FYI, I provided the following comments in response to the GDPR Article 29 public consultation today. This underlines the benefits of Advanced Electronic Signatures, as used by eIDAS eSignatures.
As per the instruction on the Article 29 Working Party Newsroom we would like to provide the following comments on the Guidelines on Consent under Regulation 2016/679 (wp259).
Page 19, Section 5.1: Demonstrate consent. "In Article 7(1), the GDPR clearly outlines the explicit obligation of the controller to demonstrate a data subject's consent"
Our concern is that the obligation to demonstrate consent must extend to the data subject as well as to a court of law. The controller must not introduce obstacles that would prevent the data subject from verifying the evidence without involving the courts. This enables dispute resolution to be performed more easily, more quickly and at less expense. It is our recommendation that this right (of the data subject) should be made more explicit within the document.
To put this into context, consider the scenario whereby explicit consent is captured via a written statement, containing the handwritten signature of the data subject. In this case, the data subject has the right to request a (e.g. scanned) copy of this signed statement, together with proof of receipt (e.g. a company date stamp or seal) by the data controller.
In comparison, where a controller chooses to capture consent via electronic means, they must equally ensure that the evidence of consent, including receipt, is shareable with the data subject.
Finally, in the case of consent revocation, the data subject must also be able to request a copy of the consent revocation evidence, including proof of receipt.
Example of best practice
A controller chooses to capture consent electronically via the use of Advanced Electronic Signatures (as per the eIDAS regulation). The controller provides the data subject with the means to electronically create the signature, with a Commitment Type of #ProofOfApproval specified. On receipt, the data controller countersigns the data subject's signature, with a Commitment Type of #ProofOfReceipt specified. On request, the controller can provide a copy of the Advanced Electronic Signature collateral to the data subject. This can be easily verified using a third-party service.
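The sign / countersign / verify pattern described above, as an added illustration that is not part of the original comment or of any eIDAS product. A textbook RSA-over-SHA-256 primitive built from the Python standard library stands in for a real Advanced Electronic Signature (XAdES/CAdES), purely so the block runs offline; it is not a production signature scheme. The commitment type identifiers are assumed to be the XAdES URIs for ProofOfApproval and ProofOfReceipt, the envelope layout (signed_properties / signature_value) is a simplified stand-in for the real AdES structures, and the consent statement and timestamps are constructed sample values.

```python
"""Consent evidence as sign (ProofOfApproval) + countersign (ProofOfReceipt).

Constructed example. Toy RSA replaces a real eIDAS AdES signature; the
envelope layout and the sample statement/timestamps are assumptions.
"""
import hashlib
import json
import math
import random

# XAdES commitment type identifiers (assumed here; the page only names the fragments)
PROOF_OF_APPROVAL = "http://uri.etsi.org/01903/v1.2.2#ProofOfApproval"
PROOF_OF_RECEIPT = "http://uri.etsi.org/01903/v1.2.2#ProofOfReceipt"


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin test: adequate for a demo key, not for a real key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(bits=512, seed=None):
    """Return (public, private) toy RSA keys; a seed makes the demo reproducible."""
    rng = random.Random(seed)
    e = 65537
    while True:
        primes = []
        while len(primes) < 2:
            cand = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_probable_prime(cand, rng):
                primes.append(cand)
        p, q = primes
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            n = p * q
            return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def _canonical(obj) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # 256-bit < 512-bit n


def create_signature(content: bytes, signer: str, commitment: str, priv, signing_time: str):
    """Sign the signed-properties block, which binds the content hash and the commitment type."""
    props = {
        "signer": signer,
        "commitment_type": commitment,
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "signing_time": signing_time,
    }
    sig = pow(_digest_int(_canonical(props)), priv["d"], priv["n"])
    return {"signed_properties": props, "signature_value": format(sig, "x")}


def check_signature(envelope, content: bytes, pub, expected_commitment: str) -> bool:
    """Verify with the public key only: commitment type, content hash, then the RSA check."""
    props = envelope["signed_properties"]
    if props["commitment_type"] != expected_commitment:
        return False
    if props["content_sha256"] != hashlib.sha256(content).hexdigest():
        return False
    recovered = pow(int(envelope["signature_value"], 16), pub["e"], pub["n"])
    return recovered == _digest_int(_canonical(props))


def capture_consent(statement: bytes, subject_priv, controller_priv, approval_time, receipt_time):
    """Data subject signs the statement; controller countersigns that signature as proof of receipt.
    The same call with a revocation statement yields the revocation collateral."""
    approval = create_signature(statement, "data-subject", PROOF_OF_APPROVAL, subject_priv, approval_time)
    receipt = create_signature(_canonical(approval), "controller", PROOF_OF_RECEIPT, controller_priv, receipt_time)
    return {"statement": statement.decode(), "approval": approval, "receipt": receipt}


def verify_collateral(collateral, subject_pub, controller_pub) -> bool:
    """What a third-party verifier (or the data subject) checks, holding only public keys."""
    statement = collateral["statement"].encode()
    approval_ok = check_signature(collateral["approval"], statement, subject_pub, PROOF_OF_APPROVAL)
    receipt_ok = check_signature(collateral["receipt"], _canonical(collateral["approval"]),
                                 controller_pub, PROOF_OF_RECEIPT)
    return approval_ok and receipt_ok


if __name__ == "__main__":
    subject_pub, subject_priv = generate_keypair(seed=1)
    controller_pub, controller_priv = generate_keypair(seed=2)
    # Constructed sample statement and timestamps
    consent = capture_consent(b"I consent to processing of my email for the newsletter.",
                              subject_priv, controller_priv,
                              "2018-01-20T10:00:00Z", "2018-01-20T10:00:05Z")
    print("consent collateral verifies:", verify_collateral(consent, subject_pub, controller_pub))
    revocation = capture_consent(b"I withdraw my consent to the newsletter.",
                                 subject_priv, controller_priv,
                                 "2018-02-01T09:00:00Z", "2018-02-01T09:00:02Z")
    print("revocation collateral verifies:", verify_collateral(revocation, subject_pub, controller_pub))
```

The countersignature covers the subject's whole signature envelope, so the receipt proves what was received and when, and a verifier needs nothing from the controller beyond the collateral and the two public keys; altering the statement, either signature or the commitment types makes verification fail.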