How to Demonstrate Compliance With GDPR Article 7

Conditions for Consent

Book a demo

top,view,business,people,work,from,home,using,laptop,on

GDPR Article 7 deals with the ‘conditions for consent’ that need to be met, in order for it to be established that an organisation has gained the requisite authorisation prior to processing an individual’s data.

GDPR Article 7 Legal Text

EU GDPR Version

Conditions for Consent

  1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
  2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
  3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
  4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

UK GDPR Version

Conditions for Consent

  1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
  2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
  3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
  4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Technical Commentary

Consent is dealt with throughout GDPR Article 7 across 3 key areas:

  1. An organisation’s legal obligation to provide proof of consent, in the form of a written declaration that is separate from any other communication.
  2. A data subject’s right to withdraw consent at any time, and an organisation’s obligation to inform them of this fact.
  3. Various factors that assess whether or not consent has been freely given by the data subject.

ISO 27701 Clause 7.2.4 (Obtain and Record Consent) and EU GDPR Article 7 (1) and 7 (2)

Organisations need to gather consent in way that makes it easy for PII subjects to request information on how it was obtained (timestamps, who requested it etc.) (see ISO 27701 Clause 7.3.3).

Consent relies on three underlying legal stipulations: it needs to be freely provided, relating to the reason for processing and clear in its intent.

ISO 27701 Clause 7.2.4 (Providing Mechanism to Modify or Withdraw Consent) and EU GDPR Article 7 (3)

Organisations need to provide a mechanism that outlines the rights of any PII principal who wishes to withdraw consent, along with instructions on how to do so that are in alignment with the methods used to collect PII (e.g. email, telephone).

PII principals should also be able to ‘modify’ consent – i.e. restricting the controller from performing certain actions, such as deleting PII. Such requests should be documented in accordance with procedures for the removal of consent.

Organisations should commit to a published response time for all modification or withdrawal of consent requests.

ISO 27701 Clause 7.2.4 (Marketing and Advertising Use) and EU GDPR Article 7 (4)

Organisations need to obtain permission from the PII principle before utilising any data provided for marketing or advertising purposes, and ensure that acceptance of such a use is not a prerequisite to PII being processed.

Marketing and advertising stipulations should be clearly documented in any contracts or service agreements, in line with the above purpose.

Organisations should seek ‘express consent’ that is based upon a transparent and up-to-date representation of how PII is to be used.

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR ArticleISO 27701 ClauseISO 27701 Supporting Clauses
EU GDPR Article 7 (1) and 7 (2)ISO 27701 7.2.4None
EU GDPR Article 7 (3)ISO 27701 7.3.4None
EU GDPR Article 7 (4)ISO 27701 8.2.3None

How ISMS.online Help

The ISMS.online platform includes built-in guidance at each step, combined with our ‘Adopt, Adapt, Add’ implementation approach, so demonstrating your GDPR compliance is significantly easier. You will also benefit from a range of powerful time-saving features.

Using our intuitive platform, you can map your work across multiple standards and frameworks so that you can achieve multiple information security and privacy goals in a minimum amount of time.

If at any point in your journey toward GDPR, for whatever reason, you feel a lack of confidence, ability or drive to take action, we can make our team of in-house experts available to you or recommend one of our trusted partners to assist you in achieving your goals.

Find out more by booking a short demo.

See how we can help you

Book a tailored hands-on session
based on your needs and goals
Book your demo

Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.