The Office for Personal Data Protection


International


Find


Important links

 

Path: Home Page > Main menu > Positions

 

Position No. 2/2008 - Consent to personal data processing

 
 
 

September 2008


Processing of personal data interferes with the privacy of data subjects. Consequently, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter the “Directive 95/46/EC”), as well as Act No. 101/2000 Coll., on the protection of personal data and on amendment to some acts, as amended (hereinafter the “Personal Data Protection Act”), stipulates a general rule according to which, in principle, personal data processing is possible only with consent of the data subject (subject to certain exemptions, which are stipulated, in the Czech legislation, by Article 5 (2) of the cited Act1)).

For this reason, the concept of consent to personal data processing is one of the most important aspects of the entire area of personal data protection. In Article 2 (h), Directive 95/46/EC provides for the consent as follows: „For the purposes of this Directive, 'the data subject's consent' shall mean any freely given specific and conscious indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.“

In Article 4 (n), the Personal Data Protection Act stipulates that, for the purposes of the Act, consent of data subject means a free and conscious manifestation of will of the data subject the content of which consists in his assent to personal data processing. The requirements are stricter for processing of sensitive data2). Pursuant to Article 9 (a) of the Personal Data Protection Act, sensitive data may be processed only if the data subject provides his express consent to the processing. In addition to the aforementioned conditions, in this case, the consent must be explicit.

In general, the provision of consent is a legal act and, therefore, assessment of its validity must also reflect the provisions governing legal acts in the general legal regulation, in this case Act No. 40/1964 Coll., the Civil Code, as amended3). The Civil Code stipulates the requisites of legal acts in Articles 34 to 42a. In Article 34, it defines the term “legal act" as a manifestation of will aimed particularly at creating, changing or terminating the rights or obligations that are associated by the legal regulations with such a manifestation of will. Article 37 (1) of the Civil Code is of key importance for this Position; according to the cited provision, a legal act must be performed freely and seriously, definitely and comprehensibly – otherwise it is invalid.

The Personal Data Protection Act, being a special legal regulation, takes priority over the Civil Code in respect to application of the civil-law instruments contained in the Code. It defines the requisites of the provision of consent to personal data processing in Article 4 (n) as follows: The consent must be provided freely (freedom is thus set out as a requisite of the consent in both legal regulations) and also conscious.

Consequently, where the Personal Data Protection Act makes validity of the provision of consent conditional on it being free and conscious, account must also be taken, as for any legal act, of other requirements on a legal act stipulated by the Civil Code. Consent to personal data processing is granted validly only if it has the necessary requisites of a will, i.e. is provided freely and seriously, and if this will is properly manifested, i.e. specifically and comprehensibly.

This Position does not aim to provide an exhaustive definition of the general terms set out in the Civil Code; the following is thus only a brief overview of this aspect:

  • freedom of will means the freedom of its creation; will is thus created voluntarily, without any physical or mental coercion. However, consent is not free and voluntary if the data subject is required to accept a clause concerning his consent to processing of his personal data as part of a contract on which the data subject is unable to negotiate4);

  • the existence of serious will can be assumed, in relation to a certain act, on the basis of objective circumstances under which it was performed, i.e. particularly whether it was made in a manner and under circumstances that cast no doubt about the fact that the entity manifesting its will intended to cause the legal effects associated by law with such a manifestation of will. If there are any doubts as to the seriousness of will, it is necessary to examine the specific circumstances of the given case and the given consequences are attributed to the person who caused them by his conduct5). It must also be noted in this context that, according to case-law6), if one of the parties performs a legal act (for example, provides consent to processing of its personal data) with a mental reservation, i.e. an internal decision to the effect that the act is not meant seriously, while this cannot be apparent to the other party (i.e. the one who requests consent to personal data processing), such mental reservation has no legal relevance and the processing of personal data of the given person is fully legitimate;

  • a legal act is specific if its contents are definite and unequivocal. An act is indefinite where the manifestation of will is comprehensible from a linguistic viewpoint, but vagueness of its contents cannot be remedied and overcome by interpretation;

  • a legal act is incomprehensible if, in objective terms (i.e. rather than in view of the specific addressee of the legal act), it cannot be determined as to what the act aims to express, verbally or otherwise, as a result of which the other party cannot become acquainted with the given communication and understand it7).

Absence of any of the above-specified requisites renders the legal act, i.e. the provision of consent, null and void – invalid from the outset. Such a “legal act” has never been validly performed, has never been and is not valid and this defect cannot be remedied, or rather it cannot be remedied in any way other than through a new perfect legal act that complies with all the mentioned essential requisites.

Amendment No. 439/2004 Coll. to the Personal Data Protection Act introduced a new definition of the term “consent" amongst the definitions set out in Article 4 of the Act: “Consent of data subject means a free and conscious manifestation of will of the data subject the content of which consists in his assent to personal data processing.“ In the explanatory memorandum, the legislator states in this respect that the legal regulation of consent needs to conform to Directive 95/46/EC, and thus consent must be a manifestation of the data subject´s will which encompasses free, clear and conscious expression of the conditions under which the personal data processing is to take place8).

The concept of conscious consent of the data subject to processing of his personal data thus constitutes yet another requirement that must be fulfilled by the consent for it to be valid and for the personal data processing to be legitimate (otherwise the consent will be invalid from the outset9)). When giving his consent, the data subject has to be aware, or it must be apparent under the given circumstances that he could have been and should have been aware, of the consequence of his conduct, i.e. the provision of consent to processing of his personal data. The processing is an anticipated and envisaged consequence of consent and the data subject knowingly and specifically agrees with it.

Pursuant to Article 5 (4) of the Personal Data Protection Act, the one who intends to process personal data (controller) must inform the data subject of the purpose of the intended processing (why the personal data will be processed, with what aim), of the personal data that will be processed (the specific categories of data and their scope), of the person processing the data (the controller must be unambiguously identified) and of the period of processing (for what period of time the consent to such specific processing operation is being provided). The data subject can duly assess the processing of personal data only if he has been duly advised to this effect, and only in that case can he decide whether he should agree with it10).

The consent is deemed to be an informed one in this sense only if the mentioned facts are disclosed to the data subject before he provides the consent. Only if the data subject has been informed of these requisites prior to granting the consent is he able to duly agree with the processing of his personal data.

The duty to inform the data subject of intended processing of his personal data also entails the duties of the data controller set out in Article 11 (1) and (2) of the Personal Data Protection Act. Where personal data are collected (in practice, this often occurs directly after the provision of consent to processing), the controller is obliged to inform the data subject of the scope and purpose of processing of the collected personal data and of the person who will carry out the processing unless the data subject is already aware of this information (e.g. if this information was provided by the controller prior to obtaining the consent).

Where personal data are collected, the data subject must also be advised as to whom his personal data may be disclosed, as well as of his rights pursuant to Articles 12 and 21 of the Personal Data Protection Act. Article 12 stipulates the duty of the controller to provide the data subject, on his request, with information on processing of his personal data, on its purpose, on personal data that are the subject of processing, including information on the source of these data, on the nature of any potential automated processing and on the recipients of personal data, i.e. on those to whom the personal data of the data subject have been disclosed. Article 21 then stipulates the right of the data subject to request an explanation from the controller in respect of the processing of his personal data if the data subject has ascertained or believes that the processing is not being pursued in a proper manner, and the right to request that the controller remedy this state of affairs.

The regulation of consent to processing of sensitive data is stricter. In addition to all the requisites of consent as stated above, pursuant to Article 9 (a) of the Personal Data Protection Act, the consent must be explicit. An explicit act is an act performed orally or in writing11) where the data subject confirms, by his words or his signature, that he agrees with processing of his sensitive data.

With respect to processing of personal data other than sensitive, the Personal Data Protection Act does not require explicit consent. The consent may also be provided implicitly, i.e. in a manner other than explicit. For example, after having received the relevant information, the data subject may provide his personal data to the controller, whereby he tacitly, rather than explicitly, agrees with their processing. Indeed, the contents of will may also be determined on the basis of the wider context of conduct, or even subsequent acts, if the contents of will can be retroactively inferred from such acts12).

The Personal Data Protection Act does not stipulate any compulsory form for granting consent to personal data processing, such as written form. Reference should also be made in this respect to the second sentence of Article 5 (4) of the Personal Data Protection Act, which stipulates that, during the entire period of processing, the controller must be capable of proving that the data subject has provided his consent to the processing. Therefore, in the event of any dispute where the data subject would claim that the controller processes his personal data without consent, the onus of proof would be borne by the controller. In this case, the controller would be obliged to prove that the data subject has agreed with the processing and that the consent fulfilled all the above-specified requirements.

Conclusion

Consent to processing of personal data is valid and the processing conforms to the Personal Data Protection Act only if:

  • it fulfils all the above-specified requirements for a legal act; i.e. the act is free, serious, definite and comprehensible;

  • the one who provides the consent has been informed in advance for what purpose, by whom, for what period and what specific personal data will be processed (a general formulation, such as I agree with processing of my personal data pursuant to the Personal Data Protection Act, which is often encountered by the Office in its practice, is thus entirely insufficient);

  • the consent is made explicitly in cases where processing of sensitive data is envisaged;

  • the consent is demonstrable throughout the entire period of processing.


Note:

1) This is true, e.g. of processing based on a statutory authorization, processing that is necessary for the performance of a contract, or for the protection of vital interests of data subjects, etc.

2) Sensitive data are defined in Article 8 (1) of Directive 95/46/EC; the Personal Data Protection Act provides an exhaustive list in Article 4 (b); sensitive data include, e.g., data revealing national, racial or ethnic origin, political opinions, state of health, etc.

3) Cf. Kučerová, A., Bartík, V., Peca, J., Neuwirt, K., Nejedlý, J.: Zákon o ochraně osobních údajů. Komentář. (Personal Data Protection Act. Commentary) 1st edition, Praha, C. H. Beck, 2003.

4) Working document (WP 125) of 26 September 2006 on data protection and privacy implications in eCall initiative of the Article 29 Data Protection Working Party under Directive 95/46/EC.

5) Judgment of the Supreme Court of 27 May 2004, File No. 30 Cdo 1912/2003.

6) E.g., Judgment of the Supreme Court of 12 August 2003, File No. 22 Cdo 290/2003.

7) Judgment of the Supreme Court of 16 January 2007, File No. 26 Cdo 3294/2006.

8) Explanatory Memorandum on the draft Act amending the Personal Data Protection Act, published under No. 439/2004 Coll.

9) ibid

10) Cf. Matoušová, M., Hejlík, L.: Osobní údaje a jejich ochrana (Personal Data and their Protection), 2nd edition., Praha, ASPI, 2008.

11) Madar, Zd. et al..: Slovník českého práva (Vocabulary of Czech Law), Linde, Praha 1995. Volume I.

12) Judgment of the Supreme Court of 31 July 2000, File No. 20 Cdo 1713/1998.

 

Context

Placing: Document folders > Site map > Main menu > Positions > Position No. 2/2008 - Consent to personal data processing

Display up to date documents | document archive | documents including archive

 
 

Mode No graphics is currently switched on. Therefore you see the web page with no decorative graphics as well as any advanced formatting. If your browser supports CSS2, you can switch a graphic mode on.


Copyright © 2013 The Office for Personal Data Protection. All rights reserved.
web & design , editorial system