As a follow-up to the article “Considerations regarding the consent of the interesvillage“, We offer you a comparative table on the legal regulation of consent.
| Regulation of the European Union 2016/679 of the Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data repeals Directive 95/46 / EC (RGPD) |
Law 39/2015, of 1 October, on common administrative procedure of public administrations |
Law 15/1999, of 13 December, on the protection of personal data (LOPD) |
| "Considering (32): The consent must be given by means of a clear affirmative act that reflects a manifestation of free will, specific, informed, and unequivocal of theeresI agree to the processing of personal data that concerns me, such as a written statement, including by electronic means, or a verbal statement. This could include checking a box on a website on the Internet, choosing technical parameters for the use of information society services, or any other statement or conduct that clearly indicates in this context that theeresado accepts the proposal for the treatment of his personal data. Therefore, silence, already marked boxes or inaction should not constitute consent. Consent must be given for all processing activities carried out with the same or the same purposes. When the treatment has several purposes, consent must be given to all of them. (…)” |
In accordance with article 28.2 and 28.3, authorization to consult or obtain the corresponding data or documents is presumed, unless the express opposition or a special law applicable to the procedure requires express consent. |
Art. 3.h) of the LOPD, the consent of the interesconsent is defined as any manifestation of will, free, unequivocal, specific and informed, by which the interessat consents to the processing of personal data that concerns him. Art. 11.2 of the LOPD states that personal data may be transferred with the prior consent of the interested party.eressat unless a rule with the rank of law authorizes the transfer (art. 11.2.a), it is publicly accessible data (art. 11.2.b), or it is a consented and known legal relationship (art. 11.2.c), among others. |
- From this table it is clear that the LOPD and the European Regulation regulate the consent of the interessat in the same terms. However, the Regulation is more restrictive, as it considers vàlid express consent and does not accept the use of tacit consent. On the contrary, Law 39/2015 does accept tacit consent but requires the inclusion in the administrative procedure of the confirmation of the express opposition of the interested party.eresaffected. It should be added that the three legal regulations are in force, although the European Regulation will not be mandatory for Member States until May 2018.
- There is currently a technical committee that is assessing the involvement of the European Regulation in the Spanish LOPD. The Spanish Data Protection Agency has published some on its website recommendations on the practical implications of the General Data Protection Regulation for entities in the transition period until the mandatory date.
- The AOC, in charge of data processing, in accordance with article 22 of Law 29/2010, of 3 August, on the use of electronic media in the public sector of Catalonia, has to adapt to new legal obligations, including those arising from the European Regulation:
"Recital 42: When the treatment is carried out with the consent of the interesado, the person responsible for the treatment must be able to demonstrate that he has given his consent to the treatment operation. In particular in the context of a written statement made on another matter, there must be guarantees that the interesado is aware of the fact that he gives his consent and of the extent to which he does so. According to Directive 93/13/CEE of the Council (1), a model declaration of consent drawn up previously by the data controller must be provided with an intelligible and easily accessible wording that uses clear and simple language, and that does not contain abusive clauses. For the consent to be informed, the interesado must know at least the identity of the person responsible for the treatment and the purposes of the treatment for which the personal data is intended. The consent should not be considered freely given when the interesado does not enjoy true or free choice or cannot refuse or withdraw his consent without suffering any harm.
Article 5. Principles relating to treatment
1. The personal data will be: (…)
- (f) processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organizational measures ('integrity and confidentiality ”).
2. The data controller shall be responsible for and able to demonstrate compliance with paragraph 1 ("proactive responsibility").
Article 7. Conditions for consent
1. When the treatment is based on the consent of the interesado, the person in charge must be able to demonstrate that he consented to the processing of his personal data.”
