Our Insights

Thought Leadership and Industry Trends

Home 9 Insights 9 Data Processing Under the GDPR: Consent as the Primary Legal Basis
Data Processing Under the GDPR: Consent as the Primary Legal Basis
October 31, 2017

By Dino Medina, Esq., General Counsel, CDS.

Set to take effect on May 25th, 2018, the General Data Protection Regulation (GDPR) is the European Commission’s latest attempt to strengthen the protections afforded the personal data of EU natural persons in connection with third-party processing activities. According to GDPR Article 5, “’processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction[.]” As a global provider of eDiscovery services, CDS is taking the necessary steps to comply with these enhanced requirements.

Chief among the GDPR’s protection enhancements are those surrounding the concept of data subject consent. Though consent – including the ability to refuse and withdraw consent – has remained a fundamental right under both the current EU Directive 95/46/EC and the upcoming GDPR, GDPR-compliant consent requires a dynamic, actively managed, transparent process.  The text of the GDPR stresses:

[consent] of the data subject [must be] freely given, specific, informed, and [an] unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

In other words, data subjects must be afforded a meaningful opportunity to consent with knowledge of the precise purpose(s) for which consent is sought.  Any resulting consent must take the form of an explicit, unmistakable action taken by the data subject permitting the processing activities enunciated in the consent request.

Further, the GDPR mandates that comprehensive background information be provided to data subjects.  This information includes how the personal data will be processed, what the personal data will be used for, who the data processor is (defined as the “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”), who the data controller is (defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”), and the identities of any other third parties who will have access to the personal data.

Situations in which there is a real or perceived disparity in bargaining power between the data subject(s) and the data controller will prove particularly difficult, as EU data protection authorities have expressed a reluctance to deem consent the product of “free will” when this power dynamic is present. The following types of data subjects fall into this problematic category: employees, mentally ill, children, patients, and the elderly.

In sum, the concept of consent may seem straightforward at first glance, however as a fundamental right in the EU, there are stringent requirements which must be satisfied to ensure GDPR compliance.  As such, consent by default and mass opt-out schemes for multiple data subjects are to be strictly avoided.  Instead, consent requests should be presented in clear, readily understandable language, setting forth the exact purpose(s) for which consent is sought, and special consideration must be given in cases where an imbalance of power between the data controller and the data subject(s) exists.

If you are involved in a litigation or investigation with a European data component, contact us for a litigation support consultation. CDS has a full service data center and support staff based in London and offers the portable Digital Customs eDiscovery appliance where further data privacy is required.

CDS is not a law firm and is not authorized to provide legal advice in any jurisdiction.  These materials are for informational purposes only. They are not intended, and should not be construed, as legal advice on any particular set of facts or circumstances.

Read more about cross-border eDiscovery and the GDPR here:

Preparing for EU GDPR Enforcement

About the Author

Dino E. Medina, Esq.

Dino E. Medina, Esq.

In his role as General Counsel for CDS, Mr. Medina is responsible for the overall legal affairs of the company, including drafting and negotiating a wide variety of commercial contracts, advising executive management on corporate strategic initiatives and employment matters, managing litigations, and directing CDS’ compliance and risk management posture in all areas of the business.

Relativity Fest London 2021

CDS is proud to sponsor Relativity Fest London May 18-19. All-virtual and free to attend, RelativityFest London features educational sessions, the latest product news and networking events.

Find out more »

Webinar: Short Message Data Part 2: We’re Not In Document Land Anymore, Toto!

Chat and collaboration platforms are increasingly displacing email as the main mode of business communication. eDiscovery practitioners need to get up to speed.

Find out more »

Sign Up for Our Newsletter