GDPR當事人同意之實務採行建議

Practical Advice on the Data Subject Consent of GDPR

Google基於當事人同意基礎下蒐集資料當事人之資料並進行後續處理，但由於其所取得之當事人同意欠缺歐盟個人資料保護規章（GDPR）中規定之明確不含糊、具體、知情等要件，認為將使當事人無法確實掌握其資料被使用之狀況，而被法國資料保護主管機關（CNIL）開罰5,000萬歐元的罰款。當事人同意為GDPR中規範處理當事人資料之六項合法基礎之一。由於資料控制者可以藉由資料蒐集時取得當事人同意，並基於此一合法基礎對資料進行最彈性化的處理與使用。因此，為降低當事人資料遭濫用之情事發生，GDPR第6條針對當事人同意取得規定了「自由給予」、「具體」、「知情」、「不含糊」、「可被撤回」等幾項要件必須被滿足，並規定符合這些要件下所獲得之同意才視為有效同意。倘若取得之同意欠缺前述要件，將有可能面對GDPR高額罰款。

The CNIL, the French data protection regulator, fines Google €50 million under the GDPR. Under the GDPR, the data controllers are required to gain the data subject’s “consent” before collecting their information. However, Google failed to provide enough information to users about its data consent policies and did not give them enough control over how their information is used. The version of obtaining consent was neither “informed” nor “unambiguous” and “specific”. Consent is one of the six conditions for the lawfulness of processing personal data as stipulated in Article 6 of the GDPR. And, it allows you to do just about anything with the data, provided you clearly explain what you are going to do and obtain explicit permission from the data subject. Under the GDPR, consent of the data subject regarding personal data means any freely given, specific, informed, unambiguous and can be withdraw. To obtain valid consent from the data subject will avoid huge GDPR fines.