GDPR myth busters – Part 1

The GDPR has applied since 25 May 2018. Before and after that date there was a great deal of activity: hardly any other topic has been discussed and written about so much. Unfortunately, the many publications with their supposedly “best” guides and recommendations have not left the “data controllers” with an understanding of what the Regulation is actually about. On the contrary, there is still widespread confusion about how to implement the GDPR. The best example is the flood of newsletter e-mails before and after 25 May 2018, either asking recipients to give their consent again (or for the first time) or simply announcing that the newsletter would no longer be sent for lack of consent. What is true and what is wrong? Lots of questions, but few satisfying answers. With this series we want to provide the answers that are needed: What myths are there about the GDPR? What is right, and what can be refuted?

The biggest GDPR myths about consent:

In data protection law the following principle applies: the processing of personal data is prohibited unless the law or the data subject permits it. The permission given by the data subject is called consent (Art. 6 para. 1 lit. a GDPR) and is one of the linchpins of the GDPR. The law places strict requirements on consent. But what exactly is it, and is everything you hear about it true? Nine misconceptions about consent under the GDPR:

1. Consent must always be obtained in writing!

As regards the form of consent, the GDPR accommodates the data controller. Sec. 4a of the former German Federal Data Protection Act (FDPA), for example, prescribed written form for consent to the processing of personal data. Under the GDPR, written form is no longer necessary. A “statement or clear affirmative action” suffices (Art. 4 no. 11 GDPR), so in theory even a nod would be enough. Only in theory, however, because the data controller must be able to demonstrate that consent was given effectively (obligation of documentation and proof, Art. 7 para. 1 GDPR), and that is difficult with nothing more than a nod. In practice, actively ticking an unticked check box (opt-in) is sufficient and easy to document.

Caution: A check box that is already ticked and has to be deactivated by the user (opt-out) does not constitute effective consent, and neither do silence or inactivity (Recital 32 GDPR).

2. Consents obtained before the GDPR applied are invalid!

That is not correct. The European legislator decided in favour of data controllers: consents obtained before 25 May 2018 remain in full force and effect (Recital 171 GDPR). This means that consent which was once effectively obtained under the old data protection law does not have to be obtained again, as long as it also complies with the conditions of the GDPR. Since the previous requirements, for example in Germany, are very similar to those of the GDPR, a renewed request for consent will not be necessary in most cases. Whether that is so should nevertheless be checked against the consent text actually used at the time, because the continued validity depends on the old consent meeting the GDPR's requirements.

Caution: Special requirements apply to the consent of minors (see myth 3).

3. Minors cannot give consent effectively!

It is true that the GDPR sets rigid age limits for effective consent. For information society services (i.e. online services) offered directly to a child, Art. 8 GDPR stipulates that a minor can only consent effectively to the processing of his or her personal data from the age of 16. Member states may lower this age limit, but not below the absolute lower limit of 13 years. For the processing of personal data of children below the applicable age limit, data controllers need the consent or authorisation of the holder of parental responsibility.

4. Consent can also be obtained later!

The myth that the timing of obtaining consent does not matter is not true. “Consent” is a legal term and means prior consent: it must be given before the processing starts. Its counterpart is the subsequent “authorisation” (ratification), i.e. approval given afterwards, which does not legitimise processing of personal data that has already taken place. Processing that began without a legal basis therefore remains unlawful for the period before consent was given.

5. For consent, the double opt-in procedure is mandatory!

First, one thing can be stated with certainty: the opt-out has become obsolete. Consent designed as an opt-in (i.e. ticking a check box) must be granted actively. Whether the so-called double opt-in is mandatory for granting consent is a different question. In the double opt-in procedure the tick is set first; the data subject then receives an e-mail, e.g. when subscribing to a newsletter, containing a link that has to be clicked to confirm the consent. The advantage of this procedure is that it provides simple proof that consent was granted, and that it was granted by the person who controls that e-mail address, which serves the data controller's obligation of documentation and proof. If this proof can also be provided with a single opt-in, that is enough, so a double opt-in does not necessarily have to be carried out. Still, it can be said: the double opt-in offers more security against sanctions, and two is better than one anyway!
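The proof-of-consent point above, together with the documentation obligation from myth 1, can be implemented in code. The following is an added example and not code from the original article: a minimal double opt-in record keeper in Python. It refuses pre-ticked or unticked boxes, issues an HMAC-signed, time-limited confirmation token bound to the e-mail address and the purpose, records when and from where consent was requested and confirmed, and supports withdrawal for the future. The signing key, the 48-hour validity window, the record fields and the sample addresses are assumptions made for illustration.

```python
"""Double opt-in consent log with HMAC-signed confirmation tokens (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed placeholder; in production the key comes from a secret store.
SECRET_KEY = b"example-only-signing-key"
# Assumed validity window for the confirmation link.
TOKEN_TTL_SECONDS = 48 * 3600


def is_affirmative(box_ticked: bool, box_prechecked: bool) -> bool:
    """Only an unticked-by-default box that the user actively ticked counts (Recital 32)."""
    return box_ticked and not box_prechecked


def _mac(email: str, purpose: str, issued_at: int, nonce: str, key: bytes) -> str:
    """HMAC over address, purpose, issue time and nonce, so a token for one
    address/purpose cannot be replayed for another."""
    payload = f"{email}|{purpose}|{issued_at}|{nonce}".encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_token(email: str, purpose: str, issued_at: int, key: bytes = SECRET_KEY) -> str:
    """Token placed in the confirmation link (the link also carries email and purpose)."""
    nonce = secrets.token_hex(8)
    return f"{issued_at}.{nonce}.{_mac(email, purpose, issued_at, nonce, key)}"


def verify_token(email: str, purpose: str, token: str, now: int, key: bytes = SECRET_KEY) -> bool:
    """True only for an unexpired token whose MAC matches this address and purpose."""
    try:
        issued_str, nonce, mac = token.split(".")
        issued_at = int(issued_str)
    except ValueError:
        return False
    if now < issued_at or now - issued_at > TOKEN_TTL_SECONDS:
        return False
    return hmac.compare_digest(_mac(email, purpose, issued_at, nonce, key), mac)


@dataclass
class ConsentRecord:
    """What the controller keeps as evidence (Art. 7 para. 1 GDPR)."""
    email: str
    purpose: str
    text_version: str                   # which consent wording the person saw
    requested_at: int                   # Unix time of the form submission
    request_ip: str                     # source of the form submission
    confirmed_at: Optional[int] = None  # set when the link is clicked
    withdrawn_at: Optional[int] = None  # set on unsubscribe


class ConsentLog:
    def __init__(self, key: bytes = SECRET_KEY) -> None:
        self._key = key
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def request(self, email: str, purpose: str, text_version: str,
                box_ticked: bool, box_prechecked: bool, ip: str, now: int) -> str:
        """Step 1: form submitted. Returns the token for the confirmation e-mail."""
        if not is_affirmative(box_ticked, box_prechecked):
            raise ValueError("no consent: box must be unticked by default and actively ticked")
        self._records[(email, purpose)] = ConsentRecord(email, purpose, text_version, now, ip)
        return make_token(email, purpose, now, self._key)

    def confirm(self, email: str, purpose: str, token: str, now: int) -> bool:
        """Step 2: link clicked. Only a valid token for a pending request confirms."""
        rec = self._records.get((email, purpose))
        if rec is None or not verify_token(email, purpose, token, now, self._key):
            return False
        if rec.confirmed_at is None:
            rec.confirmed_at = now
        return True

    def withdraw(self, email: str, purpose: str, now: int) -> None:
        """Withdrawal for the future; earlier processing stays lawful (Art. 7 para. 3)."""
        rec = self._records.get((email, purpose))
        if rec is not None and rec.withdrawn_at is None:
            rec.withdrawn_at = now

    def is_active(self, email: str, purpose: str) -> bool:
        """May the controller process for this purpose right now?"""
        rec = self._records.get((email, purpose))
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None

    def evidence(self, email: str, purpose: str) -> Optional[dict]:
        """The record to produce if a supervisory authority asks for proof."""
        rec = self._records.get((email, purpose))
        return None if rec is None else vars(rec).copy()


if __name__ == "__main__":
    # Constructed sample: one subscriber, confirmation after a minute, withdrawal after a week.
    log = ConsentLog()
    t0 = 1_700_000_000
    token = log.request("alice@example.com", "newsletter", "consent-text-v3",
                        box_ticked=True, box_prechecked=False, ip="203.0.113.5", now=t0)
    assert not log.is_active("alice@example.com", "newsletter")  # single opt-in so far
    assert log.confirm("alice@example.com", "newsletter", token, now=t0 + 60)
    assert log.is_active("alice@example.com", "newsletter")
    log.withdraw("alice@example.com", "newsletter", now=t0 + 7 * 86400)
    assert not log.is_active("alice@example.com", "newsletter")
    print(log.evidence("alice@example.com", "newsletter"))
```

Note the design: the address is not trusted until the link is clicked, so an attacker cannot subscribe a third party; the HMAC binds the token to one address and one purpose, so a newsletter token cannot be reused to confirm advertising consent; and the record keeps the version of the consent text, which is what a supervisory authority will ask for years later.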

6. One consent for all data processing is sufficient!

The idea that one blanket consent is sufficient to legitimise unlimited data processing is grossly wrong. The principles of consent are that it is given freely and for a specific purpose (Art. 4 no. 11 GDPR). The data subject must be informed precisely about the purpose for which his or her data is used and must then decide for him- or herself which processing operations he or she agrees to. Where it is appropriate in the individual case, separate consent must be possible for different processing operations (Recital 43 GDPR).

Caution: Consent is not given freely if the performance of a service is made dependent on consent to processing that is not necessary for providing that service (so-called prohibition of coupling, Art. 7 para. 4 GDPR).

Example: A customer orders goods in an online shop. During the ordering process the customer is informed that the data entered (e.g. e-mail address, postal address, telephone number) will also be used for advertising purposes, and the order cannot be completed without consenting to this. Since consent to advertising is not needed to perform the contract (shipping the product), the prohibition of coupling applies and the consent is not freely given. The data needed for the order itself may be processed without consent, on the basis of the contract (Art. 6 para. 1 lit. b GDPR).

7. The revocation of consent must be identical to the granting!

Consent, once given, must be revocable at any time with effect for the future; processing carried out before the withdrawal remains lawful (Art. 7 para. 3 GDPR). New in this context is the rule in Art. 7 para. 3 sentence 4 GDPR: withdrawing consent must be as easy as giving it. This does not mean, however, that the revocation procedure must be exactly the same as the granting procedure. Especially in online trading, consent is usually given once via opt-in before the data processing begins, and there is no way to remove the tick later unless there is a customer account. The keyword is simplicity. As long as there is an easy way to withdraw consent, this is sufficient. For newsletters, for example, this can be an unsubscribe link at the end of every e-mail or an opt-out option in the privacy policy; the link in the e-mail is the more convenient of the two and the one data subjects expect.

Caution: The data subject must be informed of the right to withdraw consent before giving it (Art. 7 para. 3 sentence 3 GDPR), clearly and in an easily readable form.

8. I cannot process any data without consent!

Even without consent, data processing is possible. If neither consent nor one of the legal bases in Art. 6 para. 1 lit. b or c GDPR (performance of a contract, legal obligation) applies, processing can under certain conditions be based on the legitimate interests of the controller, provided these are not overridden by the rights and interests of the data subject (Art. 6 para. 1 lit. f GDPR). According to the recitals of the GDPR, economic interests and in particular direct marketing are expressly recognised as possible legitimate interests (Recital 47). Companies must, however, actually carry out and document a balancing of interests, and that balancing must come out in favour of the company. The data subject also retains the right to object to direct marketing at any time (Art. 21 para. 2 GDPR).

9. For every cookie I need permission!

The subject of cookies and consent is still confusing under the new data protection law. What is clear is that cookies containing identifiers that can be linked to a person (Recital 30 GDPR names cookie identifiers explicitly) constitute personal data and must be measured against the GDPR. This means that the use of such cookies is generally prohibited unless the data subject has consented or one of the other legal bases of Art. 6 GDPR applies. As described above, data processing can be permitted under Art. 6 para. 1 lit. f GDPR if there is a legitimate interest, which includes commercial interests (e.g. advertising). It must always be considered whether the interest in the processing outweighs the data subject's interest in the protection of his or her data.

For this reason there are good arguments that setting cookies for advertising purposes can be based on a predominant legitimate interest under Art. 6 para. 1 lit. f GDPR as long as the data is collected in pseudonymous form, since pseudonymisation serves the users' legitimate interests. As a result, one would be back at the opt-out option. Note, however, that alongside the GDPR the cookie rule of the ePrivacy Directive (Art. 5 para. 3 of Directive 2002/58/EC) and its national implementations continue to apply to the storing of information on a user's device, which is why the legal position remains unsettled. In any event it is useful, also in this constellation, to use a cookie banner informing the website user about the cookies that are set and their purposes.

Caution: The data subject must always be given the opportunity to object (Art. 21 GDPR) and must be clearly informed about this opportunity.