After reviewing the conclusions of the Article 29 Working Party, the summary is that there are 2 types of consent: normal consent, and explicit consent for data that require special protection.

For normal consent, click-wrap, or in general any “motor” action (“statement or clear affirmative action”) that is interpreted as an acceptance (e.g. swiping on a screen, waving in front of a smart camera, turning a smartphone around clockwise, etc.) will be acceptable.

For explicit consent, a more specific action is required, such as signing an acceptance document, but it is also allowed to send an email, send the scanned signed document, or use an electronic signature (this underlines the benefits of Advanced Electronic Signatures, as used by eIDAS eSignatures).

“In Article 7(1), the GDPR clearly outlines the explicit obligation of the controller to demonstrate a data subject’s consent. The burden of proof will be on the controller, according to Article 7(1). Recital 42 states: “Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”

Controllers are free to develop methods to comply with this provision in a way that is fitting in their daily operations. At the same time, the duty to demonstrate that valid consent has been obtained by a controller, should not in itself lead to excessive amounts of additional data processing.

This means that controllers should have enough data to show a link to the processing (to show consent was obtained) but they shouldn’t be collecting any more information than necessary. It is up to the controller to prove that valid consent was obtained from the data subject. The GDPR does not prescribe exactly how this must be done. However, the controller must be able to prove that a data subject in a given case has consented. As long as a data processing activity in question lasts, the obligation to demonstrate consent exists. After the processing activity ends, proof of consent should be kept no longer than strictly necessary for compliance with a legal obligation or for the establishment, exercise or defense of legal claims, in accordance with Article 17(3b) and (3e).

For instance, the controller may keep a record of consent statements received, so he can show how consent was obtained, when consent was obtained and the information provided to the data subject at the time shall be demonstrable. The controller shall also be able to show that the data subject was informed and the controller’s workflow met all relevant criteria for a valid consent. The rationale behind this obligation in the GDPR is that controllers must be accountable with regard to obtaining valid consent from data subjects and the consent mechanisms they have put in place.

There is no specific time limit in the GDPR for how long consent will last. How long consent lasts will depend on the context, the scope of the original consent and the expectations of the data subject. If the processing operations change or evolve considerably then the original consent is no longer valid. If this is the case, then new consent needs to be obtained.

We at Validated ID offer a full set of options for signing GDPR consent, ranging from the handwritten biometric signature for face-to-face scenarios to eID and remote solutions that gather all the evidence needed to be safe and avoid GDPR compliance sanctions.

For in-person scenarios, we have found that the biometric signature is the best means to capture the consent. Today, hundreds of hospitals are using this option to capture the evidence as part of their workflow and maintain digital evidence of this consent.

For remote signing scenarios, we encourage everyone to move toward eIDAS signatures, which provide proof of intent, integrity of the document and identity of the signer at all the different levels.

All in all, it is important to remember that not all types of signatures are the same, and although “soft” systems are available, in case of litigation you have to show that the person accepted by this means, which I consider complicated when you don’t have clear proof of the consent.

Validated ID Team