- Freely given (i.e. real choice and control). For example, if individuals must agree in order to get access to a website, they have no real choice or control, so their consent is not freely given. Employers and other organizations in positions of power over individuals should avoid relying on consent, as it is unlikely to be freely given.
- Specific (i.e. the description of the purpose of the processing must be granular and must be kept separate from information about other matters). For example, if a website seeks to market to an individual by mail and by phone, the individual must be able to consent separately to mail and to phone.
- Informed (i.e. the individual must know the controller’s identity, the purpose of each processing operation for which the controller is seeking consent, the type of data that will be collected and used, the existence of the right to withdraw consent, where relevant the existence of the right not to be subject to automated decision-making, including profiling, and the possible risks of transferring personal data outside the EU).
- Unambiguous indication of the individual’s agreement to the processing of personal data (i.e. there must be a clear affirmative and deliberate action). An example is when an individual checks a checkbox.
All of these requirements must be met. Furthermore, individuals must be able to withdraw their consent, and it must be easy for them to do so.
The subject of the next blog is one of the other common legal grounds for a controller to process personal data: legitimate interests.
This blog is the 18th in a series of blogs that explains, in bite-size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation.