Answer

A consent request needs to be presented in a clear and concise way, using language that is easy to understand, and be clearly distinguishable from other pieces of information such as terms and conditions. The request has to specify what use will be made of your personal data and include contact details of the company processing the data. Consent must be freely given, specific, informed and unambiguous. Informed consent means that you must be given information about the processing of your personal data, including at least:

  • the identity of the organisation processing data;
  • the purposes for which the data is being processed;
  • the type of data that will be processed;
  • the possibility to withdraw consent (for example by sending an email to withdraw consent);
  • where applicable, the fact that the data will be used solely for automated decision-making, including profiling;
  • information about whether the consent is related to an international transfer of your data, the possible risks of data transfers to countries outside the EU if those countries are not the subject of a Commission adequacy decision and there are no adequate safeguards.

Examples

Consent not requested as per terms of the law

You enrol at a music school to take piano classes. The enrolment form contains a long document drafted in small print using highly legal and technical terms, which includes the possibility that the school may pass on your personal details to retailers selling musical instruments. The school is in breach of the law as your consent to receive marketing material (potentially from instrument retailers) was not requested as stipulated by law.

You’re opening a bank account online and want to confirm your request. You are shown a page with two tick boxes saying ‘I accept the terms and conditions’ and ‘I agree that the decision whether I am entitled to a credit card is solely based upon profiling without any human intervention’. Both tick boxes are activated (checked) by default. You have to deactivate the tick box if you don’t want to be subject to a decision on whether you are entitled to a credit card based solely on profiling. Even if you don’t deactivate the tick box, the bank would not have obtained valid consent, as pre-ticked boxes are not considered to be valid consent under the GDPR.

References

  • Articles 6 and 7 and Recitals (42) and (43) of the GDPR
  • Article 29 Working Party Guidelines on Consent under Regulation (EU) 2016/679 (WP 259)