- Do not confuse consent with other legal bases for data processing
- Consent has high requirements and can be withdrawn at any time
- Consent is useful if you want to give more control to data subjects, or if there is no more relevant and stable legal basis
Often, I have seen employees trying to obtain consents where not required, or data subjects trying to withdraw consents never given. That is because many people do not understand the legal bases for data processing. These are listed in GDPR Articles 6 and 9, the latter being relevant for special categories of personal data, such as data on health, race, philosophical, religious and political views, trade union membership, genetics, biometrics, or sexual life. Legal bases other than consent include, for instance, performance of a contract, legal obligations, public interest, or legitimate interests of the controller or a third party, like exercising rights, ensuring security or pursuing claims.
For instance, collecting GDPR consents for posting photos from events is risky, since anyone who withdraws consent can oblige you to take down a part of your event gallery. Rather, I look for relevant provisions in intellectual property or mass events law, which often give you an entitlement to use photos from events without asking each person in the crowd.
Consent is just one of the possible legal bases for all data categories except data on criminal convictions and offences, whose processing has to be authorized by law. Consent must be freely given, specific, informed, unambiguous and explicit. To be freely given, it should not be relied on in imbalanced relationships, which is often the case where the controller is a public authority or an employer. Neither can you make performing a contract or providing a service conditional on consent to the processing of personal data that is not necessary for the performance of that contract. I suggest collecting consents where there is no stronger legal basis, or when you want to make sure the data subject has subscribed to such processing (for instance a newsletter, optional services, promotional materials).
Next: GDPR staff training 14/17 – what to include in and how to apply contracts?