Consent (data protection law)

A consent is a prerequisite for the collection, processing and use of personal data .

In data protection law , the general principle is a prohibition with reservation of permission : the collection, processing and use of personal data are prohibited in accordance with Section 4 of the Federal Data Protection Act (BDSG), unless a legal norm expressly allows or orders this or the person concerned gives his / her consent.

Consent is part of the privacy policy . In the Federal Data Protection Act, the consent is implemented in Section 4a . Similar regulations are included in the state data protection laws.

Requirements for consent

Section 4a I BDSG regulates the requirements for lawful consent:

Consent must be given personally by the person concerned
Consent must be given before the data is collected, processed or used ( ex nunc )
Consent must always writing done
Consent must voluntarily done
- consent is not given in a predicament or under pressure
- a refusal of consent is possible without fear of sanctions
- a revocation of the consent of a previously given consent has no consequences
The intended purpose of the collection, processing or use must be indicated
The consequences of the refusal must be pointed out, as far as the circumstances of the individual case require or upon request
The consent must be specially emphasized if it is to be given in writing together with other declarations
If it is to apply to the processing of special types of personal data (e.g. health data, racial or ethnic origin, etc., see Section 3 (9) BDSG), it must explicitly refer to this.

Special types of personal data

If it concerns special types of personal data according to § 3 Abs. 9 BDSG (including health data and information about ethnic origin), consent according to § 4a III BDSG must explicitly refer to this data.

Exceptions

According to § 4a I BDSG, a written form is not required if another form is appropriate due to special circumstances.

Furthermore, according to § 4a II BDSG, there are exceptions regarding the written form, especially for science . If the purpose of the research would be significantly impaired by a written form, another form may be sufficient. The reference to the purpose and the consequences of a refusal, as well as the reasons from which the significant impairment of the specific research purpose results, must be recorded in writing in this case.

According to Section 28 Paragraph 3a and 3b BDSG, consent to the processing or use of personal data for advertising purposes and address trading can also be given electronically.

Problems of voluntariness

In the employment relationship

The actual voluntary nature of consent in the employment relationship is viewed by the data protection officers of the federal and state governments as questionable. This is justified with the different power structures existing between the contracting parties.

In the case of monopoly positions

If the responsible body that wants to obtain consent has a monopoly position , the voluntariness is questionable, since a predicament can prevail. In this case, there may be a ban on tying.

In the recent past, data protection consent in connection with information society services has repeatedly been criticized as fiction.

Reform through General Data Protection Regulation

The General Data Protection Regulation, which will apply in all member states of the European Union from May 25, 2018, regulates the conditions for consent in Article 7.

According to Art. 4 No. 11 GDPR, consent is defined as any voluntary, informed and unambiguous declaration of will in the form of a declaration or other clearly confirming act with which the person concerned indicates that she gives her consent to the processing of the personal data concerning her. In practice, for example, so-called consent banners are common .

Anyone who invokes consent must be able to prove it. The consent can be revoked at any time. Special conditions apply to a child's consent (Article 8).

Web links

Design information for the data protection declaration of consent in forms. (PDF) Bavarian State Office for Data Protection Supervision, accessed on September 20, 2015 .

Individual evidence

↑ ^a ^b ^c consent. (No longer available online.) The Federal Commissioner for Data Protection and Freedom of Information, archived from the original on September 24, 2015 ; accessed on September 20, 2015 . Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. @1@ 2
↑ resolution. (PDF) Do not reduce employee data protection, but strengthen it! (No longer available online.) Conference of the Federal and State Data Protection Officers, January 25, 2013, formerly in the original ; accessed on September 20, 2015 . ( Page no longer available , search in web archives ) Info: The link was automatically marked as defective. Please check the link according to the instructions and then remove this notice.@1@ 2
↑ Buchner, Benedikt; Kühling, Jürgen: Conditions for consent . In: Kühling, Jürgen; Buchner, Benedikt (Ed.): GDPR Comment . 2nd Edition. CHBeck Verlag, Munich 2018, p. 284 ff .
↑ Yoan Hermstrüwer: Informational Self- Endangerment . On the legal functional, game-theoretical and empirical rationality of data protection consent and the right to informational self-determination. Mohr Siebeck, Tübingen 2016, p. 4 .

↑ Kamp, Meike; Rost, Martin: criticism of the consent. An interjection to a fictitious legal basis in asymmetrical power relations. In: Data protection and data security (DuD) . No. 2/2013 . Springer, 2013, p. 80-83 .

↑ Rothmann, Robert; Buchner, Benedikt: The typical Facebook user between law and reality - At the same time, a comment on LG Berlin v. January 16, 2018 . In: Data protection and data security (DuD), law and security in information processing and communication . Vol. 42, No. 6 . Springer Gabler Verlag, Wiesbaden June 2018, p. 342-346 , doi : 10.1007 / s11623-018-0953-x .

[bfdi-1] consent. (No longer available online.) The Federal Commissioner for Data Protection and Freedom of Information, archived from the original on September 24, 2015 ; accessed on September 20, 2015 . Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. @1@ 2

[2] resolution. (PDF) Do not reduce employee data protection, but strengthen it! (No longer available online.) Conference of the Federal and State Data Protection Officers, January 25, 2013, formerly in the original ; accessed on September 20, 2015 . ( Page no longer available , search in web archives ) Info: The link was automatically marked as defective. Please check the link according to the instructions and then remove this notice.@1@ 2

[3] Buchner, Benedikt; Kühling, Jürgen: Conditions for consent . In: Kühling, Jürgen; Buchner, Benedikt (Ed.): GDPR Comment . 2nd Edition. CHBeck Verlag, Munich 2018, p. 284 ff .

[4] Yoan Hermstrüwer: Informational Self- Endangerment . On the legal functional, game-theoretical and empirical rationality of data protection consent and the right to informational self-determination. Mohr Siebeck, Tübingen 2016, p. 4 .

[5] Kamp, Meike; Rost, Martin: criticism of the consent. An interjection to a fictitious legal basis in asymmetrical power relations. In: Data protection and data security (DuD) . No. 2/2013 . Springer, 2013, p. 80-83 .

[6] Rothmann, Robert; Buchner, Benedikt: The typical Facebook user between law and reality - At the same time, a comment on LG Berlin v. January 16, 2018 . In: Data protection and data security (DuD), law and security in information processing and communication . Vol. 42, No. 6 . Springer Gabler Verlag, Wiesbaden June 2018, p. 342-346 , doi : 10.1007 / s11623-018-0953-x .