Collecting consent under the GDPR
The GDPR stipulates high requirements for obtaining consent, however, in many cases, consent is not needed for processing personal data. For example, processing of personal data may also be lawful in consequence of contractual compliance, a legal obligation or a balancing of interests, and such others should always be considered before relying on consent as the lawful basis for processing.
Consent means that the registered person has been given a real choice and thereby control of how his/her personal data are used by e.g. a company.
There are several conditions that must be considered when collecting, storing and processing a consent which is to be used as the lawful basis for processing.
For a quick overview of what should be particularly considered, please see Holst, Advokater’s consent checklist.
Collecting consent
- We have decided that consent is the most appropriate lawful basis for processing data in the given situation.
- We have separated the request for consent from other documents, e.g. our terms of sale and delivery.
- We require that the data subject in question actively consents.
- We never use pre-ticked boxes for consent or other types of silent consent.
- We have phrased the consent in a clear and comprehensible way.
- We have specified for which purpose the consent is given, and we will only use it for such purpose.
- We require separate consents if the processing has multiple purposes.
- We always disclose the name of the data controller and any data processors before consent is given.
- We inform that consent can always be withdrawn.
- We ensure that there will be no detriment or negative consequences if refusing to give consent.
- We ensure that consent is not a term or condition for the delivery of a product or service.
- We only use consent from children if it is possible to check the child’s age in relation to statutory minimum age (country dependent), otherwise, parental consent will be collected.
Storing consent
- We can document who has given consent and when consent was given.
- We can document how consent was given and what consent was given for.
Processing consent
- We regularly check that the processing and the purpose of the collection have not changed since the consent was collected.
- We have appropriate processes for checking the current interest and accuracy of the consent, including any parental consent.
- We have made it easy for the person who has given consent to revoke his/her consent, and we have provided information on how this is done.
- We immediately follow up on revocation of consent and cease all processing based thereon.
- We do not punish anyone for withdrawing their consent.