Consent “opt-in” and “opt-out” in data processing
Most service contracts (including those of e-shops and social networks) are not conceivable today without a clause or a separate agreement on the purposes and types of processing of the customer's personal data, through which the consent of the customer, the data subject, is obtained. This is the case because the first paragraph of Article 7 of the General Data Protection Regulation (GDPR) on the conditions for consent provides that “where the processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
Such an authorisation to process personal data should therefore be easily understood, simple, verifiable, and easily revocable.
Given the importance of data processing in both providing services and data analysis, many companies have faced the issue of how best to design their consent. In order to gather as much data as possible, an enterprise may be tempted to tick a box in an agreement on the customer's behalf, a tick that the customer could easily remove before, for example, submitting a digital form. In contracts, too, ostensibly for the customer's convenience, companies sometimes word the processing consent in negative form (for example, by asking the customer to tick the ways in which they DO NOT WANT to be contacted). This flawed approach is called the “opt-out” principle, and it does not comply with the GDPR.
It should be noted that such an opt-out makes it very difficult to obtain consent from the data subject. The client's permission must be expressly and actively granted, so consent that is expressed in negative form, or by selecting certain processing by default on the client's behalf, is not permissible.
In order to prevent confusion, the company must clearly describe the purposes and types of data processing and allow the customer to choose whether they agree, to what extent, and in what ways. This can be done by allowing the client to check checkboxes or sign for all or part of the data processing.
Alternatively, consent may be given as an affirmative statement, accompanied by an explanation of how the consent can be changed, to which the data subject agrees by signing the entire contract.
To get this right, a good data protection professional can help a company not only comply with the law but also keep its customers satisfied and well-informed.