Consent under the GDPR:
Consent is one of the legal bases for the processing of personal data under the General Data Protection Regulation (GDPR). It plays a central role in data protection law and must meet certain requirements to be effective. Here are the key aspects of consent explained in detail:
Definition and requirements:
- Voluntariness: Consent must be given freely. This means that the data subject must be able to make a genuine choice, without pressure or coercion. Consent is not voluntary if the data subject does not have a genuine choice or if there are significant negative consequences for refusing consent.
- Informedness: The data subject must be provided with comprehensive information about the processing before giving his or her consent. This includes information on the identity of the controller, the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients of the data, the existence of a right to withdraw consent and the possible consequences of refusal to consent.
- Clear expression of will: Consent must be given through a clear expression of will. This can be done in writing, electronically or verbally, but must be clear and specific. A blanket or unclear consent is not permitted.
Forms of consent:
- Written consent: Written consent is the most common form and has the advantage that it can be documented and proven in the event of a dispute. It should be clear and understandable and contain all the necessary information.
- Electronic consent: Electronic consent can be given by checking a box on a website, filling out a form or confirming by email. Again, consent must be given clearly and unambiguously.
- Verbal consent: Verbal consent is also acceptable, but should be documented so that it can be proven in the event of a dispute. This can be done by a recording or a written confirmation following the verbal consent.
Revocation of consent:
- The data subject has the right to withdraw his or her consent at any time. Withdrawal must be as easy as giving consent. The controller must inform the data subject of his or her right to withdraw consent and the possibility of exercising this right.
- After the consent has been withdrawn, the controller may not further process the personal data unless there is another legal basis for the processing.
Relevant articles of the GDPR:
- Article 4 No. 11: Definition of consent
- Article 6(1)(a): Legal basis for consent
- Article 7: Conditions for consent
- Recital 32: Voluntary and informed consent
Example of a declaration of consent:
Here is an example of a consent form that contains all the required information and meets the requirements of the GDPR:
Declaration of consent to the processing of personal data
By signing this consent form, I agree to the processing of my personal data in accordance with the conditions below:
- Controller: [Name and contact details of the company]
- Purpose of processing: [Description of the purposes for which the personal data are processed]
- Categories of data processed: [Description of the categories of personal data being processed]
- Recipient: [Description of the recipients or categories of recipients to whom the data will be disclosed]
- Right of revocation: I am informed that I can revoke my consent at any time without affecting the legality of the processing carried out up to the time of revocation. The revocation can be made by [description of the revocation option, e.g. email to a specific address].
- Possible consequences of refusing consent: Consents that are vague or unclearly worded are also ineffective. The data subject must know exactly what type of processing he or she is consenting to and for what purposes the data will be used.
Special considerations for children:
- Consent of children: When processing personal data of children under 16 years of age, the consent of parents or guardians is required. However, EU Member States may set a lower age, which must be at least 13 years.
- Special requirements: The consent information must be written in clear and simple language that is easy for children to understand. This ensures that children can also understand the consequences of their consent.
Documentation and proof of consent:
- Documentation requirement: Companies must be able to prove that the data subject has given their consent. This requires appropriate documentation that records when and how the consent was given and what information was made available to the data subject.
- Archiving: Consent forms should be stored securely so that they can serve as proof if required. This can be done in paper or electronic form, as long as the integrity and security of the data are ensured.
Summary:
Consent under the GDPR is a key basis for the lawful processing of personal data. It must be voluntary, informed and given through a clear expression of the data subject’s will. Companies must ensure that they properly obtain and document consent and give the data subject the opportunity to withdraw their consent at any time. Implementing these requirements takes careful planning and clear communication to meet the data protection requirements of the GDPR and gain the trust of the data subjects.