It is surprising to what extent companies still overuse consent as the legal ground for processing personal data. The reason may be that consent is perceived as the “strongest” legal ground for processing, even though all legal grounds are equivalent and differ only in the purposes of processing for which they are suited.
Although Data Protection Authorities have repeatedly criticized this practice and pointed out that the grounds for processing are equivalent, consent remains the ground preferred by data controllers.
What makes redundant consent problematic?
Each legal ground for processing has its own specifics and use. Most importantly, the rights that the data subject may exercise under the GDPR depend on the legal ground that actually applies, not on the ground the controller chose to rely on. A data subject may withdraw his or her consent at any time and may, moreover, request the erasure of the personal data. If this happens and the controller still needs to store the personal data for other purposes, the controller may face problems, for instance when an authority legally requests the data, or when the controller has to prove that the data subject ordered goods or services. If the company does not erase the personal data and continues to process them in order to avoid such problems, it has misled and misinformed the data subject.
What legal ground should the company use?
The GDPR lays down six legal grounds for processing, and these grounds are equivalent. Before processing personal data, the company needs to consider in particular the following questions:
Is there a legal regulation that requires the processing of the data (e.g. the AML Act), or that requires the retention of documents which may contain personal data (e.g. the Accounting Act)?
Will the company have to process the personal data even if the data subject withdraws his or her consent and asks for erasure?
Has the customer ordered services or goods, so that the company needs his or her personal details to provide them?
Can the company provide services or deliver goods without the customer’s personal data?
Is it in the legitimate interests of the company, or in the interests of other persons, to process the personal data (e.g. to prevent theft, financial fraud, personal injury, etc.)?