The Danish Data Protection Agency updates guidance on consent – what does this mean for you?
When processing personal data, the data controller must ensure that the necessary basis for processing is in place, cf. Articles 6 and 9 of the General Data Protection Regulation. Consent is one of the legal bases that the data controller can use if the conditions for this are met. The Danish Data Protection Agency updated its guidelines on consent as a basis for processing in May 2021, and you can read more about this below.
Public authorities
One of the conditions for using consent as a basis for processing is that the consent has been given voluntarily, cf. Article 4(11) of the General Data Protection Regulation. If there is a clear imbalance between the data subject and the data controller, such as between a public authority and a citizen, consent cannot normally be used. This is because it will often not be considered to have been given voluntarily. Odd party relationships may also arise in other relationships where there is the mentioned degree of imbalance between the data subject and the data controller.
It is with regard to public authorities, among other things, that an update has been made to the Danish Data Protection Agency’s guidelines. If the citizen’s refusal to give consent is in fact of no significance to the authority’s case processing of a service or permit for the citizen, consent may be used as a basis for processing. Even if there is a clear imbalance between the two parties. An example of this could be an offer from the municipality to send an SMS to the citizen in connection with the collection of bulky waste. In this case, it will not affect whether the garbage is collected or not, whether the data subject gives his/her consent. Therefore, consent can be used in such a situation.
Scrolling and swiping
Another of the conditions for the use of consent as a basis for processing is that the expression of intent must be unambiguous, cf. Article 4(11) of the General Data Protection Regulation. This means that the statement must not give rise to doubt as to whether consent has been given.
A swipe can be a way for the data subject to give consent. However, this requires that the necessary information is made available and that it is clear that the movements are an expression of consent from the data subject.
However, the updated guidelines from the Danish Data Protection Agency state that scrolling and swiping through a website or other similar user activity cannot be considered an unambiguous expression of intent. The reason for this is that it is difficult to distinguish this action from other user activity. Therefore, the act cannot be considered consent.
This means that a swipe after a specific assessment can meet the requirements for consent in the GDPR, but that scrolling and swiping through a website or other user activity will never meet the requirements for consent.
Another thing is that it will also be difficult for the data subject to withdraw his or her consent as easily as it was to give consent. This is also a condition under Article 7(3) of the General Data Protection Regulation.
What the update to the consent guidance means for you
The Danish Data Protection Agency is updating its guidelines on consent, and the changes mean that the public authorities have been given wider access to use consent as a basis for processing. For private employers, the changes mean that a scroll or swipe through a website cannot be considered a valid consent under the GDPR.
You can also read more about data protection here.
Contact a specialist
Are you in need of clarification in relation to a specific case? For example, regarding the requirements for consent as a basis for treatment or something else, we are ready to help. We can both help you authorize your treatments, but also clarify how long and how you most appropriately process the personally identifiable data.