  • Mihaela Cracea
  • Feb 22, 2024

Updated: Mar 14, 2024




We aim to analyze the distinctions between "consent/agreement" required for contract conclusion and performance between a data subject and a data controller (a concept that we have further discussed here), and "consent" as the legal basis for processing. This analysis will be presented in a manner that minimizes technical jargon and includes practical examples. Despite appearing similar in legal terms, these concepts possess nuanced differences, which we seek to elucidate.


However, when we discuss two of the legal bases of data processing, namely CONTRACT and CONSENT, the same concept - "consent" - takes on different meanings that, if not well understood, may cause problems while identifying the legal basis of the processing: (i) art. 6 para. 1 lit. (a) of GDPR, namely, CONSENT or (ii) art. 6 para. 1 lit. b), namely the performance of a CONTRACT.

 

The Romanian dictionary DEX defines the notion of "consent" as "an agreement of the persons entering into a contract."[1]


Also, from the perspective of the Civil Code, the notion of consent is synonymous with "agreement" or "will", as arising from the following legal provisions:

  • No one can be subjected to any interference in his/her intimate, personal or family life, nor in his/her domicile, residence or correspondence, without his/her consent[2].

  • It is forbidden to bring prejudice to a person's honour and reputation without his/her consent (...)[3].

  • Marriage is concluded between a man and a woman through their personal and free consent[4].

From the contractual point of view, consent represents, according to the Civil Code, along with capacity, object and cause, one of the four essential elements for the validity of the contract entered into between two or more persons.


Therefore, for the conclusion of a contract, the consent of the parties is always needed.


Is this consent necessary for the conclusion of a contract the same as the consent provided by the GDPR as the legal basis for processing?


In other words, whenever the data subject gives their consent for the processing of their personal data, do they enter into a contract with the data controller?


How will we know if a data subject has given consent to enter a contract or has given consent without it leading to the conclusion of a contract?


From the GDPR perspective, consent is a legal basis of processing different from the performance of the contract.


According to art. 6 of the GDPR, the processing is legal only if and to the extent that at least one of the following conditions applies[5]:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.


For someone with legal training, making the distinction is straightforward. However, for data controllers, discerning between consent as the legal basis for processing and consent as a requisite for contract conclusion presents practical challenges.


The correct identification of the legal basis of processing, between the two proposed for our analysis, is extremely important at least for the following considerations that both the data controller and the data subject should be aware of:

If the processing takes place based on the data subject's consent, the data subject can withdraw it at any time without being harmed or damaged in any way as a result of the withdrawal and without any consequences for them.


Example: The data subject submitted a registration for a marathon, providing the organizers with their name, age and contact details and, before the start of the marathon, they no longer wish to participate and withdraw consent. Based on the data subject's request, the organizer will exclude them from the list of participants without any negative consequences for the data subject, except for the inherent one, i.e. the loss of the chance to run in that marathon and possibly win a prize.


On the contrary, when the legal basis for the processing is represented by the "necessity of performing a contract" to which the data subject is a party, the withdrawal of the consent might represent, in fact, a manifestation of the right to terminate that contract, which, if terminated, may have some negative consequences, in accordance with the nature and the provisions of the contract, even potential sanctions for the data subject.


Example: A data subject has signed a contract with a travel agency by which they accepted the price of the services, the payment dates and a penalty of x% of the contract value if the price is not paid in due course. In this case, the data subject's exercise of the right to object to the processing of their personal data will be considered a request for termination of the contract which, once terminated, will lead to the payment of the agreed penalty for failure to pay the agreed price.


The two legal bases can coexist, but the data controller must correctly identify each purpose of the processing and the legal basis related to each of the purposes.


The data controller has the obligation to ensure that consent to processing for a specific purpose, where that processing is based on consent, is not obtained through the same action by which consent is given for the conclusion of a contract. Thus, since the legal grounds are independent, the termination of processing based on one legal basis will not automatically end the processing based on the other legal basis.


Example: The most relevant example in this regard comes from the online environment, in a situation that is very often encountered. The user of a shopping website is requested, through separate "boxes", to tick, on the one hand, that they agree with the "Terms and Conditions" of the website (T&C) and, on the other hand, that they wish to receive marketing communications. By ticking the first box, the user expresses their consent to enter into the contract for the sale of the products (this is the consent necessary for the valid conclusion of the contract, in the form of the T&C; here the legal basis for the processing of personal data is the need for the performance of the contract), while by ticking the second box, the user expresses their consent to receive communications (here, the legal basis for processing is consent). While the user can opt out of marketing communications at any time without any consequence, they can withdraw from the T&C only subject to the T&C provisions and the consumer protection legislation in force regarding, for example, the right of withdrawal from distance contracts concluded with consumers, and such withdrawal might have some consequences for the user.


The withdrawal of consent (for marketing communications, in the example above), will not lead to the obligation of the data controller to delete the data that is processed for the purpose of performing the contract.


Consequently, data controllers should clearly know the purpose of the processing of each category of data and the legal basis of such processing in order to be able to respond to any requests of data subjects.


Tip to make distinguishing between the two much simpler!


When the processing of personal data obliges neither the data subject nor, in most cases, the data controller to comply with certain terms, conditions or other obligations (except for those related to personal data protection) and, therefore, there is no consequence for the data subject if they withdraw consent, that processing is most likely based on consent as the legal basis of the processing.


On the contrary, when the processing of personal data gives rise to obligations on the data subject and, in most cases, also on the data controller, and non-compliance with those obligations may have some consequences for the data subject, the legal basis of that processing is most likely the necessity of contract performance.

 

Example:

The data controller wants to promote its business and organizes a series of invitation-based events, without any cost for the participants (e.g.: no attendance fee). The data controller will not be able to send invitations by email to potential participants if it does not have their prior consent to receiving such invitations. Although potential participants agreed, in the first place, to receiving such invitations, they can withdraw their consent at any time, which means that they can opt out of receiving such invitations at any time, without any harmful consequences for them, except for not being able to attend such events. On the other hand, if a person is invited to those events as a speaker, in exchange for remuneration, their personal data will be processed by the organizer based on the necessity of performing the contract concluded between them. Therefore, if the speaker requests the deletion of their personal data, depending on the terms of the contract concluded with the data controller, that will probably lead to the termination of the contract, with some liability of the data subject for the damages caused to the data controller, and their personal data will most likely continue to be processed by the data controller on other legal grounds (e.g.: legal obligation or legitimate interest).

 


[2] Romanian Civil Code, art. 71 para. (2)

[3] Ibid, art. 72 para. (2)

[4] Ibid, art. 271

[5] Art. 6 provides for additional legal grounds of processing but, for the purpose of this article, we have mentioned only the indicated ones.

Updated: Feb 11


Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act or DSA) is a piece of legislation recently adopted at EU level as part of a package of legislation aimed at standardising the rules for digital service providers operating in the single market. Its main objective is to prevent illegal and harmful online activities and the spread of misinformation. The DSA focuses on protecting consumers and ensuring a safe digital environment and imposes obligations on operators according to their role in providing intermediary services in the European internal market.


The scope of the DSA includes: (i) intermediary service providers; (ii) hosting providers; (iii) online platforms; and (iv) very large online platforms (VLOPs) and very large online search engines (VLOSEs). Those platforms and online search engines that fall into the "very large" category have already been specifically named by the European Commission. The DSA has already applied to the latter from the end of 2023. As regards the other service providers, the DSA will take effect from 17 February 2024.


Leaving aside the situation of VLOPs and VLOSEs (on which the DSA imposes the most onerous obligations), obligations are imposed on other intermediary service providers according to their role in the market. Below we have selected some general issues to consider, with the caveat that each situation must be treated separately and in a manner tailored to the activity carried out by the provider in question.


Conditioned exemption of liability


As per the DSA, the service provider shall not be liable for the information stored at the request of a recipient of the service, on one of the following conditions: [1] (a) the provider does not have actual knowledge of illegal activity or illegal content and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or illegal content is apparent; or (b) upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the illegal content.


The condition mentioned under (a) above shall not apply where the recipient of the service is acting under the authority or the control of the provider and also with respect to the liability under consumer protection law of online platforms that allow consumers to conclude distance contracts with traders, where such an online platform presents the specific item of information or otherwise enables the specific transaction at issue in a way that would lead an average consumer to believe that the information, or the product or service that is the object of the transaction, is provided either by the online platform itself or by a recipient of the service who is acting under its authority or control.

It should be noted that the DSA does not impose on providers of intermediary services any general obligation to monitor the information which they transmit or store, nor any obligation to actively seek facts or circumstances indicating illegal activity. [2]


The DSA provides for the following obligations applicable to intermediary service providers upon receipt of an order from a public authority:

  • To act against illegal content/activity; [3]

  • To provide the authority with relevant information about the illegal content/activity; [4]

  • To inform the authority of how the order has been acted upon, stating whether and when the order has been acted upon; [5]

  • To inform the recipient of the service concerned of the order received and how the order was acted upon. This information provided to the addressee of the service will include a statement of reasons, possible remedies, and a description of the territorial scope of the order. [6]


Due diligence obligations applicable to providers of intermediary services


The following specific due diligence obligations apply to intermediary service providers:

  • To designate a single point of contact that allows them to communicate directly, by electronic means, with the authorities set out in the DSA; [7]

  • To designate a single point of contact allowing the recipient of the service to communicate directly and rapidly with the provider, by electronic means, but also allowing the recipients of the service to choose means of communication which do not rely exclusively on automated tools; [8]

  • To include in the general conditions of use information on any restrictions they impose on the use of their service in relation to information provided by recipients of the service. Such information will include information on the policies, procedures, measures and tools used for the purpose of content moderation, including algorithmic decision making and human verification, as well as on the rules of procedure of the internal complaints handling system; [9]

  • To make available to the public, in a machine-readable format and in an easily accessible manner, at least once a year, clear and understandable reports on any content moderation they have carried out during the relevant period. [10]


It should be noted that some of the obligations laid down for intermediary service providers do not apply to SMEs that are not very large online platforms.[11]


Application of the DSA in Romania


In Romania, the competent authority for digital services is the National Authority for Management and Regulation in Communications of Romania (ANCOM). The draft law on the establishment of measures for the implementation of DSA is currently in the legislative process in the Romanian Parliament, with an expected adoption date of 22 March 2024, according to information available on the website of the Chamber of Deputies at the time of this article. How the DSA will be applied in Romania remains to be seen, starting with the new text of the law, and continuing with the decisions to be adopted by ANCOM.


[1] Art. 6 DSA

[2] Art. 8 DSA.

[3] Art. 9 (1) DSA

[4] Art. 10 DSA

[5] Art. 9(1) DSA

[6] Art. 9 (5) DSA

[7] Art. 11 DSA

[8] Art. 12 DSA

[9] Art. 14 DSA

[10] Art. 15 DSA

[11] Art. 15(2) DSA.




“The purpose of this Directive is to enhance the enforcement of Union law and policies in specific areas by laying down common minimum standards providing for a high level of protection of persons reporting breaches of Union law.” This is Article 1 of the EU Directive 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law (also referred to as the “Whistleblower Directive” or herein the “Directive”). The Directive lays out several measures which legal entities in the private and public sector need to implement and observe in order to attain the purpose outlined in the cited Article 1.


As per Union law, EU Member States were under an obligation to transpose the Directive in national legislation, with the observance of two deadlines, namely 17 December 2021 and 17 December 2023. The last deadline concerned legal entities in the private sector with 50 to 249 workers, in relation to which Member States were required to bring into force the laws, regulations and administrative provisions necessary to comply with the obligation to establish internal reporting channels.


In Romania, the transposition of the provisions of the Whistleblower Directive due by 17 December 2021 has been carried out through amendments brought to several normative acts,[1] while the provisions due on 17 December 2023 have been transposed by Law No 361/2022 on the protection of whistleblowers in the public interest (“Law 361”).


Below is a non-exhaustive, selective overview of the national particularities included in Law 361 transposing the Directive.

For each topic below, "Directive" gives the provision in the Directive allowing discretion of the Member States, and "Law 361" gives the particularity included in Law 361.

Anonymous reporting

  • Directive: The Directive does not affect the power of Member States to decide whether legal entities in the private or public sector and competent authorities are required to accept and follow up on anonymous reports of breaches.[2]

  • Law 361: Law 361 applies to persons who report or publicly disclose information about violations of the law anonymously.[3] However, the report shall not be pursued when it is submitted anonymously and does not contain sufficient information to allow for analysis and resolution, and the designated person has requested its completion within 15 days, without this request being fulfilled.[4]

Obligations for private sector legal entities with fewer than 50 workers

  • Directive: Member States may require legal entities in the private sector with fewer than 50 workers to establish internal reporting channels and procedures.[5]

  • Law 361: Law 361 does not impose reporting obligations for legal entities employing fewer than 50 workers but does not exclude this possibility. According to the law, in the absence of internal reporting channels in the case of private legal persons with fewer than 50 employees, the whistleblower reporting a breach of the law shall use the external channel.[6]

Appointment of competent authority

  • Directive: Member States shall designate the authorities competent to receive, give feedback and follow up on reports, and shall provide them with adequate resources.[7]

  • Law 361: The main whistleblowing supervisory authority in Romania according to Law 361 is the National Integrity Agency (Agenția Națională de Integritate).

Keeping of records

  • Directive: Obligation of legal entities in the private and public sector and competent authorities to keep records of every report received. Reports shall be stored for no longer than it is necessary and proportionate.[8]

  • Law 361: Reports are kept for 5 years. After the expiry of the 5-year retention period, they are destroyed, regardless of the medium on which they are kept.[9]

Prohibition of retaliation

  • Directive: Member States shall take the necessary measures to prohibit any form of retaliation against whistleblowers.[10]

  • Law 361: Any form of retaliation against whistleblowers in the public interest, threats of retaliation or attempted retaliation is prohibited.[11]

Sanctions

  • Directive: Implementation of effective, proportionate and dissuasive penalties applicable to natural or legal persons that:[12]

  • Directive: hinder or attempt to hinder reporting;

  • Law 361: The following are administrative offences and are punishable by fines:

      • hindering, by any means, the reporting by the person designated to receive and record the reports or by the person who is part of the department designated for this purpose → fine ranging from RON 2,000 to RON 20,000;[13]

      • the unjustified refusal of authorities, public institutions, legal persons governed by public law, as well as legal persons governed by private law to respond to requests from authorities competent to receive reports of violations of the law in the exercise of their duties → fine from RON 3,000 to RON 30,000;[14]

      • non-compliance by the legal persons with the obligation to set up the internal reporting channels → fine from RON 3,000 to RON 30,000;[15]

  • Directive: breach the duty of maintaining the confidentiality of the identity of reporting persons.[16]

  • Law 361:

      • legal persons’ failure to design, set up and manage the way in which reports are received to protect the confidentiality of the identity of the whistleblower and any third party named in the report and to prevent unauthorised personnel from accessing the report → fine from RON 4,000 to RON 40,000;[17]

      • natural persons’ failure to maintain the confidentiality of the identity of the whistleblower, the data subject or third parties → fine from RON 4,000 to RON 40,000.[18]


[1] Including the Civil Code, the Labour Code, the Civil Procedure Code, the Criminal Procedure Code, as well as other laws containing provisions relevant to citizen rights and justice.

[2] Article 6 para. 2) of the Directive.

[3] Article 2 para. 3) of Law 361.

[4] Article 11 para. 1) letter b) of Law 361.

[5] Article 8 para. 7 of the Directive.

[6] Article 5 para. 3) of Law 361.

[7] Article 11 para. 1) of the Directive.

[8] Article 18 para. 1) of the Directive.

[9] Article 7 para. 2) of Law 361.

[10] Article 19 of the Directive.

[11] Article 22 para. 1) of Law 361.

[12] Article 23 of the Directive.

[13] Article 28 para. 2 letter a) of Law 361.

[14] Ibid letter b).

[15] Ibid letter c).

[16] The duty of confidentiality is included in Article 16 of the Directive.

[17] Article 28 para. 2 letter d) of Law 361.

[18] Ibid letter e).

