IS THE CONSENT ALWAYS REQUIRED FOR DATA PROCESSING?

I had to apply for issuance of a real estate layout and a tax assessment certificate two weeks ago. While I was submitting the applications the officials asked me to sign declarations and to give my consent for the processing of my personal data in order to get the administrative services I was applying for. The officials were so kind and helpful that my heart did not let me deny and I was pleased to sign the declarations in question.

This and collection of consent for personal data processing that happens increasingly often lately after the enforcement of Regulation (EU) 2016/679 (General Data Protection Regulation /GDPR/) made me write this article.

Pursuant to Art. 6 GDPR data processing may only take place on any of the following grounds:

(a) the data subject has given consent to the processing of his or her personal data;

 

(b) processing is necessary for the performance of a contract to which the data subject is party;

 

(c) processing is necessary for compliance with a legal obligation;

 

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

 

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

 

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

 

No matter that consent is ranked first among the grounds for data collection and processing, all grounds are of equal value and strength. The presence of any of them makes processing lawful.

Reassurance in terms of ‘let’s have the consent, … just in case we need it’ may play a dirty trick on controllers because it should be known that consent for processing of personal data must be given freely, and most important – the data subject is having the right to withdraw his/her consent at any time under Art. 7(3) GDPR. This means that once the consent has been withdrawn, the controller should cease using the personal data. And if de jure they process them on another ground, this may not happen and they are at a risk to be in an awkward situation that may cost them a fine or a property penalty, because they have misled the person who have given his/her consent – that they are processing his/her data on the basis of his/her consent and that he/she may withdraw it at any time.

In the case with issuance of a layout and a tax assessment certificate, if I had withdrawn my consent right after submission of the applications, the controller would not be able to cease the processing of my personal data, because by law they are in the position to use them for the exercise of their official authority – rendering the services I applied for, and most important – they may not deny rendering the concerned services to me, even if I had withdrawn my consent. For this reason the officials should not request my consent, because they process my personal data on the basis of exercising their official authority of the respective agency.

That’s why before requesting any consent for the use of personal data, first you should ask yourself if there is no other legal ground for their collection and processing, such as a contract with the subject, whose data you are processing, or a legal obligation as one of the most common grounds in the private sector, and what would be the consequences in case the consent has been withdrawn by the data subject.

So if you use the personal data of your employees in the capacity of an employer, to pay the social security contributions due, you will do it on the basis of execution of your legitimate obligation, because the law puts you in a position, as an employer, to deduct the social security contributions from the salaries of your employees and deposit them every month to the respective accounts of the state budget.

Further, if your company hires a contractor to make furniture for your office, you should not request the contractor’s consent in order to use their bank account for the purpose of payment of the agreed remuneration, because you will do that on the basis of performance of your concluded contract for making of furniture.

In the private sector the most common cases when you should request consent for using of the personal data are: direct marketing and sending newsletters.

Not long ago and still it is a common practice in marketing departments to purchase e-mail lists of unknown origin which nobody knows how and where have been collected and composed. After the GDPR became effective, which happened on the 25th of May this year, this practice must be definitely stopped, because the major principle in the direct marketing regarding natural persons is ‘opt-in’, not ‘opt-out’, i.e. you must obtain the consent from the individual in advance in order to send him/her a commercial message, not to rely on the fact that they may refuse to receive your messages.

It is the same case with the issue of sending a newsletter. It is recommended that your website have an option for obtaining consent, storing information about the consents both received and withdrawn for the purpose of maintaining an updated list of recipients who have given their consent for receiving your newsletter and for execution of the reporting obligation as imposed by the GDPR on each controller.

Summarizing: If any of the other grounds for personal data processing is present, as enlisted in Art. 6 GDPR, do not ask for consent for such processing. Consent is rather the final option unless any of the other grounds exists.

If I haven’t answered to all of your questions related to consent or if you hesitate and need help, I would be glad to assist you.

Author: Andon Nastev, Attorney-at-law