CONSENT AND CONTRACTS – PROMINENT PILLARS AS LEGAL BASES UNDER GDPR

The General Data Protection Regulation (GDPR) provides six lawful bases for processing personal data, set out in Article 6(1). A controller must be able to point to at least one of them for every processing activity; the six are outlined below.

• User's consent (Article 6(1)(a)). Where no other basis fits the processing, you must obtain the data subject's consent before processing begins.

• Performance of a contract (Article 6(1)(b)). Where processing is necessary to deliver the product or service the data subject has contracted for, or to take steps at their request before entering into a contract, you can rely on this basis.

• Legitimate interests (Article 6(1)(f)). Where processing is necessary for your legitimate interests (or a third party's) and those interests are not overridden by the rights and freedoms of the data subjects, you can process their data without consent. The recitals give fraud prevention and ensuring network and information security as examples; a documented balancing test is expected.

• Public interest or official authority (Article 6(1)(e)). Where processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller. This basis has little impact on private companies but is the main basis for most public bodies.

• Vital interests (Article 6(1)(d)). You can process personal data where it is necessary to protect the life or health of the data subject or of another natural person.

• Legal obligation (Article 6(1)(c)). Some laws, such as employment or tax law, require personal data processing, and that obligation is itself the basis.

This article will focus on two of the most commonly misunderstood concepts: Consent and Contract.

Contracts –

Almost every contractual relationship involves some handling of personal data. It is not feasible to enter into or perform most contracts without revealing personal information and the identifiers that go with it; exactly which data is needed differs from contract to contract depending on its nature.

When providing goods or services to a customer, it is necessary to handle some of their personal data in order to perform the agreement. This may involve collecting their name, residential address, contact number, email address, age, payment details, or similar information. That data is essential for delivering the product or service to the right person and for providing customer support on it. In such a contract, personal data processing is a necessary component of performing the contract.

In order to use Contract as the legal basis, the following criteria must be satisfied:

• A contract is in place, or is in the process of being entered into at the data subject's request, between you (the data controller) and the user (the data subject), and processing the user's data is necessary for performing it. Examples include a purchase agreement, a licensing agreement, terms of service, or terms and conditions. Note that the user is the data subject, not a data processor: a processor is a separate organisation that processes data on the controller's behalf.

• The contract is valid under the applicable law.

• You (the data controller) only collect and process the information needed to fulfil that contract. What is necessary depends on the contract: an employment contract is not the same as a home loan agreement, and a home loan contract differs from a health insurance contract. The controller must be able to prove the existence of a valid contract with the individual and that the processing is necessary for its performance.

Whenever a data subject is party to a contract, or asks the controller to take steps on their behalf before entering into one, both parties should understand that the processing of personal data takes place within the framework of that particular contract and for that purpose.

The expression "necessary for the performance of a contract" in Article 6(1)(b) should be read strictly. The processing must be genuinely necessary for meeting the contractual obligations towards each specific data subject; it is not enough that the processing is mentioned in the contract or is useful to the business. Handling salary details and bank account details to pay an employee's wages is a typical example of processing that meets this test.

There must be a direct and objective link between the processing and the performance of the contract: without the processing, the contract could not be performed.

The contract basis applies only when processing is indispensable for performing the contract. For instance, when you make an online purchase, processing your contact details and delivery address is necessary to deliver your order; without it, delivery is not feasible. Using the same details for unrelated marketing is not covered by this basis and needs a basis of its own.

For some types of contracts, such as insurance contracts, there may be additional obligations to fulfil. When relying on the contract basis, carefully consider the specific regulations that apply to the industry or job role concerned.

Consent –

Where consent is the basis you rely on, obtain it from your users before processing their personal data; processing on the strength of invalid consent can attract severe GDPR fines.

When processing someone's data on the basis of their consent, the consent must meet the definition in Article 4(11) of the GDPR: a freely given, specific, informed and unambiguous indication of the data subject's wishes, given by a statement or by a clear affirmative action. Article 7 then sets the conditions for obtaining consent, including the controller's duty to be able to demonstrate it. The GDPR has raised the standard for valid consent and, in Article 7(3), grants individuals the right to withdraw their consent at any time.

CONSENT MUST BE FREELY GIVEN

"Freely given" means that the data subject has not been unduly influenced or pressured into granting permission for the use of their data. Consent is not freely given if the data subject has no genuine or free choice, or if they cannot refuse or withdraw consent without suffering a detriment. Making consent a condition of a service that does not actually need the data is a common way to fail this test; in that situation the contract basis, or unbundling the request, is the right approach.

CONSENT MUST BE SPECIFIC

The consent request must be presented in a way that is clearly different from other matters. It is essential that the data processing activities are clearly defined, giving the individual the opportunity to consent to each activity separately.

CONSENT MUST BE INFORMED

Informed consent means that the data subject is told the identity of the data controller, the specific processing activities the controller intends to carry out, the purpose of that processing, and that they can withdraw their consent at any time.

Additionally, this indicates that the consent request and the explanation of the data processing activities and their purpose are conveyed in a language that is simple and easy to understand, making them accessible to individuals in a clear and straightforward manner.

It is essential to avoid using technical jargon or legalese in order to ensure clarity. Individuals who utilize your services should be able to understand the terms and conditions they are being asked to agree to without any difficulty.

CONSENT MUST BE UNAMBIGUOUS

The consent of the data subject should be unambiguous. Silence, pre-selected options, or inactivity should not be interpreted as consent.

CONSENT CAN BE REVOKED

The GDPR sets no fixed duration for consent. That does not make consent perpetual: it remains valid only for as long as the purpose and the circumstances in which it was given stay the same, and it lapses if it becomes evident that the consent is no longer legitimate or reasonable or that the processing has drifted from the data processing principles. Independently of that, the data subject has the right under Article 7(3) to withdraw consent at any time, and withdrawal does not affect the lawfulness of processing carried out before it.

Moreover, individuals must be able to exercise their right to withdraw consent easily. Article 7(3) requires that it be as easy to withdraw consent as it was to give it: if consent was given with one click, withdrawal should not require a phone call or a five-step form.

Although the GDPR consent requirements are relatively easy to comprehend, implementing them may prove to be more challenging.
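The conditions above map naturally onto the fields a consent management system has to record in order to demonstrate consent under Article 7(1). The following Python example is added here to illustrate that mapping; it is not code from the article or from any product. The record fields, the one-purpose-per-record modelling of "specific", and the reduction of each legal condition to a yes/no check are assumptions made for the illustration and simplify what a lawyer would actually assess. The two sample records are constructed for the example.

```python
"""Validate stored consent records against the GDPR Art. 4(11) / Art. 7 conditions:
freely given, specific, informed, unambiguous, and as easy to withdraw as to give.
Added illustration; the field names and the checks are assumptions, not the GDPR text."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConsentRecord:
    """Evidence of one data subject's consent. Assumption: one purpose per record,
    so a record covering several purposes means the request was bundled."""
    subject_id: str
    controller_identity: str          # informed: subject was told who the controller is
    purposes: Tuple[str, ...]         # specific: should contain exactly one purpose
    affirmative_action: str           # unambiguous: the act that signalled agreement
    pre_ticked: bool                  # unambiguous: a default-on box is not consent
    condition_of_service: bool        # freely given: could the subject refuse without detriment?
    withdrawal_explained: bool        # informed: told of the right to withdraw
    plain_language: bool              # informed: request free of legalese and jargon
    steps_to_grant: int               # Art. 7(3): withdrawing must be as easy as granting
    steps_to_withdraw: int
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


def validate_consent(rec: ConsentRecord) -> List[str]:
    """Return the conditions the record fails; an empty list means consent looks valid."""
    problems: List[str] = []
    if rec.condition_of_service:
        problems.append("freely given: consent was a condition of the service; "
                        "rely on the contract basis or unbundle the request")
    if len(rec.purposes) != 1:
        problems.append("specific: %d purposes bundled into one consent; "
                        "record a separate consent per purpose" % len(rec.purposes))
    if not rec.controller_identity:
        problems.append("informed: controller identity was not stated")
    if not rec.withdrawal_explained:
        problems.append("informed: right to withdraw was not explained")
    if not rec.plain_language:
        problems.append("informed: request was not in plain language")
    if rec.pre_ticked or not rec.affirmative_action:
        problems.append("unambiguous: pre-ticked box or no affirmative action recorded")
    if rec.steps_to_withdraw > rec.steps_to_grant:
        problems.append("withdrawal: harder to withdraw (%d steps) than to give (%d steps)"
                        % (rec.steps_to_withdraw, rec.steps_to_grant))
    return problems


def withdraw(rec: ConsentRecord, at: Optional[datetime] = None) -> ConsentRecord:
    """Record a withdrawal. The original record is kept, not deleted: earlier processing
    stays lawful (Art. 7(3)) and the controller must still be able to demonstrate it."""
    return replace(rec, withdrawn_at=at or datetime.now(timezone.utc))


def may_process(rec: ConsentRecord, purpose: str) -> bool:
    """Gate a processing operation on a specific purpose against the stored consent."""
    return (not validate_consent(rec)
            and rec.withdrawn_at is None
            and purpose in rec.purposes)


# Constructed sample records (not real data).
BUNDLED = ConsentRecord(
    subject_id="u-1001", controller_identity="Example Ltd",
    purposes=("newsletter", "analytics", "profiling"),
    affirmative_action="", pre_ticked=True, condition_of_service=True,
    withdrawal_explained=False, plain_language=False,
    steps_to_grant=1, steps_to_withdraw=5,
    granted_at=datetime(2024, 1, 15, tzinfo=timezone.utc))

CLEAN = ConsentRecord(
    subject_id="u-1001", controller_identity="Example Ltd",
    purposes=("newsletter",),
    affirmative_action="checkbox_ticked", pre_ticked=False, condition_of_service=False,
    withdrawal_explained=True, plain_language=True,
    steps_to_grant=1, steps_to_withdraw=1,
    granted_at=datetime(2024, 1, 15, tzinfo=timezone.utc))


if __name__ == "__main__":
    for name, rec in (("bundled", BUNDLED), ("clean", CLEAN)):
        print(name, "->", validate_consent(rec) or "valid")
    print("may send newsletter:", may_process(CLEAN, "newsletter"))
    print("may run analytics:", may_process(CLEAN, "analytics"))
    print("after withdrawal:", may_process(withdraw(CLEAN), "newsletter"))
```

The point of the gate in `may_process` is that a consent that fails any of the conditions, or that has been withdrawn, yields no lawful basis for that purpose, and a consent for one purpose says nothing about another. A real system would also keep the wording shown to the subject and the timestamp and channel of the affirmative action, since those are what the controller has to produce to demonstrate consent.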

Consent vs Contract – Key differences!

Consent is the voluntary and informed approval given by an individual that allows an organisation to process their personal data for a particular purpose. It rests on the independence and authority of the individual over their own data, and it requires a clear and unequivocal expression of their willingness, which they may withdraw at any time.

A contract, on the other hand, derives from a legal agreement between the organisation and the individual. Processing is lawful because it is necessary to perform the terms of that agreement, such as providing a service or fulfilling contractual obligations; the individual cannot "withdraw" this basis, but the controller is limited to the processing the contract genuinely requires.


Tushar Kale

Advocate, Freelance Writer for Privacy Compliance, Tech Law

#dataprotection #gdpr #consent #contract #privacy
