Out-Law / Your Daily Need-To-Know

Limitations of consent shown in GDPR cases

Out-Law News | 28 Aug 2019 | 3:44 pm | 3 min. read

Recent regulatory action should serve as a reminder to organisations that consent cannot be relied upon as a basis for processing personal data in cases where they hold the greater power in their relationship with data subjects, a data protection law expert has said.

Claire Edwards of Pinsent Masons, the law firm behind Out-Law.com, was commenting after the Hellenic data protection authority and Sweden's Data Inspectorate separately took action against organisations for wrongly relying on consent to process personal data.

Edwards Claire

Claire Edwards


...even where it is lawful, [consent] may be entirely inappropriate and create other problems in terms of GDPR compliance...

In Greece, a PWC company, Pricewaterhousecoopers Business Solutions SA, was fined €150,000 after an investigation by the Hellenic data protection authority found that the business was responsible for failing to ensure of lawful, fair and transparent processing of its employees' personal data.

The Greek regulator said that the company had given employees "the false impression that it was processing their personal data under the legal basis of consent", when in fact it was relying on another legal basis which it had failed to notify the employees about. That lack of disclosure was a further breach of the GDPR's rules on transparency, as too was its inability to demonstrate compliance with the principles on lawful, fair and transparent processing, it said.

Even if consent was the legal basis being relied upon by the PWC company, it was not a valid basis for processing the employees' data, the Hellenic data protection authority said.

"Consent of data subjects in the context of employment relations cannot be regarded as freely given due to the clear imbalance between the parties," the Hellenic data protection authority said in a summary of its decision. "In this case, the choice of consent as the legal basis was inappropriate, as the processing of personal data was intended to carry out acts directly linked to the performance of employment contracts, compliance with a legal obligation to which the controller is subject and the smooth and effective operation of the company, as its legitimate interest."

Consent is one of six lawful bases for processing personal data under the GDPR. To be valid, consent must, in general, be freely given, specific and informed, and also be an unambiguous indication of the data subject's wishes that is stipulated by a statement or by a clear affirmative action. Explicit consent is required in instances where businesses intend to process special categories of personal data, which includes biometric data.

In Sweden, the Data Inspectorate also took issue with an organisation's claims around consent. It fined a high school in the country after it trialled the use of facial recognition technology to monitor student attendance. The regulator determined that the school, in the town of Skellefteå, was responsible for processing sensitive personal data unlawfully.

According to a statement issued by the Data Inspectorate, the high school board claimed that it had obtained the consent of school pupils to process their data using the facial recognition software. The Data Inspectorate said, though, that that consent was invalid because there was an imbalance in power in the relationship between the school and its students.

The Data Inspectorate also said that student attendance monitoring could have been carried out in a less privacy intrusive way than through the use of facial recognition technology.

According to a statement issued by the European Data Protection Board (EDPB), the Swedish regulator also took issue with the fact the school had failed to consult it on its data protection impact assessment prior to proceeding with the trial.

The school was fined 200,000 Swedish krona (€18,600) in relation to its infringement. It is the first time that the Data Inspectorate has used its powers to fine an organisation since the GDPR took effect.

Claire Edwards of Pinsent Masons said: "These cases demonstrate that controllers need to be clear about exactly what type of data they wish to collect and the purpose of their intended processing so that they can select the appropriate lawful ground to press ahead with the processing."

"It is a common misconception that consent is required for all data processing, but as these examples show it can be invalid in some cases and, even where it is lawful, may be entirely inappropriate and create other problems in terms of GDPR compliance in others. This is a position that has been articulated by the UK's Information Commissioner's Office (ICO)," she said.