust of users. It is also very important that the data controller knows and respects the limits established by the GDPR. Among them is the fact that consent must be requested again if the initial purposes change. In other words, transparency and regulatory compliance must be guaranteed at every stage.

For all these reasons, companies must have improved and mature consent management processes and rely on solutions, such as MailComms Group’s, to support them during the process and help them avoid penalties.

For effective and reliable compliance, it is helpful to have a qualified and trusted e-services provider, as is the case with Mailcomms Group, which is also certified in the main information security and privacy regulations, such as ISO/IEC 27001 and ISO/IEC 27701. In addition to these certifications, Mailcomms Group is accredited in the high level category in the National Security Scheme of the National Cryptologic Center.

If you want to learn about one of the most robust consent management systems on the market, we invite you to explore this blog or contact us.
