Obtain user consent when requesting personal data
Consent must be given through a clear affirmative action that reflects a free, specific, informed, and unambiguous manifestation of will by the data subject and must be granted for all processing activities carried out. When processing has multiple purposes, consent must be given for each of them. If it is to be given following an electronic request, it must be clear, concise, and not unnecessarily disrupt the use of the service for which it is provided.
This express consent can be implemented in a web form through checkboxes that are unchecked by default. This is vital in order to demonstrate the person's willingness to have their personal data processed.
Pre-checked boxes, silence, and the lack of action by the interested party do not constitute lawful processing of data, so these methods should not be used.
We have discussed specific purposes in the previous section, meaning that when someone provides their data, the conditions for data processing must be clearly, unambiguously, and transparently detailed.
Since consent is explicit and tied to a specific purpose, the organization must be able to demonstrate that it was collected in accordance with these precepts, and the burden of proof falls on the organization that receives and processes the data.
One way to prove authorization is for each registration to generate an automatic email response containing the data of the person who made the request, their IP address, the acceptance given, the date, the exact time, and the browser they used. This email must be kept as proof in case of a dispute with the user.
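The following is an added example, not code from the guide: a server-side handler for a form whose per-purpose checkboxes are unchecked by default. A purpose counts as consented only when its field arrives with an explicit affirmative value (an absent field, i.e. silence, is treated as a refusal), and the resulting record carries the evidence listed above (submitted data, IP address, acceptance per purpose, date and time, browser) plus a digest so the stored copy can be checked for tampering. The purpose names, field names and sample submission are constructed for illustration.

```python
from datetime import datetime, timezone
from typing import Optional
import hashlib
import json

# Purposes offered on the form, one checkbox each; the HTML input must carry no
# "checked" attribute so that every tick is the user's own affirmative action.
PURPOSES = {
    "newsletter": "Send the monthly newsletter by e-mail",
    "profiling": "Build a marketing profile from browsing data",
}


def consent_given(form: dict, purpose: str) -> bool:
    """True only for an explicit affirmative value; a missing field is a refusal."""
    # Browsers omit unchecked checkboxes from the POST body, so absence means
    # silence, and silence is not consent.
    return str(form.get(f"consent_{purpose}", "")).lower() in ("on", "yes", "true", "1")


def _digest(body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_consent_record(form: dict, client_ip: str, user_agent: str,
                         now: Optional[datetime] = None) -> dict:
    """Assemble the evidence: submitted data, IP, acceptance per purpose, time, browser."""
    now = now or datetime.now(timezone.utc)
    record = {
        "subject": {k: v for k, v in form.items() if not k.startswith("consent_")},
        "consents": {p: {"purpose_text": text, "accepted": consent_given(form, p)}
                     for p, text in PURPOSES.items()},
        "ip": client_ip,
        "user_agent": user_agent,
        "timestamp_utc": now.isoformat(timespec="seconds"),
    }
    # Hash over the canonical record so the stored or e-mailed copy can later be
    # checked for tampering if the user disputes what they accepted.
    record["sha256"] = _digest(record)
    return record


def granted_purposes(record: dict) -> list:
    """Purposes the data may be processed for; everything else stays off-limits."""
    return sorted(p for p, c in record["consents"].items() if c["accepted"])


def verify_record(record: dict) -> bool:
    """Recompute the digest over everything except the stored hash."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return _digest(body) == record.get("sha256")
```

Calling `build_consent_record({"email": "ana@example.org", "consent_newsletter": "on"}, "203.0.113.7", "Mozilla/5.0")` yields a record in which only `newsletter` is accepted and `profiling` is recorded as refused.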
First layer of basic information
With the requirements and principles introduced by the GDPR regarding the obligation to inform, simply referring to the privacy policy from web forms is no longer sufficient to comply with these obligations.
The European Union's Data Protection Authorities recommend a layered information model: a first layer presents the basic data protection information and, being simpler and more immediate, directs the data subject to a second layer containing the remaining information.
In the Guide to Fulfilling the Duty to Inform, the AEPD establishes that this first layer of information must meet the following requirements:
- The information must be made available to interested parties at the time the data is requested, prior to collection or registration.
- This obligation must be met unconditionally, and the controller must subsequently be able to prove that the duty to inform has been fulfilled.
- It must be clearly identified with a title such as "Basic Data Protection Information".
- The controller must ensure that this information remains "within the data subject's field of vision".
- Interested parties must receive a copy that includes this basic information.

The LOPDGDD, in its article 72, classifies as a VERY SERIOUS INFRINGEMENT the omission of the duty to inform the data subject about the processing of their personal data, as provided for in articles 13 and 14 of Regulation (EU) 2016/679 (GDPR).