As a follow-up to the article “Considerations on the consent of the interested party”, we offer you a comparative table on the legal regulation of consent.
| Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (RGPD) | Law 39/2015, of 1 October, on common administrative procedure of public administrations | Law 15/1999, of 13 December, on the protection of personal data (LOPD) |
| --- | --- | --- |
| "Recital (32): Consent must be given by a clear affirmative act which reflects a free, specific, informed and unequivocal expression of the data subject's acceptance of the processing of personal data concerning him or her, such as a written statement, even by electronic means, or a verbal statement. This could include checking a box on a website on the internet, choosing technical parameters for the use of information society services, or any other statement or conduct that clearly indicates in this context that the interested party accepts the proposed processing of their personal data. Therefore, silence, pre-ticked boxes, or inaction should not constitute consent. Consent must be given for all processing activities performed for the same purpose or purposes. When the processing has several purposes, consent must be given for all of them. (…)" | In accordance with articles 28.2 and 28.3, authorization to consult or obtain the corresponding data or documents is presumed, unless express opposition is on record or a special law applicable to the procedure requires express consent. | In Art. 3.h) of the LOPD, the consent of the interested party is defined as any free, unequivocal, specific and informed manifestation of will by which the interested party consents to the processing of personal data concerning him. From Art. 11.2 of the LOPD it follows that personal data may be transferred with the prior consent of the interested party unless a rule of law authorizes the transfer (art. 11.2.a), the data are public access data (art. 11.2.b), or it is a question of a consented and known legal relationship (art. 11.2.c), among others. |
- It is clear from this table that the LOPD and the European Regulation govern the consent of the person concerned in the same terms. However, the Regulation is more restrictive, as it considers only express consent to be valid and does not accept the use of tacit consent. Law 39/2015, on the other hand, does accept tacit consent but requires verifying whether the interested party has expressed opposition in the administrative procedure. It should be added that all three legal rules are in force, although the European Regulation will not be mandatory for Member States until May 2018.
- There is currently a technical committee that is assessing the impact of the European Regulation on the Spanish LOPD. The Spanish Data Protection Agency has published on its website some recommendations on the practical implications of the General Data Protection Regulation for entities in the transition period until the mandatory date.
- The AOC, in charge of data processing, in accordance with article 22 of Law 29/2010, of 3 August, on the use of electronic media in the public sector of Catalonia, has to adapt to new legal obligations, including those arising from the European Regulation:
"Recital 42: When the processing is carried out with the consent of the data subject, the controller must be able to demonstrate that the data subject has given consent to the processing operation. In particular, in the context of a written statement on another matter, there must be assurances that the person concerned is aware of the fact that he gives his consent and the extent to which he does so. In accordance with Council Directive 93/13/EEC, a model statement of consent previously prepared by the controller must be provided in an intelligible and easily accessible wording which uses clear and simple language and which does not contain abusive clauses. In order for the consent to be informed, the data subject must know at least the identity of the controller and the purposes of the processing for which the personal data are intended. Consent shall not be considered freely given when the person concerned does not enjoy a genuine or free choice or cannot refuse or withdraw his consent without prejudice.
Article 5. Principles relating to processing
1. Personal data shall be: (…)
- (f) processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organizational measures ("integrity and confidentiality").
2. The data controller shall be responsible for and able to demonstrate compliance with paragraph 1 ("proactive responsibility").
Article 7. Conditions for consent
1. Where the processing is based on the consent of the data subject, the controller must be able to demonstrate that the data subject has consented to the processing of his personal data."