CLVPartners

consent

Online presence in the shadow of GDPR – rules for consent-based data processing


In order to remain competitive, it is no longer merely an advantage for companies to have an online presence, but a fundamental requirement. Websites and newsletters facilitate communication with customers, while providing an opportunity for addressees to learn about the latest services and offers firsthand. At the same time, it is important to note that this may also involve the processing of personal data, which is subject to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”; “GDPR”). Accordingly, data processing for marketing purposes is only possible with the express consent of the data subjects, in strict compliance with the requirements set out in the GDPR. In this article, we summarize the most important rules relating to consent-based data processing.

When to apply GDPR?

As outlined by the National Authority for Data Protection and Freedom of Information (“NAIH”) in its material on website privacy settings and cookies, processing the personal data of natural persons acting on behalf of companies (e.g., employees, private individual clients) falls under the scope of the GDPR. For instance, collecting, recording, storing, and using a customer’s name, phone number, address, email address, or bank account number constitutes data processing. This implies that if a company processes data relating exclusively to legal persons, its activities do not fall within the scope of the General Data Protection Regulation, and therefore compliance with its provisions is not mandatory for it. However, in many cases, the contact details of the legal person (e.g., name, personal email address, position) are essential for communication, which involves data processing.

Similarly, for newsletter subscriptions, targeted requests (also known as asking for a callback), or tools that support the effective functioning of websites, such as cookies or visitor measurement, it is essential for the company to process natural persons’ data, which is why this type of data processing will also fall under the scope of the GDPR.

Consent as a possible legal basis for processing personal data

The fundamental rule of data processing is that, in the absence of a valid legal basis, processing personal data is not considered to be lawful. One of the legal bases for data processing – most commonly required for data processing for marketing purposes – is the consent of the data subject.

Conditions for consent

According to the GDPR, consent is valid if it is freely given, specific, based on adequate information, and unambiguous, indicating that the data subject agrees to the processing of his/her personal data.

Freely given

Consent can be freely given if individuals can refuse and withdraw their consent without risk of external pressure or negative consequences. Therefore, it cannot be considered voluntary if the data subject has no real choice, feels pressured to consent, or faces negative consequences from the data controller if they refuse to consent. This was confirmed by the recent opinion of the European Data Protection Board (“EDPB”), which stated that so-called “pay or consent” models do not meet the requirement of freely given consent. This is due to the fact that such models are based on offering data subjects a choice: either they consent to the processing of their personal data, or they pay a fee to prevent their data from being processed.

The voluntary nature of consent also implies that the data subject has the right to withdraw the consent at any time.

Specific and appropriate information

In order for consent to be valid, the purpose of data processing must also be specific. This condition is closely linked to the condition of informed consent. Therefore, individuals must be informed of the specific purposes in simple and easily understandable language so that they have a clear understanding of the purpose for which their data is being processed. This also means that if the purposes of the data processing operation change or further data processing operations are being added, consent must be obtained from individuals again. Likewise, if a data processing operation has multiple purposes, separate consent must be obtained for each purpose for the processing to be lawful. When providing information, the data subject must also be made aware that they may withdraw their consent at any time.

Unambiguous consent

According to the GDPR, a statement by the data subject or a clear affirmative action is required for the consent to be unambiguous. In practice, this means that consent can only be given through an active action or statement. The EDPB considers that the comprehensive acceptance of general terms and conditions does not constitute an act of confirmation that is unambiguously expressed. The GDPR also expressly prohibits data controllers from offering pre-ticked boxes or mechanisms that require the data subject to take action to prevent consent from being given (so-called opt-out systems).

Duration and demonstration of consent

The General Data Protection Regulation does not provide for any limitation on the duration of consent. However, this does not mean that personal data can be processed indefinitely with the consent of the data subject. The duration of consent depends in each case on the context of the data processing in question. In order to determine the duration correctly, it is therefore necessary to assess the circumstances of the data processing.

Furthermore, the GDPR stipulates that during data processing, the data controller must always be able to adequately demonstrate the existence of the consent.

Without claiming to be exhaustive, we merely refer to the fact that the General Data Protection Regulation lays down additional conditions in relation to the consent of children and special categories of data.

Summary

The online presence of companies—for example, through websites and newsletters—is essential to maintaining competitiveness, but it can also involve the processing of personal data, which falls under the scope of the GDPR. Personal data may only be processed on an appropriate legal basis, the existence of which is essential in all cases. When developing and enhancing their marketing strategies, it is crucial for companies to simultaneously establish and review their data processing frameworks to ensure that their data processing activities comply with the GDPR.

Photo source: pexels.com, Tara Winstead


Data Subject Rights and the Importance of Consent in Online Content Creation


With the development of digital platforms, anyone can become a content creator today: a smartphone, a good idea, and a few clicks are enough for our messages, videos, or pictures to reach thousands of people. However, online presence carries not only creative opportunities but also legal responsibilities and risks. When sharing various types of content – such as posts or videos – especially if identifiable persons appear in them, the processing of personal data occurs.

General applicability of the GDPR

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”), on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, serves a dual purpose: it ensures the protection of individuals’ personal data while also providing a framework for the free flow of such data within the European Union. The GDPR sets out in detail the rights of data subjects and the obligations of data controllers.

At the same time, the GDPR is not applicable in certain exceptional cases; one such exception applies when a natural person processes personal data exclusively for personal purposes. Examples include private correspondence, whether on paper or electronic, storage of addresses or contact details, personal notes or diaries, family photographs, communication on social networks, and other online activities. These exceptions must be interpreted narrowly, and data processing only falls outside the scope of the GDPR if it serves a purely private purpose – that is, it has no community, professional, or economic aspect. Thus, if data can be accessed by an indefinite number of persons or is made public, the activity no longer qualifies as private data processing. In the case of data processing carried out by business entities, personal or household use cannot be invoked. Therefore, the publication of any online content containing personal data (such as photographs, audio recordings, or other information) – whether it concerns employees or any other natural person – requires appropriate legal diligence in all cases.

Data processing related to online content creation

Digital platforms widely enable users to create and share photos, videos, or audio recordings – even of other people. The question may arise whether data protection rules apply in such cases. Since uploaded recordings – including images, voices, or other identifiable information – constitute personal data and are made accessible to the public, their processing falls under the GDPR.

One of the fundamental principles of data protection is that any processing of personal data must be based on a valid legal basis. When a data controller undertakes any activity involving the processing of personal data, it must carefully assess which legal basis best suits the intended purpose. In the context of content creation, data processing most commonly relies on the data subject’s consent.

Obtaining consent is crucial, as recording or publishing someone else’s image or voice is only lawful if the data subject has given explicit, informed, and prior consent. Simply tolerating the presence of a camera or answering a question does not constitute valid consent. This demonstrates how strictly the GDPR defines the requirement of a lawful basis: unlike the Hungarian Civil Code (“Civil Code”), which allows certain exceptions for public figures or mass recordings, the GDPR does not provide such derogations. This highlights the coexistence of parallel legal frameworks – compliance with the Civil Code does not necessarily mean compliance with data protection law, thus each legal regime has distinct requirements for lawful conduct.

Consequences of Non-Compliance

Publishing content online without a valid legal basis – such as consent – constitutes a violation of data protection rules. Unlawful data processing can have serious consequences, including regulatory procedures and administrative fines. If a recording is made or published without permission and results in significant harm to an individual’s interests, the act may not only be unlawful under data protection law but could also amount to a criminal offence or establish a claim for non-pecuniary damages under the Civil Code, depending on the circumstances. Liability always lies with the person who created or published the recording.

Particularly high-risk situations include cases involving children, healthcare settings, political opinions, or other sensitive personal data. If such content is shared without the data subject’s knowledge or consent, it does not qualify as private activity and is considered full-fledged data processing under the GDPR. In such cases, data subjects have the right to request information, withdraw consent, demand deletion of recordings, and pursue legal remedies.

Summary

Presence in the online space – particularly in the context of corporate communications, marketing, or HR content creation – requires careful data protection practices. What may not entail legal consequences under the Civil Code can still constitute a data protection violation.

Consent is therefore not a mere formality, but one of the fundamental prerequisites for lawful data processing. Organizations – whether content creators or employers – are advised to establish internal procedures, training programs, or policies to manage the data protection risks associated with online content creation.

Respecting data subject rights, properly documenting consents, and complying with GDPR requirements are not only matters of legal compliance, but also essential for maintaining corporate reputation and trust.

Photo source: pexels.com, Plann

