New orientation guide on data processing consent declarations
Where the intended use of data goes beyond the purpose of the fulfilment of contractual obligations, companies often resort to consent declarations as a legal basis for processing their customer (and employee) personal data.
Just a short time after the publication of the orientation guide on private internet and email use at work (see here) Germany now sees its next new orientation guide, this time on data processing consent declarations in forms.
Published by the Düsseldorfer Kreis, a board in the conference of the federal and the state data protection commissioners of Germany, this important new orientation guide contains principles that companies which wish to base their processing of personal data on the consent of the data subjects should adhere to in order to ensure compliance with data protection law requirements.
Section 4a of the Federal Data Protection Act (BDSG) provides the following: Consent shall be effective only when based on the data subject's free decision. Data subjects shall be informed of the purpose of collection, processing or use and, insofar as the circumstances of the individual case dictate or upon request, of the consequences of withholding consent. Consent shall be given in writing unless special circumstances warrant any other form. If consent is to be given together with other written declarations, it shall be made distinguishable in its appearance.
The orientation guide now partially explains and partially completes section 4a BDSG.
Its eleven short paragraphs contain the following requirements:
Headings
The heading of the declaration must make it clear to the reader that he/she is asked to provide a data processing consent declaration in addition to the main contractual declaration such as an insurance agreement or participation terms and conditions. The guidance contains samples of what the authorities regard as being not sufficiently clear, such as "Explanation on data processing" or "Explanation on data protection", but also some positive samples of headings that can be used, such as "Data processing consent declaration" or "Consent declaration under the Federal Data Protection Act".
Unambiguousness
The orientation guide requires that the wording of the consent declaration must be unambiguous in its legal significance as a consent declaration. As a consequence, a wording such as "I am conscious that" will not be sufficient, whereas "I agree that" or "With your signature you provide your consent" will be preferable. In addition, the consent must clearly be given by the data subject, so that opt-out solutions will not be in compliance with legal requirements.
Voluntariness
Any data processing consent declaration must be based on the data subject’s free decision (a mere repetition of the clear legal requirement set out in section 4a). Any declaration given under pressure or duress is invalid.
Highlighting
A data processing consent declaration contained in forms must be highlighted against the other parts of the text. Feasible ways to ensure such highlighting are bold print, font type and size, colouring of the text or its background or a framing of the text.
Positioning
In a form which also contains general contractual terms and conditions the consent declaration should be positioned directly at the end of the form. It will not always be necessary to obtain two separate signatures, although this would be especially data protection friendly. Where the details are extensive, it is also possible to combine a short consent with a reference to a longer text contained on the back of the form or in an appendix.
Separation
Explanations on data processing, such as, for example, on the basis of legal provisions, and the consent declaration in a strict sense shall be separated so that the data subject can clearly understand what is (and what is not) covered by his/her consent declaration.
Unambiguous assignment
Where data processing can be based on legal provision, it shall not also be covered by a consent declaration. Where, on the other hand, it is unclear whether a legal provision may be regarded to be a sufficient basis of a data processing, covering such processing in the consent declaration shall be unobjectionable.
Consent in case of special categories of personal data
Where a consent declaration shall cover also the processing of special categories of personal data (a person’s racial or ethnic origin, political opinions, religious or philosophical convictions, union membership, health or sex life), the wording of the consent declaration must be explicit in this regard.
Content of consent declarations
The wording of a consent declaration shall explain the data and the purpose of their processing in clear and generally understandable terms. The withdrawal option should be mentioned explicitly - and in the case of telemedia it has to be. Where data transfers to third parties are envisaged, this must be explained in transparent words - but attention should also be given to the fact that a vast number of third party recipients may be contradictory to the requirement of transparency and lead to the invalidity of the consent declaration.
Consent in context of telemedia
In the context of telemedia it must be ensured that the consent declaration is being given knowingly and in an unambiguous way. It must be protocoled and possible for the user to access the content of the declaration at any point of time as well as to withdraw the consent declaration. Information on these points can be contained in the data protection declaration.
Marketing consent declarations
As far as marketing consent declarations are concerned, the orientation guide contains a reminder of the application note on the collection, processing and use of personal data for marketing purposes, published by the Düsseldorfer Kreis in September 2014, which contains additional and more specific requirements.
