Processing personal information is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing. While being one of the more well-known legal bases for processing personal information, consent is only one of six bases mentioned in the Protection of Personal Information Act (POPIA). The others are: contract, legal obligations, legitimate (vital) interests of the data subject, public interest and legitimate interest.
The basic requirements for the effectiveness of a valid legal consent are defined in Section 11 of POPIA. Consent must be the voluntary (freely given), speciﬁc and informed expression of will. In order to obtain voluntary consent, it must be given freely. The element “free” implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid. In doing so, the legal text takes a certain imbalance between the responsible party and the data subject into consideration. For example, in an employer-employee relationship: The employee may worry that his/her refusal to consent may have severe negative consequences on his/her employment relationship, thus consent can only be a lawful basis for processing in a few exceptional circumstances. In addition, a so-called “coupling prohibition” or “prohibition of coupling or tying” applies. Thus, the performance of a contract may not be made dependent upon the consent to process further personal information, which is not needed for the performance of that contract.
For consent to be informed and specific, the data subject must at least be notified about the responsible party’s identity, what kind of information will be processed, how it will be used and the purpose of the processing operations as a safeguard against ‘function creep’. The data subject must also be informed about his or her right to withdraw consent anytime. The withdrawal must be as easy as giving consent. Where relevant, the responsible party also has to inform about the use of the information for automated decision-making, the possible risks of data transfers due to absence of an adequacy decision or other appropriate safeguards.
The consent must be bound to one or several specified purposes which must then be sufficiently explained. If the consent should legitimise the processing of special categories of personal data, the information for the data subject must expressly refer to this. There must always be a clear distinction between the information needed for the informed consent and information about other contractual matters.