Explicit consent and how to obtain it – new GDPR consent guidelines

A look at what the General Data Protection Regulation (GDPR) says on explicit consent, which is needed in specific circumstances. The Article 29 Data Protection Working Party (WP29) has provided guidelines on consent under the EU GDPR. The GDPR consent guidelines were published in December 2017 to offer guidance to supervisory authorities and can help you in attaining GDPR compliance.

As we wrote before consent is one of the six conditions for the lawfulness of processing personal data as stipulated in Article 6 of the GDPR text. The new GDPR consent guidelines among others tackle the topic of explicit consent, the focus of this overview and update.

GDPR consent guidelines - explicit consent example with two stage verification for medical data processing

What is explicit consent and when do you need it?

Explicit consent is not strictly part of the definition of consent as you can read it in Article 4 (Definitions) of the General Data Protection Regulation text, according to which consent of the data subject regarding personal data means any:

  • freely given,
  • specific,
  • informed and
  • unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

However, explicit consent does fall under the clear affirmative action dimension of the unambiguous indication of that consent definition in particular cases.

Explicit consent is required in certain situations where serious data protection risk emerge, hence, where a high level of individual control over personal data is deemed appropriate (GDPR consent guidelines WP29, December 2017)

Although the consent guidelines go far beyond explicit consent alone, we take a deeper dive into the topic and the December 2017 consent guidelines by the WP29 (European Data Protection Board), particularly regarding explicit content.

Explicit consent matters regarding the even higher levels of control and data protection a data subject has in the case of special categories of personal data and special types/circumstances of personal data processing. Of course, you don’t have to work with consent in general. Again, there are other conditions for the lawfulness of processing personal data. Explicit consent mainly comes into the picture in three ‘consent’ circumstances. Let’s sum them up before looking at the guidelines.

Explicit consent and the processing of special categories of data

In the second paragraph of Article 9 of the GDPR, which covers the essential rules regarding the special categories of personal data, the GDPR text says that the general prohibition of processing such ‘sensitive’ personal data categories, does not apply in several cases.

One such case is indeed when the data subject has given explicit consent. From Article 9: “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject”.

Explicit consent and automated individual decision-making, including profiling

GDPR Article 22 covers the main aspects of automated individual decision-making and profiling, a topic that gets special attention in the GDPR.

This also includes explicit consent. In that Article 22, the GDPR states that “the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”.

However, here too there are exceptions of course, with one of them being that this doesn’t apply when this type of data processing is based on the explicit consent of the data subject.

Explicit consent and derogations in international data transfers

A third area where explicit consent is mentioned in the GDPR text is that of data transfers to third countries or international organizations, particularly when there is no adequacy decision (Article 45) or appropriate safeguard (Article 46).

In this case explicit consent to the data transfer can take place after all if the data subject has been adequately informed of the risks of consenting to these kinds of transfers because of the lack of, among others, an appropriate safeguard as is mentioned in Article 49.

Obtaining explicit consent – the guidelines, mechanisms and meaning regarding explicit consent

The WP29 guidelines state that the term ‘explicit’ refers to the way consent is expressed by the data subject. Explicit consent then means that the data subject must give an express statement of consent, for instance in a written statement.

However, although a signed statement is, obviously, very explicit, it isn’t the only way to get explicit consent the WP29 guidelines emphasize.

Explicit consent mechanisms and the duty to demonstrate consent

The guidelines specifically look at the additional mechanisms to obtain explicit consent in this day and age where we do write less and use several other ways to not just consent but also to explicitly consent.

Think about mechanisms with typically two steps as you know them from double opt-in email whereby an additional confirmation is needed before you are really registered. Obviously, the cases in which explicit consent is needed can’t be really compared with signing up for an email newsletter but do note that in the eyes of the WP29 explicit consent can include several (online) means.

The issue you need to take into account though is that, by definition, when you are in a situation of explicit consent this means that consent is chosen as the lawful basis for processing personal data. And when you chose consent that comes with a range of consequences such as the data subject’s right to withdraw consent but also with the duty of the data controller to be able to demonstrate that the data subject has given consent which is far from easy in many cases (the obligation to demonstrate a data subject’s consent is in Article 7 and in Recital 42 where the GDPR states that “where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”).

GDPR Recital 42 - where processing is based on the data subject consent the controller should be able to demonstrate that the data subject has given consent to the processing operation
GDPR Recital 42 – where processing is based on the data subject consent the controller should be able to demonstrate that the data subject has given consent to the processing operation

Two stage verification for explicit consent

That duty and ‘burden’ of proof of course also has an impact on the ways, beyond a written statement, one should try to obtain explicit consent in the mentioned cases.

The consent guidelines by the WP29 emphasize that explicit consent could be obtained through methods such as electronic forms, emails or the upload of scanned documents with the data subject’s signature (or an electronic signature) by way of examples.

What these methods have in common is that there can be a clear trail and explicit consent can be proven, which is of course not the case with oral statements giving explicit consent (but which are theoretically enough as the guidelines state).

Hence why a two stage verification method might be a good option in the case of explicit consent and prove it is valid and it is mentioned by the new consent guidelines for a reason.

Also note on the topic of explicit consent, the new guidelines state that, quote “It should be remembered that explicit consent is not the only way to legitimize processing of special categories of data, certain transfers of data et cetera. Explicit consent may not be appropriate in a particular situation and the GDPR lists several other possibilities to make sure these activities can be done in a lawful manner. For example, Article 9(2) lists nine other legal grounds for lifting the prohibition of processing special categories of data”.

Obtaining explicit consent: an example

The guidelines also give an example of obtaining explicit consent in the scope of special personal data categories (the mentioned sensitive ones).

The example: “A clinic for cosmetic surgery seeks explicit consent from a patient to transfer his medical record to an expert whose second opinion is asked on the condition of the patient. The medical record is a digital file. Given the specific nature of the information concerned, the clinic asks for an electronic signature of the data subject to obtain valid explicit consent and to be able to demonstrate that explicit consent was obtained.”

More consent guidelines from the Article 29 Data Protection Working Party here (PDF downloads immediately).

Top image: Shutterstock – Copyright: Rawpixel.com . GDPR Recital 42 image: Shutterstock – Copyright: Carlos Amarillo. Although our GDPR content has been carefully verified, we are not liable for potential mistakes and advice you to seek assistance in preparing for GDPR.