What is the difference between the "unambiguous" consent and the "explicit" consent required in the GDPR to process personal data?

Go to the profile of Jeremy Swinfen Green
Jeremy Swinfen Green on Dec 20, 2016 • 1 answer
With the GDPR coming into force in less than 18 months, marketers need to understand what "unambiguous" consent, delivered through an "affirmative" action, means. Unlike "explicit" consent, "unambiguous" consent can presumably be implied, but with "silence, pre-ticked boxes or inactivity" specifically ruled out, what sort of affirmative actions might imply permission to process personal data?

Answers

While it’s certainly true that the GDPR says “Silence, pre-ticked boxes or inactivity should not … constitute consent”, it’s worth noting that it also says consent can be given through “another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data”.

Consider for example the patient who walks into a doctor’s office and tells the doctor all about the medical ailment from which he or she is suffering, while the doctor enters notes into his computer system. Or the person who drops their car off at the mechanic and gives their phone number so the mechanic can call them once their car is ready. In neither case can it be said that the individual gave their explicit consent - at no point did they explicitly tick, sign or say anything indicating “I agree to the processing of my personal data by X for the purposes of Y and Z”. And yet, in both cases, it’s hard to deny that consent has been given through “an affirmative act” by means of a “statement or conduct which clearly indicates in this context the data subject’s acceptance”.

Put another way, their consent is unambiguous and implied, but not explicit.

Go to the profile of Matthew Lloyd Davies
Matthew Lloyd Davies on Jan 05, 2017