Navegaci贸n
RGPD > Art铆culo聽7. Condiciones para el consentimiento
Descargar PDF

Art铆culo聽7 RGPD. Condiciones para el consentimiento

Article 7 GDPR. Conditions for consent

1. Cuando el tratamiento se base en el consentimiento del interesado, el responsable deber谩 ser capaz de demostrar que aquel consinti贸 el tratamiento de sus datos personales.

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

Textos enlazados

2. Si el consentimiento del interesado se da en el contexto de una declaraci贸n escrita que tambi茅n se refiera a otros asuntos, la solicitud de consentimiento se presentar谩 de tal forma que se distinga claramente de los dem谩s asuntos, de forma inteligible y de f谩cil acceso y utilizando un lenguaje claro y sencillo. No ser谩 vinculante ninguna parte de la declaraci贸n que constituya infracci贸n del presente Reglamento.

2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

Considerandos

(42) Cuando el tratamiento se lleva a cabo con el consentimiento del interesado, el responsable del tratamiento debe ser capaz de demostrar que aquel ha dado su consentimiento a la operaci贸n de tratamiento. En particular en el contexto de una declaraci贸n por escrito efectuada sobre otro asunto, debe haber garant铆as de que el interesado es consciente del hecho de que da su consentimiento y de la medida en que lo hace. De acuerdo con la Directiva 93/13/CEE del Consejo [10], debe proporcionarse un modelo de declaraci贸n de consentimiento elaborado previamente por el responsable del tratamiento con una formulaci贸n inteligible y de f谩cil acceso que emplee un lenguaje claro y sencillo, y que no contenga cl谩usulas abusivas. Para que el consentimiento sea informado, el interesado debe conocer como m铆nimo la identidad del responsable del tratamiento y los fines del tratamiento a los cuales est谩n destinados los datos personales. El consentimiento no debe considerarse libremente prestado cuando el interesado no goza de verdadera o libre elecci贸n o no puede denegar o retirar su consentimiento sin sufrir perjuicio alguno.

(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive聽93/13/EEC聽[10]聽a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

[10] Directiva 93/13/CEE del Consejo, de 5 de abril de 1993, sobre las cl谩usulas abusivas en los contratos celebrados con consumidores (DO L 95 de 21.4.1993, p. 29). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:1993:095:TOC

[10] Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:1993:095:TOC

Textos enlazados

3. El interesado tendr谩 derecho a retirar su consentimiento en cualquier momento. La retirada del consentimiento no afectar谩 a la licitud del tratamiento basada en el consentimiento previo a su retirada. Antes de dar su consentimiento, el interesado ser谩 informado de ello. Ser谩 tan f谩cil retirar el consentimiento como darlo.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 7(3) GDPR:

7.3.4 Providing mechanism to modify or withdraw consent

Control

The organization should provide a mechanism for PII principals to modify or withdraw their consent.

Implementation guidance

The organization should inform PII principals of their rights related to withdrawing consent (which may vary by jurisdiction) at any time, and provide the mechanism to do so.


para acceder al texto completo

Textos enlazados

4. Al evaluar si el consentimiento se ha dado libremente, se tendr谩 en cuenta en la mayor medida posible el hecho de si, entre otras cosas, la ejecuci贸n de un contrato, incluida la prestaci贸n de un servicio, se supedita al consentimiento al tratamiento de datos personales que no son necesarios para la ejecuci贸n de dicho contrato.

4. When assessing whether consent is freely given, utmost account shall be taken of whether,聽inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.

Here is the relevant paragraph to article 7(4) GDPR:

8.2.3 Marketing and advertising use

Control

The organization should not use PII processed under a contract for the purposes of marketing and advertising without establishing that prior consent was obtained from the appropriate PII principal.


para acceder al texto completo

Considerandos

(43) Para garantizar que el consentimiento se haya dado libremente, este no debe constituir un fundamento jur铆dico v谩lido para el tratamiento de datos de car谩cter personal en un caso concreto en el que exista un desequilibro claro entre el interesado y el responsable del tratamiento, en particular cuando dicho responsable sea una autoridad p煤blica y sea por lo tanto improbable que el consentimiento se haya dado libremente en todas las circunstancias de dicha situaci贸n particular. Se presume que el consentimiento no se ha dado libremente cuando no permita autorizar por separado las distintas operaciones de tratamiento de datos personales pese a ser adecuado en el caso concreto, o cuando el cumplimiento de un contrato, incluida la prestaci贸n de un servicio, sea dependiente del consentimiento, a煤n cuando este no sea necesario para dicho cumplimiento.

(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

(32) El consentimiento debe darse mediante un acto afirmativo claro que refleje una manifestaci贸n de voluntad libre, espec铆fica, informada, e inequ铆voca del interesado de aceptar el tratamiento de datos de car谩cter personal que le conciernen, como una declaraci贸n por escrito, inclusive por medios electr贸nicos, o una declaraci贸n verbal. Esto podr铆a incluir marcar una casilla de un sitio web en internet, escoger par谩metros t茅cnicos para la utilizaci贸n de servicios de la sociedad de la informaci贸n, o cualquier otra declaraci贸n o conducta que indique claramente en este contexto que el interesado acepta la propuesta de tratamiento de sus datos personales. Por tanto, el silencio, las casillas ya marcadas o la inacci贸n no deben constituir consentimiento. El consentimiento debe darse para todas las actividades de tratamiento realizadas con el mismo o los mismos fines. Cuando el tratamiento tenga varios fines, debe darse el consentimiento para todos ellos. Si el consentimiento del interesado se ha de dar a ra铆z de una solicitud por medios electr贸nicos, la solicitud ha de ser clara, concisa y no perturbar innecesariamente el uso del servicio para el que se presta.

(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Textos enlazados
Comentario de expertos ISO 27701 Considerandos Ley de Directrices y caso Deja un comentario
Comentario de expertos

(EN) A controller relying on consent as a legal basis to collect, store or use data should respect the basic principles stated in article 4 (11), which provides a legal definition of the notion, and always make sure that it meets the additional conditions listed in article 7. A person must supply a 鈥freely given鈥 consent, distinct from other related matters, and s/he should be offered a 鈥genuine choice鈥 between accepting or refusing to provide it without having to suffer any negative consequences (Guidelines on Consent聽and recital 42). It is also essential to offer a person full control over her/his consent, including the possibility to withdraw it at any time, and to keep adequate records of consents.


para acceder al texto completo

Louis-Philippe Gratton
(EN) Louis-Philippe Gratton PhD, LLM
(EN) Privacy Expert

(EN)

Data Subject Request Letter Sample

Concern: Withdrawal of consent to process my personal data

Dear Madam, Dear Sir,

You are currently processing my personal data based on my consent鈥


para acceder al texto completo

(EN) Author
Louis-Philippe Gratton
(EN) Louis-Philippe Gratton PhD, LLM
(EN) Privacy Expert
ISO 27701

(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to articles 7(1) and 7(2) GDPR:

7.2.4 Obtain and record consent

Control

The organization should obtain and record consent from PII principals according to the documented processes.

Implementation guidance

The organization should obtain and record consent from PII principals in such a way that it can provide on request details of the consent provided (for example the time that consent was provided, the identification of the PII principal, and the consent statement).


para acceder al texto completo

Considerandos

(32) El consentimiento debe darse mediante un acto afirmativo claro que refleje una manifestaci贸n de voluntad libre, espec铆fica, informada, e inequ铆voca del interesado de aceptar el tratamiento de datos de car谩cter personal que le conciernen, como una declaraci贸n por escrito, inclusive por medios electr贸nicos, o una declaraci贸n verbal. Esto podr铆a incluir marcar una casilla de un sitio web en internet, escoger par谩metros t茅cnicos para la utilizaci贸n de servicios de la sociedad de la informaci贸n, o cualquier otra declaraci贸n o conducta que indique claramente en este contexto que el interesado acepta la propuesta de tratamiento de sus datos personales. Por tanto, el silencio, las casillas ya marcadas o la inacci贸n no deben constituir consentimiento. El consentimiento debe darse para todas las actividades de tratamiento realizadas con el mismo o los mismos fines. Cuando el tratamiento tenga varios fines, debe darse el consentimiento para todos ellos. Si el consentimiento del interesado se ha de dar a ra铆z de una solicitud por medios electr贸nicos, la solicitud ha de ser clara, concisa y no perturbar innecesariamente el uso del servicio para el que se presta.

(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

(33) Con frecuencia no es posible determinar totalmente la finalidad del tratamiento de los datos personales con fines de investigaci贸n cient铆fica en el momento de su recogida. Por consiguiente, debe permitirse a los interesados dar su consentimiento para determinados 谩mbitos de investigaci贸n cient铆fica que respeten las normas 茅ticas reconocidas para la investigaci贸n cient铆fica. Los interesados deben tener la oportunidad de dar su consentimiento solamente para determinadas 谩reas de investigaci贸n o partes de proyectos de investigaci贸n, en la medida en que lo permita la finalidad perseguida.

(33) It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

(42) Cuando el tratamiento se lleva a cabo con el consentimiento del interesado, el responsable del tratamiento debe ser capaz de demostrar que aquel ha dado su consentimiento a la operaci贸n de tratamiento. En particular en el contexto de una declaraci贸n por escrito efectuada sobre otro asunto, debe haber garant铆as de que el interesado es consciente del hecho de que da su consentimiento y de la medida en que lo hace. De acuerdo con la Directiva 93/13/CEE del Consejo [10], debe proporcionarse un modelo de declaraci贸n de consentimiento elaborado previamente por el responsable del tratamiento con una formulaci贸n inteligible y de f谩cil acceso que emplee un lenguaje claro y sencillo, y que no contenga cl谩usulas abusivas. Para que el consentimiento sea informado, el interesado debe conocer como m铆nimo la identidad del responsable del tratamiento y los fines del tratamiento a los cuales est谩n destinados los datos personales. El consentimiento no debe considerarse libremente prestado cuando el interesado no goza de verdadera o libre elecci贸n o no puede denegar o retirar su consentimiento sin sufrir perjuicio alguno.

(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive聽93/13/EEC聽[10]聽a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

[10] Directiva 93/13/CEE del Consejo, de 5 de abril de 1993, sobre las cl谩usulas abusivas en los contratos celebrados con consumidores (DO L 95 de 21.4.1993, p. 29). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:1993:095:TOC

[10] Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:1993:095:TOC

(43) Para garantizar que el consentimiento se haya dado libremente, este no debe constituir un fundamento jur铆dico v谩lido para el tratamiento de datos de car谩cter personal en un caso concreto en el que exista un desequilibro claro entre el interesado y el responsable del tratamiento, en particular cuando dicho responsable sea una autoridad p煤blica y sea por lo tanto improbable que el consentimiento se haya dado libremente en todas las circunstancias de dicha situaci贸n particular. Se presume que el consentimiento no se ha dado libremente cuando no permita autorizar por separado las distintas operaciones de tratamiento de datos personales pese a ser adecuado en el caso concreto, o cuando el cumplimiento de un contrato, incluida la prestaci贸n de un servicio, sea dependiente del consentimiento, a煤n cuando este no sea necesario para dicho cumplimiento.

(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

Ley de Directrices y caso Deja un comentario
[js-disqus]