GDPR: It’s not all about consent!
Dr. Judith Nink works as the Data Protection Officer and Head of the Advocacy & Industry Relations Department at eyeo. She explains why consent is not always a savior and presents alternatives.
In the first part of this series we learned why consent is not the only, and often not even the best, way to process personal data. After exploring the downsides of consent you may ask:
Why are we still talking about consent, then?
When is consent the right basis, then? First, there are situations in which no statutory legal permission applies, e.g. keeping a candidate's application data after rejecting the candidate for a specific position. In such a case, the company would be required to delete the application data unless the candidate has consented to the data being kept for future job opportunities.
Second, there are situations in which a company wants to give the customer / user a choice even though it is not legally obliged to do so. As long as this is an informed decision, which includes being willing not to process, or to stop processing, personal data if the customer / user refuses to give or withdraws their consent, there is no issue with that. Such a decision can create trust and raise transparency about data processing.
Why is that?
The GDPR requires companies to be transparent about data processing, but the hurdles differ depending on whether the data processing is based on consent or on a statutory legal permission:

| Requirement | Consent | Statutory legal permission |
|---|---|---|
| Right to object / withdraw | ✔️ (withdrawing must be as easy as giving consent) | ⛔ / ✔️ (only in connection with specific permissions, e.g. legitimate interest) |
| Deletion of data | After withdrawal, with future effect | Once the data is no longer necessary for the original purpose and no legal retention obligation applies |
| Information of user | ✔️ Accurate and transparent consent declaration; ✔️ Privacy Notice / Policy | ✔️ Privacy Notice / Policy |

Once you choose to base your data processing on consent, you cannot fall back on any other legal permission. This means that if the customer / user withdraws consent, processing must stop immediately. Even if a statutory legal permission would otherwise apply, you can no longer rely on it (remember? That would be fundamentally unfair: consent vs. other permissions).
Additional hurdles exist for the processing of personal data in the employment context, where there is an imbalance of power between employer and employee. Given that dependency, the EDPB, for example, assumes that it is unlikely that the employee is able to deny their consent "without experiencing the fear or real risk of detrimental effects as a result of a refusal".1 Hence, in order to rely on consent, the employer must ensure that the employee has a real choice and can respond freely to a request for consent without feeling any pressure to consent.
The German legislator assumes that such a real choice most likely exists if the employee gains a legal or economic advantage, or if employer and employee pursue similar interests (Sec. 26(2) German Federal Data Protection Act). But consent can also be freely given without such an advantage. For example, a film crew is shooting a report about an employer's hygiene measures during the coronavirus pandemic. If employees have the option to close their doors or to be given equivalent desks elsewhere in the office for the duration of the filming, consent is possible here too.2
Consent or statutory legal permission?
Considering this, when given the choice between basing data processing on consent or on a statutory legal permission, the rule of thumb is as follows:
Consent:
- The service can be provided / the situation can be handled without processing the data subject's personal data; and/or
- The company wants to create specific trust and / or transparency; and/or
- The data processing is only necessary for a specific situation, and individual refusals do not affect the success of that situation.
Statutory legal permission:
- The company must be able to rely on keeping the data for the intended purpose, e.g.:
  - Long-term (beyond a specific situation) data processing is intended; and / or
  - The data processing is necessary for the success of a service / situation.
- The company is obliged to process the personal data, e.g. a statutory legal provision requires it to do so or an authority rightfully requests access to such data, e.g. keeping tax information in accordance with the German Federal Revenue Code.
1 EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, May 4, 2020, para. 21, available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf.
2 EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, May 4, 2020, para. 23, available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf.