Out-Law / Your Daily Need-To-Know

Out-Law News 1 min. read

Data watchdogs called on to clarify organisations duties on consent under GDPR


Data protection authorities have been called on to clarify what organisations need to do to remain compliant when seeking to process personal data on the basis of consent under the General Data Protection Regulation (GDPR) .

One of the ways in which organisations can lawfully process personal data is where they have obtained a person's consent to do so.

Stakeholders from business groups, civil society and academia urged the watchdogs to explain whether organisations need a person's consent "for every single processing operation", or whether a more general consent can be obtained for "every purpose" of processing they intend to engage in, according to notes from an April GDPR workshop hosted by officials from a committee of data protection watchdogs, the Article 29 Working Party.

Data protection authorities were also asked to clarify whether businesses will be free, under GDPR, to set out recommended privacy settings if they "still require an affirmative action from the user in order to choose" how their data is used.

The mechanisms by which consent can be obtained, and the issue of whether existing consents need renewed, also need to be clarified, the stakeholders said.

Data protection authorities should also clarify whether businesses can require consent to data processing to be given by consumers as a condition of providing those people with a service, they said.

The Article 29 Working Party is expected to issue guidelines on consent under GDPR later this year. The UK's Information Commissioner's Office has already produced draft guidance on consent under GDPR and is expected to set out finalised guidance on the subject next month.

Guidance on consent should be flexible and be "future oriented" in respect to "how technology works", said the stakeholders, who also said that obligations on consent "should not lead to a fatigue of the users".

According to the notes, the stakeholders also called for greater clarification from data protection authorities on how businesses can meet their GDPR obligations to report major data breaches, and comply with the Regulation's rules on profiling.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.