Recital - 42.
Burden of Proof and Requirements for Consent
Executive Summary
When you collect consent, tag it and keep it for the period of data processing. I would recommend a content indexer.
Quick Wins
Keep a record of consent statements received, so [the controller] can show how consent was obtained, when consent was obtained and the information provided to the data subject at the time. [and] also be able to show that the data subject was informed and the controller's workflow met all relevant criteria for a valid consent. With that guidance in mind, and from a practical standpoint, consider keeping records of the following:
The name or other identifier of the data subject that consented;
The dated document, a timestamp, or note of when an oral consent was made;
The version of the consent request and privacy policy existing at the time of the consent; and,
The document or data capture form by which the data subject submitted his or her data.
Consent receipt mechanisms can be especially helpful in automatically generating such records.
Recital Text
Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given.In accordance with Council Directive 93/13/EEC¹ a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms.For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Recital - 43.
Freely Given Consent
Executive Summary
Consent can only be valid if it is specific to the processing activities.
Quick Wins
Keep written proof of consent to collect and process. This consent is not transferable and can only be used for the purpose agreed to when consent is given. This consent also needs an expiration date to be valid.
Recital Text
In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
Executive Summary
Maintain records of consent to process data along with the precise associated purpose and a valid expiration date.
Article ID: 285
Created: September 27, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/gdpr-lawfulness-of-processing-record-of-consent-285.html