Consent and the GDPR
As you have learned, processing personal data requires a legal basis. As regards health data, in many instances the legal basis will be the provision of healthcare services by a professional subject to professional secrecy (Article 9(2)(h) and 9(3)). In many other cases, the legal basis for processing health data, including for example medical research (which will be discussed in week 2) or apps, will be the explicit consent of the data subject (Article 9(2)(a)). Anna’s GP and gynaecologists can process her data because they are healthcare providers bound by confidentiality. An app intended to process health data needs to request Anna’s explicit consent to process her data.
Consent of the data subject within the meaning of the GDPR means a clear affirmative act establishing the freely given, specific, informed and unambiguous indication that the data subject agrees to the processing of his or her personal data. Freely given consent means that the data subject has a genuine or free choice or is able to refuse or withdraw consent without detriment. For consent to be informed, the data subject needs to be aware of the identity of the controller and the purpose of processing.
Consent needs to be given to all processing activities, which can be done for example by a written statement (including by electronic means) or an oral statement. If the data subject needs to give consent by electronic means, the request for consent has to be clear, concise and not unnecessarily disruptive. This type of consent can be given for example by ticking a box when visiting a website, choosing certain technical settings or any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing. Pre-ticked boxes or inactivity by the data subject do not constitute consent. This means that an app company for example needs to think about how to request consent in a manner that complies with the GDPR and how to demonstrate this to the supervisory authority upon request.
Where processing is based on consent, Article 7 provides that the controller needs to be able to demonstrate that the data subject has given consent to the processing activities. Furthermore, the request for consent needs to be presented in a clearly distinguishable form. This means that it cannot be buried within a contract or other written document. It needs to be presented in clear and plain language, in an intelligible and easily accessible form which is clearly distinguishable from other matters (within a contract or other written document), and may not contain unfair terms. The data subject has the right to withdraw his or her consent at any time.
Do you have examples from your own experience where you have been asked to give consent to a data controller to process your data? Feel free to discuss these situations with other learners on the discussion board.
© University of Groningen