GDPR consent requirements, one of the most difficult GDPR areas for businesses to comply with, have been further explained by Article 29 Working Party. This is our choice of highlights from the new GDPR Consent Guidelines.
Imbalance of power does not in all cases preclude valid GDPR consent
Although cases of consent by employee to employer are generally viewed with suspicion by WP29, EU’s top body for data protection clarifies some cases of such consent may be coercion-free. In some cases that do not essentially affect employment relations, employers may be able to offer meaningful, non-punitive alternatives to employees who do not give consent (e.g. alternative desk space of equal quality to people who refuse to consent to being shown on the camera).
Conditionality affecting GDPR consent
In order for GDPR consent to be valid, the provision of the service provided by the business should not be “conditional on consent to the processing of personal data that is not necessary for the performance of that contract”. This does not fully exclude the possibility of obtaining a valid consent at the point of contracting. However, where consent is refused, the alternative service provided should be “genuinely equivalent” including in terms of “no further costs”.
Layout of a valid GDPR consent
GDPR consent rule prohibits hiding consent in other ‘Terms and Conditions’. But this does not prohibit layered notices as such, especially if one considers ‘small screens’ or otherwise limited space to accommodate information.