

Silence does not constitute consent to data processing

Der Standard
23 April 2018

GDPR sets clear criteria for information obligation

It is a myth that under the General Data Protection Regulation (GDPR), data subjects must always agree to the processing of personal data. Many data processing activities can already be carried out without explicit consent on other legal bases or even obligations, such as the fulfilment of contracts or the protection of legitimate interests. That will not change. However, the examination is carried out in the reverse order: consent is only necessary as a last resort if none of the standardized grounds of justification apply.

If consent is required, it must be given explicitly and actively by the data subject. Silence, pre-checked boxes or other inactivity are not enough. In addition, the consent must be verifiably obtained. In practice, therefore, clean documentation must be ensured, e.g. in writing or through verifiable electronic processes.

Voluntariness and revocability

The most important requirement for valid consent is that it is voluntary and can be revoked free of charge and at any time. Where there is an imbalance between the parties, such as between the data subject and his employer or an authority, a particular balance must be struck.

The prohibition of coupling also comes into play: If the declaration of consent is made dependent on the conclusion of the contract, it is in most cases inadmissible. In practice, the greatest conversion effort is required here, since marketing approvals were previously often hidden in general terms and conditions. They must now be removed and offered as a separate, voluntary option.

Consent must be given in clear, simple language, with at least the following content:

  • Name/Address of the controller
  • The types of data used
  • Detailed statement of purposes
  • Name/address of the recipients
  • Transmission purpose
  • Reference to the uncomplicated withdrawal at any time, free of charge
  • Link to further privacy policy according to Art 13 GDPR.

The challenge is to describe the processing scope in as much detail as possible, while at the same time informing the data subject briefly, concisely and in simple language. In addition, the possibility of withdrawal at any time must also be effectively ensured in the processes and systems.

For entrepreneurs, this means specifically checking their contract documents and consent processes against the new criteria and, if necessary, obtaining new consent in good time, especially if the previous consent does not meet the GDPR criteria and, in the worst case, can therefore no longer serve as the legal basis as of 25 May.

© 2020 · DORDA