Search

Publikacje

CONSENT TO PROCESSING OF PERSONAL DATA UNDER GDPR

Both under the law as it stands now and under the
Regulation, consent to the processing of personal
data given by the data subject is one of the
conditions that must be met to make processing of
personal data lawful. However, the Regulation
introduces significant changes in obtaining consent
to personal data processing. The changes will make
it necessary to modify the process of obtaining
consent after May 25, 2018 and may require re-
obtaining it from those who granted their consent
under the regulations currently in force.

Under the Regulation, “consent” of the data
subject means any freely given, specific, informed
and unambiguous indication of the data subject’s
wish by which he or she, by a statement or by a
clear affirmative action, signifies agreement to the
processing of personal data relating to him or her.
Thus, the principal conditions of consent are that it
must be freely given, specific, informed and
unambiguous. Consent should be granted on an opt-
in basis that requires some affirmative action (e.g.
ticking the consent box) from the data subject.
However, the Regulation excludes permissibility of
opt-out arrangements that rely on inactivity or
silence and often simply on inattentiveness of the
data subject (e.g. pre-ticked consent boxes).

Importantly, compared to the current regime, the
Regulation makes the approach to granting consent
more flexible, by allowing it to be granted not only
by making a declaration of intent but also in other
ways, for example by choosing technical settings
for information society services or another conduct
that clearly indicates in this context the data
subject’s acceptance of the proposed processing of
his or her personal data. The declaration of consent
to the processing of personal data does not require
to be made in any special form. However, the
controller must be able to demonstrate that the
data subject has granted his or her consent.
Consequently, organisational and technical means
must be put in place for recording the granting of
consent by the data subject to the processing of his
or her personal data.

Pursuant to the Regulation, the data subject is
entitled to withdraw his or her consent to the
processing of personal data at any time. While the
above right is also present in the current
regulations, the Regulation additionally requires
that at the time personal data is obtained the data
subject should be informed of the existence of the
right to withdraw his or her consent. The
Regulation further provides that withdrawal of
consent should be as easy as giving consent. Thus,
controllers
should
develop
procedures
for
withdrawal of consent that correspond to the
manner in which it is given.

The request for consent must be presented in a
manner which is clearly distinguishable from the
other matters, in an intelligible and easily
accessible form, using clear and plain language.
The Regulation extends significantly the list of
information the data subject should be provided
with at the time the data is obtained, including the
time period over which the data is to be retained,
the existence of the right to withdraw consent, and
information on automated decision-making. In the
light of the above, the majority of controllers will
have to update the scope of information provided
by them to data subjects at the time the data is
obtained.

As indicated by the above, the Regulation
introduces a number of changes in the process of
obtaining consent to the processing of personal
data. Given the imminent date on which the
Regulation will become applicable (May 25, 2018),
enterprises should check whether the mechanisms
employed by them to obtaining and processing
personal data are in line with the new provisions
and what changes are necessary in that regard.
They will also need to confirm whether they will be
able to continue data processing under the consent
given before the new provisions become applicable.
According to recital 171 of the Regulation, where
processing is based on consent given pursuant to
the current provisions, it is not necessary for the
data subject to give his or her consent again if the
manner in which the consent was given complies
with the conditions of the Regulation.

MILLER, CANFIELD,
W. BABICKI, A. CHEŁCHOWSKI I WSPÓLNICY SP.K.
ul. Batorego 28-32
81-366 Gdynia
Tel. +48 58 782-0050
Fax +48 58 782-0060
gdynia@pl.millercanfield.com
ul. Nowogrodzka 11
00-513 Warszawa
Tel. +48 22 447-4300
Fax +48 22 447-4301
warszawa@pl.millercanfield.com
ul. Skarbowców 23a
53-125 Wrocław
Tel. +48 71 780-3100
Fax +48 71 780-3101
wroclaw@pl.millercanfield.com

Disclaimer: This publication has been prepared for clients and professional associates of Miller Canfield. It is intended to provide only a summary of
certain recent legal developments of selected areas of law. For this reason the information contained in this publication should not form the basis of any
decision as to a particular course of action; nor should it be relied on as legal advice or regarded as a substitute for detailed advice in individual cases.
The services of a competent professional adviser should be obtained in each instance so that the applicability of the relevant legislation or other legal
development to the particular facts can be verified.