All processing of personal data must be based on a legal basis. Consent is one of the six lawful bases in GDPR. One of the most important aspects of personal data processing for organisations is that each processing of personal data must be based on one of the lawful bases outlined in Article 6 of the GDPR.
One of the lawful bases that can be used is consent (Article 6(1)(a)). However, it is important to remember that consent is not always appropriate and not always necessary, as one of the other lawful bases in the GDPR may be applicable.
It is a common misunderstanding that, in a contract-based relationship, consent is always required for processing of personal data. However, there is a lawful basis concerning the performance of a contract, Article 6(1)(b), that can be used for the processing of personal data necessary for fulfilling the contract. For that processing of personal data, no other lawful basis is required.
Consent can be given orally, in writing, or through an obvious affirmative action. A key consideration is that there should be evidence that consent has been obtained. In the event of a dispute, you must be able to prove that valid consent is the basis for the processing of personal data. In many cases, it is easier to prove a written consent than an oral one.
Conditions for using consent as a lawful basis
Informed
The person giving the consent must be informed. This means that the data controller must inform the individual about the specific processing of personal data that the consent pertains to. The information provided must be easily accessible, understandable, and in clear and plain language. The information should include, at least, the following:
- Who is requesting the consent. (The person or organisation that is the data controller. This may seem obvious, but in some situations it can be more complicated, for example, if there are multiple parties involved in the same service where the processing of personal data takes place.)
- What types of personal data will be processed.
- The purpose or purposes of the processing.
- That consent can always be revoked!
Freely given
The individual must have the freedom to refuse consent without facing negative consequences. Therefore, consent is not appropriate in situations where power imbalances exist, such as in an employment relationship.
Unambiguous
Consent must be actively given and clear. For example, a pre-ticked checkbox does not constitute valid consent as it lacks an active choice. Moreover, individuals have the right to withdraw their consent at any time. In such cases, the data controller must cease processing the personal data based on that consent.
Publishing Pictures of Employees on Website – An Example of When Consent is Inappropriate
Many companies and authorities feature pictures of their employees on their website. This processing may be lawful, but usually not based on consent.
Authorities
For authorities, the processing may instead be based on the lawful basis of public interest (Article 6(1)(c)), provided that the purpose is to inform about the authority’s activities. Public interest as a lawful basis requires support in law, another regulation, or a collective agreement. However, individuals have the right to object to the processing of their personal data.
Authorities cannot rely on the lawful basis of legitimate interests (Article 6(1)(f)). They also typically cannot rely on consent as a lawful basis, as in many situations there is not an equal relationship between the individual granting consent and the authority.
Public interest should not justify having all employees’ profile pictures on the website; instead, displaying employees with public and important roles may be justified by the lawful basis.
Companies and Private Organisations
Consent is not always appropriate in employment relationships because the employee is in a dependent relationship with the employer. It is difficult to demonstrate that consent is given voluntarily when there are unequal power dynamics between the parties.
For companies, processing may sometimes be based on the lawful basis of legitimate interests (Article 6(1)(f)), provided that the purpose is to inform about your business activities. In a Legitimate Interests Assessment (LIA), one weighs the individual’s interest in not having their personal data processed against the company’s interest in processing the personal data. For example, the company’s reasons for processing personal data for direct marketing or to prevent fraud may outweigh the individual’s interest. A Legitimate Interests Assessment should always be documented.
In addition to the lawful basis used, it may be beneficial to consider which individuals appear on the website. It may not be justified in a Legitimate Interests Assessment to display pictures of all employees, but displaying employees who work in customer service or in public-facing roles may be justified.
If consent were to be used as the lawful basis, it is important to reflect on whether it is genuinely voluntary for employees to be displayed on the website or not.