GDPR: are the current data processing consents nothing but rubbish?

The personal data processing consents obtained to date will not become invalid if obtained in line with the requirements set out in Article 7 of the GDPR.

As stated by the Inspector General for the Protection of Personal Data (GIODO), it is not necessary to confirm the validity of the consents obtained by entrepreneurs under the current Personal Data Protection Act, provided that such consents are in compliance with the Regulation of the European Parliament and of the Council (EU) of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and evidenced to have been given by a person in a conscious, voluntary, specific and explicit manner.

GDPR: are the current data processing consents nothing but rubbish?

The personal data processing consents obtained to date will not become invalid if obtained in line with the requirements set out in Article 7 of the GDPR.

In justifying its position, the GIODO refers to motive 171 of the General Data Protection Regulation (GDPR), whereby “where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation.”

Further, the Working Party set up under Article 29 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which is an independent advisory entity, has discussed this issue before and issued guidelines whereby the current consents would not automatically become invalid upon the entry into force of the GDPR if they are in line with the Regulation.

Doubts in this respect have arisen with regard to the interpretation of the condition set out in Article 7 (3) of the GDPR regarding the consumer’s right to withdraw his/her consent at any time and providing information of such right before the consent is given because entrepreneurs did not have the obligation to provide such information before. In view of the foregoing, the following question arose: “In order for the consent to remain valid, is it necessary to notify each consumer who has given such consent of the right to withdraw it at any time?”. According to the GIODO, there is no such obligation and it is sufficient to create adequate mechanisms enabling withdrawal of the consent at any time.

At the same time, in the standpoint published by the GIODO, personal data controllers are encouraged “to review the relevant clauses and mechanisms for obtaining consents and make sure that they meet the standards set out in the general regulation and that the consents are not required to be obtained again. Further, bearing in mind the accountability principle, any activities related to obtaining consents should be documented – e.g. when and in what circumstances the consents were obtained and how the obligation to provide information was complied with.”

The accountability principle is also one of the most important issues introduced by the Regulation. In accordance with the accountability principle, the personal data controller will be obliged to implement the appropriate technical and organisational measures to store the data obtained by the entrepreneur which must be in line with the principles contained in the Regulation, i.e. the lawfulness, fairness and transparency principle, purpose limitation principle, data minimisation principle, data accuracy principle, storage limitation principle, and integrity and confidentiality principle. Failure to apply even one of the above principles will result in an infringement of the Regulation.

Please be reminded that the General Data Protection Regulation (GDPR) will become effective on 25 May 2018.