Regulation (EU) 2016/679 of the European Parliament and of the Council, referred to as GDPR (hereinafter “the Regulation”), designates consent as one of the possible legal bases for the processing of personal data. In the practice of online traders, the processing of personal data for the purpose of sending (disseminating) commercial communications (for example, so-called newsletters) or processing for other marketing purposes will most frequently be based on consent. The processing of customer personal data for the purpose of sending commercial communications may also be carried out by the trader on the basis of so-called legitimate interest; however, this issue exceeds the scope of this legal circular.
Given that the Article 29 Working Party recently issued a working version of its interpretative opinion on the issue of consent, we have decided to devote this January legal circular to certain practical questions related to obtaining consent to the processing of personal data.
According to the provisions of Article 4(11) of the Regulation, consent means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” On the issue of the freedom of consent, Working Party 29 states that “if the data subject has no genuine choice and therefore feels compelled to consent or would suffer detriment if consent is not given, then consent will not be valid. If consent is bundled up as a non-negotiable part of terms and conditions, it is presumed not to have been freely given. Likewise, consent will not be considered to be free if the data subject is unable to refuse or withdraw consent without detriment.” It is therefore clear that consent to the processing of personal data cannot be given as part of consent to terms and conditions.
Consent to the processing of personal data may be required by the trader for multiple purposes (for example, for sending commercial communications and for conducting marketing studies). In such a case, according to Working Party 29, “the data subject should have the freedom to choose which of these purposes he or she accepts and should not be forced to consent to a whole package of processing purposes.” This means that for each purpose of processing (based on this legal basis), consent should be given separately by the data subject.
When obtaining consent to the processing of personal data, the trader should primarily fulfil his information obligation established in Article 13 of the Regulation. However, Working Party 29 states somewhat surprisingly in this regard that “valid informed consent can exist even if not all elements” according to Article 13 of the Regulation “are mentioned during the collection of consent.” In this context, it is also appropriate to mention the new interpretative opinion of Working Party 29 regarding transparency, which contains recommendations concerning the fulfilment of information obligations in “layers” and also relates to the information obligation when obtaining consent to the processing of personal data. From the first layer of information, the data subject should be able to identify basic information regarding the processing of his or her personal data and where he or she can find more detailed information.
The question of so-called double opt-in when obtaining consent to the processing of personal data is also widely discussed. In this regard, it should be noted that the Regulation itself does not expressly establish such an obligation. Proponents of “mandatory” double opt-in start from the premise that the controller must be able to demonstrate consent to the processing of personal data throughout the entire period of processing. However, the obligation to demonstrate consent to the processing of personal data already follows from current legislation (and is therefore not a change in legislation). Moreover, under the principle of accountability, the controller of personal data is obliged under the Regulation to demonstrate the compliance of the entire processing of personal data with the Regulation (not only the granted consent). Likewise, Working Party 29 does not mention such an obligation, merely stating that “for example, in an online context, a controller could retain information about the online actions by which consent was expressed, including documentation of the consent collection process at the time of the data subject’s online presence and a copy of the information that was provided to him or her at that time.” On the other hand, it must be stated that double opt-in is already considered something of a standard in some Western countries.
In conclusion, we would point out that personal data processed by the trader for the purpose of performing a purchase contract (or for the purpose of negotiations regarding the conclusion of a purchase contract) will also be processed on another legal basis. In the case of performing a purchase (or other) contract, this will be the legal basis stated in Article 6(1)(b) of the Regulation: “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”
Josef Aujezdský, advocate
Law Firm Mašek, Kočí, Aujezdský www.e-Advokacie.cz – online legal counselling
This text was originally prepared by the law firm Mašek, Kočí, Aujezdský in cooperation with the Association for Electronic Commerce (APEK) as legal circular No. 01/2018 intended for members of this association.
This text was translated from Czech to English using an AI translator.