By now, the General Data Protection Regulation (GDPR) has become familiar to anyone handling legal matters related to privacy and data protection. The GDPR imposes obligations on organizations—regardless of their geographical location—that target or collect data on European Union citizens. However, someone unfamiliar with the regulation may find it difficult to grasp—the document contains 99 articles and 173 recitals!
As mentioned, the GDPR consists of two components: the articles and recitals. The articles constitute the legal requirements organizations must follow to demonstrate compliance. The recitals provide additional information and supporting context to supplement the articles.
The European Data Protection Board—formerly Article 29 Working Party—relies on the recitals to interpret the articles. Furthermore, the Court of Justice of the European Union reviews the recitals to decide the meaning and application of the GDPR.
Through the recitals, organizations learn when and how to comply with the GDPR. For instance, the recitals answer questions such as “When should my company report a breach?” and “When is it necessary to report a loss of data?”
For example, Recital 32 supplements Article 4(11) and provides a detailed discussion of the definition of “consent.”
Article 4(11) states “‘[c]onsent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Recital 32 provides examples of a clear affirmative act signifying consent: ticking a box when visiting an internet website, choosing technical settings for information society services, or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Recital 32 also states what does not constitute consent: “Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
Recital 42 provides additional context for Article 7. Article 7(2) reads:
If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
Recital 42 reads:
Consent must be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Lawyers, consultants, and others who maintain a GDPR compliance program must review both the articles and the recitals when assessing an organization’s compliance. For those interested, the United Kingdom Information Commissioner’s Office (ICO) provides a document that presents each article together with its associated recitals, rather than in separate sections.
Leonard Wills is a presidential management fellow in Washington D.C.