They can't even tell you in detail what they do with that data; many of the ways of using it haven't even been invented yet. And withdrawing consent is a bit absurd: when you wanted that application you accepted that they would store your data, and now, after years of using that product, you discover that it isn't "convenient" for you to honour the consent you gave and you want to withdraw it, but without giving up the application, just by denying access to that information.
But after the implementation of the law you're talking about, I'm sure that with every Facebook update (and the rest of the apps of that kind) you'll have a new license agreement to sign, and I'm curious how many of the outraged will read the list of possible processing operations for the personal data they have already handed over. It's going to be quite long.
Madanic, under the GDPR, consent (where consent is mandatory) must be given for each data processing operation, not just as a licence agreement at an update (see below in red).
The legal definition of consent
The definition of consent at Article 4(11) of the GDPR may not initially appear to be a wholesale departure from that found within the DPD. Consent of the data subject means:
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"
Those areas of text appearing in bold reflect our emphasis to show where the new definition of consent in the GDPR expands on the old definition of consent under the DPD.
Looking first at the specific points of difference from the DPD, it is apparent that these changes do extend the requirements for consent.
"unambiguous" - there must be an unambiguous indication of the data subject's wishes meaning, in practice, that the way the consent is collected should leave no room for doubt about the data subject's intentions in providing their agreement to their personal data being processed. This may be relatively straightforward to achieve where consent is being sought for a single processing activity, such as signing up to receive a newsletter, but will potentially be harder to demonstrate where the personal data collected is to be processed for multiple purposes.
"statement or clear affirmative action" - this ties into the second new element of the definition of consent around the components for proof, meaning that there needs to be a positive indication of agreement by the data subject to their personal data being processed and that is not based, for example, on silence, pre-ticked boxes or inaction on the part of the data subject. Examples referred to at Recital 32 include ticking a box when visiting a website, choosing technical settings for online services or another statement or action which clearly indicates in that context, the data subject's acceptance of the proposed processing of their data.
There is also further detail found variously within the Articles and the Recitals to the GDPR that provide supplementary meaning around those terms within the definition that we are more familiar with from the current consent definition under the DPD.
"freely given" - current guidance on interpreting freely given consent takes the approach that there should be a genuine choice on the part of the data subject when providing their data and that they should not have been misled, intimidated or negatively impacted by withholding consent. The GDPR seeks to formalise this view at Article 7 and also by way of explanation within the separate Recitals, so that consent will not be regarded as freely given where:
- the data subject has no genuine or free choice or is unable to refuse or withdraw consent easily and without detriment, (Article 7(3) and Recital 42);
- the conditions of a contract (including the provision of a service) are conditional on consenting to the processing of personal data that is not necessary for the performance of that contract, (Article 7(4));
- there is a clear imbalance between the data subject and the controller. The example given at Recital 43 is where the controller is a public body; however, it is worth noting that another relationship where an imbalance or element of subordination can exist is that between an employer and an employee, (Recital 43); and
- separate consent cannot be given to different data processing operations, despite it being appropriate in the individual case, (Recital 43).
"specific" - consent must be obtained in a manner that is distinguishable from other matters. It must cover all processing activities carried out for the same purpose or purposes and where processing has multiple purposes, consent must be given for all of them, (Article 7(2) and Recital 32).
"informed" - there are a number of references within the Articles of the GDPR and the Recitals that add some colour to this requirement, in particular:
- the data subject should be aware at least of the identity of the controller and the intended purposes of the processing, (Recital 42);
- data subjects must be informed of their right to withdraw consent at any time prior to giving consent, (Article 7(3)); and
- the specific information requirements found at Articles 12 to 14 of the GDPR, which set out the information that must be given to the data subject to ensure fair and transparent processing.