The processing of personal data: what about it?
According to the privacy law, the General Regulation on Personal Data (AVG), personal data is any information about identified or identifiable natural persons. In short, a broad concept. Under the same law, you need a legal basis in order to process personal data. This basis gives you the right to process the data. The AVG has six bases:
- Consent;
- The performance of an agreement;
- Legal obligation;
- Vital interest;
- Public interest;
- Legitimate interest.
Consent is one of six bases on which you can base the processing of personal data. As an organization, it is always important that you can demonstrate that you are using a valid basis for your processing. You must also demonstrate why you are using the basis in question.
An (expensive) lesson from practice
We regularly see that consent is misunderstood and misapplied. Recently, the Personal Data Authority (AP) fined a company for wrongfully placing tracking cookies. These cookies were used to collect, among other things, sensitive data about health, without valid consent.
Although at first glance the cookie banner seemed fine, according to the privacy watchdog it did not meet the requirements set out in the AVG. Cookies were placed without consent, options were pre-ticked and refusal was not possible. A fine can cause reputational as well as financial damage.
Careless use of consent can lead to invalid processing of personal data, loss of user trust and, in the worst case, hefty fines. Moreover, consent comes with all sorts of additional requirements that mean it is not always the shortest route to data.
Why consent is often preferred
Consent is often seen as a simple option. For example, a form can be provided with a checkbox or an "agree" button. However, without careful consideration, this can pose legal risks, especially when another legal basis may be more appropriate under the AVG.
What we often see:
- Consent is applied in various business processes, while "legitimate interest" or "agreement" may be easier to use as a legal basis.
- Consent options are not always clearly visible.
- The process for withdrawing consent is often not fully developed.
- The purpose for which consent is given is sometimes unclear.
- Consent and general terms and conditions are frequently combined.
Increased scrutiny of cookie banners
Since 2024, the AP has been actively monitoring cookie banners. Websites are scanned automatically and called to account when deficiencies are found. If the improvement is insufficient, a further investigation follows, which may result in a fine.
Many organizations already had to adjust their banners, among other things because:
- The "accept" button was clearly visible, while the option to decline was less easy to find;
- Pre-selected check boxes were present;
- Tracking was activated before permission was granted.
Thus, the days of "a standard banner is sufficient" really seem to be over now. Legal reasoning and user-friendliness must go hand in hand.
More conscious choice of bases
Consent is only one of the six bases offered by the AVG, and it often turns out not to be the best one. Other options, such as performance of a contract, legal obligation or legitimate interest, are often more stable and less prone to error, provided they are carefully substantiated.
Three practical tips:
- Use consent only where necessary, and not out of habit.
- Record your considerations. Especially with legitimate interest, this is essential, and easier than often thought.
- Have your cookie banner tested. Does your banner meet the requirements of the law and those of the AP? Is the choice the data subject makes really free?
In conclusion
Consent is only valuable if it is well arranged, and it is often not even necessary: the AVG offers six bases, of which consent is the most complex. If you do consciously choose consent, make sure it is set up properly.
_____
Data Expo
Want to know how to deal more strategically with legal bases, and how to use consent? Then be sure to come to our session at Data Expo 2025.
_____