- Data controllers must proactively document the granting and electronic consent; the mere design of the website is not sufficient proof.
- Legacy consents remain valid only if they comply with the GDPR conditions, including individual documentation and information obligations.
- Lack of reference to right of revocation can render old legal consents ineffective; repapering would be costly and controversial.
- Arbitrary switching between consent and other legal bases is not permitted; switching remains possible in principle, but must be justified fairly and transparently.
The DSK (Data Protection Conference, the body of the German data protection supervisory authorities) has Brief Paper No. 20 on Consent under the GDPR published. It contains little new per se, but some references are noteworthy:
- Proof of consent: The responsible person must be able to prove that it has been issued. This obligation is not only to be understood as a burden of proof rule, but also as a documentation obligation. Electronic consents must be logged. It would not be sufficient merely to prove the proper design of the relevant website if consent cannot be proven in the individual case.
- Continued validity of old-law consentsAccording to Recital 171, consents given prior to the entry into force of the GDPR shall continue to be valid, provided that the nature of such consents “complies with the conditions of this Regulation” (the GDPR). This requires, among other things, that the consent is documented in the individual case, that it was given voluntarily, that it was given for the specific case, informed and unambiguous, and that the controller enables revocation and informs how it can be revoked.
The second point is problematic in that it renders old-law consent invalid if, among other things, the right of revocation was not pointed out when it was granted. This point is disputed in the literature. In my opinion, this goes too far. If the DSK’s view is followed, such consent would have to be obtained again (“repapering”), which can be enormously time-consuming.
Regarding the change to an alternative legal basis, the FSC comments as follows:
Basing the data processing in this case on another legal basis, for example the protection of legitimate interests of the controller or a third party (Art. 6(1)(f) DS-GVO), is in principle inadmissible, because the controller must observe the principles of fairness and transparency (Art. 5(1)(a) DS-GVO). In any case, arbitrary switching between consent and other legal bases is not possible.
The FADP thus leaves open the possibility of changing to an alternative legal basis. This could be considered, for example, if a previous legal consent is no longer effective.