GDPR: relying on consent for processing personal data
Posted - 14.02.2018
As announced in our previous publications1, all entities processing personal data should be prepared for the application of the General Data Protection Regulation ("GDPR") as from 25 May 2018. In particular, it is required that entities identify at least one of the six lawful grounds (i.e. consent, contract, legal obligation, vital interest, public interest and/or legitimate interest) to justify each personal data processing that they carry out as controller.
In order to clarify the conditions for the data subject’s consent, the Article 29 Data Protection Working Party ("Working Party") issued draft Guidelines on Consent (WP259). The Working Party states that, as a general rule, a data processing carried out for one specific purpose (e.g. sending marketing communications), cannot be justified on multiple bases. Determining an appropriate lawful basis for a specific processing is thus of primary importance, keeping in mind that such a basis could not be substituted by another lawful basis in the course of processing. For instance, if a processing is based on the data subject’s consent, which is subsequently withdrawn, that processing cannot continue on the basis of, for instance, the controller’s legitimate interest. Where this approach may meet the data subjects’ expectations that processing will cease after they withdraw consent, it may be considered as inconsistent with Article 6 of the GDPR, which gives the impression that several lawful bases could justify the same processing.
In practice, controllers must be careful when relying on the data subjects’ consent as the Working Party considers that alternative bases cannot serve as a “back-up” justification. Controllers must also inform the data subjects of the lawful bases that are relied on for each processing of their personal data. The draft Guidelines on Consent were subject to public consultation (closed on 23 January 2018) i.e. any individual or organisation could submit comments that will be taken into account for finalisation. We can expect that the final version of the Guidelines on Consent will clarify the conflicting position of the Working Party with the GDPR as regards the use of multiple grounds to justify a processing.