Rina Steenkamp - Privacy and technology

My annotated General Data Protection Regulation

Chapter II Principles

Article 7 Conditions for consent

October 2013

Article 7(1)

1. Where processing is based on consent, the controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for specified purposes.

Article 7(2)

2. If the data subject's consent is given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented clearly distinguishable in its appearance from this other matter. Provisions on the data subjectís consent which are partly in violation of this Regulation are fully void.

Article 7(3)

3. Notwithstanding other legal grounds for processing, the data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. It shall be as easy to withdraw consent as to give it. The data subject shall be informed by the controller if withdrawal of consent may result in the termination of the services provided or of the relationship with the controller.

Article 7(4)

4. Consent shall be purpose-limited and shall lose its validity when the purpose ceases to exist or as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were originally collected. The execution of a contract or the provision of a service shall not be made conditional on the consent to the processing of data that is not necessary for the execution of the contract or the provision of the service pursuant to Article 6(1), point (b).

[Source: October 2013]

Recital 31

(31) In order for processing to be lawful, personal data should be processed on the basis of the consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation. In case of a child or a person lacking legal capacity, relevant Union or Member State law should determine the conditions under which consent is given or authorised by that person.

Recital 32

(32) Where processing is based on the data subjectís consent, the controller should have the burden of proving that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what extent consent is given. To comply with the principle of data minimisation, the burden of proof should not be understood as requiring the positive identification of data subjects unless necessary. Similar to civil law terms (Directive 93/13/EEC), data protection policies should be as clear and transparent as possible. They should not contain hidden or disadvantageous clauses. Consent can not be given for the processing of personal data of third persons.

Recital 33

(33) In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment. This is especially the case if the controller is a public authority that can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given. The use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes, does not express free consent. Consent for the processing of additional personal data that are not necessary for the provision of a service should not be a required for using the service. When consent is withdrawn, this may allow the termination or nonexecution of a service which is dependent on the data. Where the conclusion of the intended purpose is unclear, the controller should in regular intervals provide the data subject with information about the processing and request a reaffirmation of their consent.

Recital 34

(34) (deleted)

[Source: October 2013 | Notes: Recitals | Context: Recitals]

January 2012

Explanatory memorandum

3.4. Detailed explanation of the proposal

Article 7 clarifies the conditions for consent to be valid as a legal ground for lawful processing.

[Source: January 2012 | Context: Proposal from the European Commission]

Article 7(1) [Amended: October 2013]

1. The controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for specified purposes.

Article 7(2) [Amended: October 2013]

2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.

Article 7(3) [Amended: October 2013]

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Article 7(4) [Amended: October 2013]

4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.

[Source: January 2012 | Context: Proposal from the European Commission]

Recital 31 [Amended: October 2013]

(31) In order for processing to be lawful, personal data should be processed on the basis of the consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation.

Recital 32 [Amended: October 2013]

(32) Where processing is based on the data subject's consent, the controller should have the burden of proving that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what extent consent is given.

Recital 33 [Amended: October 2013]

(33) In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment.

Recital 34 [Deleted: October 2013]

(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees' personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.

[Source: January 2012 | Notes: Recitals | Context: Proposal from the European Commission, Recitals]