We all know by now that one of the key underpinnings of the General Data Protection Regulation (GDPR) is data subject rights, including requirements for obtaining consent from data subjects. In our industry, that includes consent from job candidates.
Companies building their GDPR compliance programs are making choices about how the consent requirements apply to their specific businesses and operations. In December 2017, the Article 29 Working Party published draft guidance on the rules for valid consent under the GDPR. The 30-page guidance document underscores rigorous requirements that can vary from how consent is frequently handled by companies in the U.S. and other non-EU countries.
The draft provides guidance on what is necessary to satisfy each element of the definition of consent under the GDPR, including requirements that for consent to be valid it must be “freely given”, “specific”, “informed” and an “unambiguous indication of the wishes” of the data subject. The guidance points to the following factors that may impact whether a consent is, in fact, freely given for GDPR purposes:
The guidance also makes clear that some means of obtaining consent, such as pre-checked boxes or other opt-out methods, will not constitute valid consent under the GDPR. The guidance also cautions that blanket consent to terms and conditions that include consent language will not constitute consent.
The guidance examines the interplay between consent as a controller’s legitimate basis for processing and other lawful grounds for processing. Under the guidance a controller that asks for a data subject’s consent to process personal data “in principle” should not be able to rely on other lawful bases for processing as a “back up” if the controller cannot demonstrate that valid consent has been obtained or if consent has been withdrawn.
With respect to withdrawal of consent, the draft guidance discusses the requirement that it must be just as easy for a data subject to withdraw consent as it is for the data subject to grant consent in the first instance. The Working Party opines that it would not be valid, for example, for a company that obtains consent online to require a data subject to call the controller in order to be able to withdraw consent.
It is unclear when final guidance will be issued by the Working Party. Given, however, that GDPR compliance is required by May 25th – and much of the draft guidance is based on earlier opinions from the Data Protection Authorities – organizations may find the draft guidance useful as they formulate their approaches to consent.
About the Author: Neal Dittersdorf, iCIMS General Counsel, Privacy Officer & Corporate Secretary
Neal Dittersdorf joined iCIMS in 2016 as general counsel and corporate secretary. In his role, Dittersdorf oversees the company’s legal, compliance, information security and risk management functions. He also is responsible for corporate governance, serving the Board of Directors as corporate secretary.