Open Navigation

Consent to Processing

The GDPR sets a very high standard for consent. To be valid consent a number of conditions must be met.

Under the GDPR there are specific conditions that must be met in order for a data subject to give valid consent to the processing of their personal data. The data subject must be properly informed about what they are consenting to at a granular level.

Consent

Broad sweeping statements about how a controller will use the data, are not acceptable.  The data subject must give consent freely and must positively opt in to giving consent.  Opting out is no longer sufficient – i.e. pre-checked boxes which must be unchecked to consent.

The consent must be unambiguous and specific, and critically must be as easy to withdraw as it is to give.  However, there are other lawful basis for processing which should also be considered.

Obtaining Consent

Obtaining the specific, informed, positive consent of a data subject is one of the lawful basis for processing personal data.  Whereas previously under the Data Protection Act 198 many organisations operated on the basis of broad forms of consent, where the option was to opt out rather than to opt in, under the GDPR that is no longer sufficient.

Firstly, and significantly, the data subject must be informed about the data that is to be collected, what it will be used for, how long it will be retained, who will process it, and their rights in respect of that data – including their ability to object to processing, their right to access the data and their right to request erasure (commonly referred to as the right to be forgotten).

Practically speaking the most prudent route is likely to be to issue a detailed and informative Privacy Notice (see our page on Privacy Notices) so that the data subject is properly informed and to ask the data subject to signify consent either by executing an opt in provision once they have confirmed that they have read and understood the terms of the Privacy Notice.

Individuals over the age of 13 can consent to the processing of their personal data.  Under that age you can rely on the consent of a parent or guardian.

Other lawful basis for processing

In many instances data controllers will be best advised to rely on another lawful basis for processing if one exists, particularly, for example in relation to the processing of employee data where it has been said that due to the inequality of bargaining power consent can never be truly freely given.

Other lawful basis for processing personal data (not sensitive personal data – dee below) include:

  • The performance of a contract
  • Compliance with a legal obligation
  • Protection of the vital interests of the data subject
  • The processing is in the public interest
  • The controller has legitimate interests for processing the data and there is no adverse effect on the rights and freedoms of the data subject.

Given the complexities around obtaining valid consent.  If you have another lawful basis for processing then it may be prudent to use it.

In order to lawfully process sensitive personal data additional requirements must be satisfied, reflecting the greater importance given to the protection of this more private personal data.  Lawful grounds to process sensitive personal data include:

  • Explicit consent
  • The compliance with employment obligations
  • Protection of the vital interests of the data subject
  • The data is already in the public domain and was placed there by the data subject
  • Establishing or exercising a legal claim or defence
  • The processing is in the public interest.

In most cases, in order to process sensitive personal data, explicit consent from the data subject will be required.

 

 

News

COVID-19 Legal Right to Work Check Concessions End on 20 June 2021

The UK Home Office has provided employers with latitude in meeting Legal Right to Work (LRTW) Compliance requirements during the COVID-19 pandemic through a series of concessions. One such concession enables employers to conduct right to work checks remotely, thus not requiring employees or HR personnel to be physically present in an office for the…

Read More
Passport

Is it legal to use coronavirus passports in the UK?

The vaccination programme has been very successful, with over 30 million adults receiving their first inoculations and over 4 million, their second. Until the last few months, the UK government said that requiring coronavirus passports in order to access certain services and foreign travel was discriminatory and therefore would not be adopted.  This view now…

Read More
Immigration Advice based upon the MAC Report

Migration Advisory Committee: Call for Evidence

The Migration Advisory Committee (MAC) is a body of independent expert economists retained by Government to advise on immigration policy reform in the context of prevailing labour market and UK business needs. The MAC undertakes extensive labour market and stakeholder research before publishing recommendations for change following commissions from the Home Office. A MAC review…

Read More