We aim to analyze the distinctions between "consent/agreement" required for contract conclusion and performance between a data subject and a data controller (a concept that we have further discussed here), and "consent" as the legal basis for processing. This analysis will be presented in a manner that minimizes technical jargon and includes practical examples. Despite appearing similar in legal terms, these concepts possess nuanced differences, which we seek to elucidate.
However, when we discuss two of the legal bases of data processing, namely CONTRACT and CONSENT, the same concept - "consent" - takes on different meanings that, if not well understood, may cause problems while identifying the legal basis of the processing: (i) art. 6 para. 1 lit. (a) of GDPR, namely, CONSENT or (ii) art. 6 para. 1 lit. b), namely the performance of a CONTRACT.
The Romanian dictionary DEX defines the notion of "consent" as "an agreement of the persons entering into a contract."[1]
Also, from the perspective of the Civil Code, the notion of consent is synonymous with "agreement” or “will", as arising from the following legal provisions:
No one can be subjected to any interference in his/her intimate, personal or family life, nor in his/her domicile, residence or correspondence, without his/her consent[2].
It is forbidden to bring prejudice to a person's honour and reputation without his/her consent (...)[3].
Marriage is concluded between a man and a woman through their personal and free consent[4].
From the contractual point of view, consent represents, according to the Civil Code, along with capacity, object and cause, one of the four essential elements for the validity of the contract entered into between two or more persons.
Therefore, for the conclusion of a contract, the consent of the parties is always needed.
Is this consent necessary for the conclusion of a contract the same as the consent provided by the GDPR as the legal basis for processing?
In other words, whenever the data subject gives their consent for the processing of their personal data, do they enter into a contract with the data controller?
How will we know if a data subject has given consent to enter a contract or has given consent without it leading to the conclusion of a contract?
From GDPR perspective, consent is a legal basis of processing different from the performance of the contract.
According to art. 6 of the GDPR, the processing is legal only if and to the extent that at least one of the following conditions applies[5]:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
For someone with legal training, making the distinction is straightforward. However, for data controllers, discerning between consent as the legal basis for processing and consent as a requisite for contract conclusion presents practical challenges.
The correct identification of the legal basis of processing, between the two proposed for our analysis, is extremely important at least for the following considerations that both the data controller and the data subject should be aware of:
if the processing takes place based on the data subject's consent, this means that the data subject can withdraw it at any time, without the data subject being harmed/damaged in any way as a result of the withdrawal, without any consequences being drawn to her.
Example: The data subject submitted a registration for a marathon, providing the organizers with their name, age and contact details and, before starting the marathon, they no longer wish to participate, withdrawing consent. Based on the data subjects’ request, the organizer will exclude them from the list of participants without any negative consequences for the data subject, except for the inherent one, i.e. the loss of the chance to run in that marathon and possibly win a prize.
On the contrary, when the legal basis for the processing is represented by the "necessity of performing a contract" to which the data subject is a party, the withdrawal of the consent might represent, in fact, a manifestation of the right to terminate that contract, which, if terminated, may have some negative consequences, in accordance with the nature and the provisions of the contract, even potential sanctions for the data subject.
Example: A data subject has signed a contract with a travel agency by which they accepted the price of the services, the payment dates and a penalty of x % to the contract value if the price will not be paid in due course. In this case, the exercise of the right to oppose to the processing of the personal data the data subject might exercise, will be considered a request for termination of such contract which will lead, once terminated, to the payment of the agreed penalty due to the failure of paying the agreed price.
The two legal bases can coexist, but the data controller must correctly identify each purpose of the processing and the legal basis related to each of the purposes.
The data controller has the obligation to ensure that the provision of the consent for a specific purpose of the processing which is based on such consent is not obtained through the same action by which consent is given for the conclusion of a contract. Thus, having independent legal grounds, the termination of processing based on one legal basis will not automatically cause the end of the processing based on the other legal basis.
Example: The most relevant example in this regard is the one from the online environment, in the following situation, very often encountered. The user of a shopping website is requested, through separate "boxes", to tick, on the one hand, that he agrees with the "Terms and Conditions" of the website (T&C), and on the other hand, that they wish to receive marketing communications. By ticking the first box, the user expresses their consent to enter into the contract for the sale of the products (it is the consent necessary for the valid conclusion of the contract, in the form of T&C, the processing of personal data having as a legal basis here, the need for the performance of the contract), while by ticking the second box, the user expresses their consent to receive communications (here, the legal basis for processing is consent). While the user can opt-out of marketing communications at any time without any consequence, they can opt out of the T&C only subject to the T&C and legal provisions regarding, for example, the right of withdrawal from distance contracts concluded with consumers. While the user can opt-out for marketing communications at any time without any consequence, withdrawal from the T&C might have some consequences for the user, depending on the T&C provisions and in consideration of the legislation for consumer protection in force regarding the withdrawal from the contracts concluded at distance with the consumers.
The withdrawal of consent (for marketing communications, in the example above), will not lead to the obligation of the data controller to delete the data that is processed for the purpose of performing the contract.
Consequently, data controllers should clearly know the purpose of the processing of each category of data and the legal basis of such processing in order to be able to respond to any requests of data subjects.
Tip to make distinguishing between the two much simpler!
When the processing of personal data obliges neither the data subject and, in most cases, nor the data controller, to comply with certain terms, conditions or other obligations (except for those related to personal data protection) and, therefore, there is no consequence on the data subject if he they withdraw consent, most likely that processing is based on consent, as the legal basis of the processing.
On the contrary, when the processing of personal data gives rise to obligations on the data subject and, in most cases, also on the data controller and whose non-compliance may have some consequences for the data subject, that processing most likely has as legal basis of the processing the necessity of contract performance.
Example:
The data controller wants to promote its business and it organizes a series of invitation based events, without any cost for the participants (e.g.: no attendance fee). The data controller will not be able to send invitations by email to potential participants if it does not have their prior consent to receiving such invitations. Although potential participants agreed, in the first place, to receiving such invitations, they can withdraw their consent at any time, which means that they can opt out of receiving such invitations at any time, without any harmful consequences on them, except for not being able to attend such events. On the other hand, if a person is invited to those events as speaker, in exchange for a remuneration, their personal data will be processed by the organizer based on the necessity of performing the contract concluded between them. Therefore, if the speaker will require the deletion of their personal data, depending on the terms of the contract concluded with the data controller, that will probably lead to the termination of the contract, with some liability of the data subject for the damages caused to the data controller and their personal data will most likely continue to be processed by the data controller on other legal grounds (e.g.: legal obligation or legitimate interest).
[2] Romanian Civil Code, art. 71 para. (2)
[3] Ibid, art. 72 para. (2)
[4] Ibid, art. 271
[5] Art. 6 provides for additional legal grounds of processing but, for the purpose of this article, we have mentioned only the indicated ones.