When Is Consent “Freely Expressed”? GDPR Regulation and Persons with Disabilities

In the previous opinion[1], we discussed some aspects of applying the General Data Protection Regulation (EU) 2016/679[2] (hereinafter, GDPR), which concerns the protection of natural persons with regard to the processing of personal data, to persons with disabilities, focusing on the importance of informing individuals about the processing of their personal data. This opinion aims to detail the conditions under which consent should be used as a legal basis for processing such data and how it can effectively be obtained from individuals with intellectual disabilities.

The GDPR defines strict conditions under which consent can be used as a legal basis for processing individuals’ personal data; it is important for personal data operators to understand these conditions and apply them effectively.

Consent is intended to give individuals a choice regarding how their personal data is processed, as well as a real way to control this processing. Offering genuine consent puts the person in control, builds trust, and engages them in the process.

Regarding vulnerable persons, the GDPR sets an additional level of protection in processing personal data, especially children’s[3]. The regulation does not provide a detailed analysis of vulnerability; however, European legislation must consider and address persons with disabilities[4]. Often, persons with disabilities, particularly those with intellectual disabilities, are unaware of the dangers they expose themselves to when using the internet or when unequivocally accepting ‘Terms and Conditions’ of various websites. Such dangers most commonly include online bullying attacks[5], where the person with disabilities is subjected to harassment and/or insults due to their vulnerability (for example, when seeking help for deinstitutionalization or reporting abuse on different forums).

A study conducted by Inclusion Europe[6] showed that most persons with disabilities do not understand the consequences of exposing their personal data online. This situation also applies to support persons[7] who do not understand or do not have enough information about what the processing of personal data actually entails and the potential consequences when subscribing to various services offered online. Another disadvantage is the lack of accessibility of this information, which is not presented in an easily understandable format.

In these situations, it is crucial that the focus is on requesting informed consent. The information provided should not only be transparent from the moment the processing means are established[8], but should also offer individuals with intellectual disabilities a real, conscious choice over the processing of their personal data. Persons with intellectual disabilities should receive this information for free and in accessible formats. Providing ‘explicit consent’, which many of us do when accessing various websites or signing forms regarding the processing of our personal data by various operators (in most cases without taking a careful look at all those pages), requires the person whose information is being processed to provide a clear and specific statement of their consent. This is even more important for a person with intellectual disabilities.

Following unannounced monitoring visits, we realized that authorities, either due to lack of proper training or ignorance, misuse the process of obtaining consent from persons with intellectual disabilities, which is all the more unnatural when the person is not ‘allowed by law’ to exercise their civil rights themselves.

Public authorities should not rely on consent as a legal basis for processing personal data except when strictly necessary. Social service providers, both public and private, should not collect written consent (or in any other form) before beginning to provide services to persons with intellectual disabilities. It should be clearly highlighted that there are other legal bases through which service providers can ensure compliance with GDPR obligations.

Nonetheless, all authorities acting in the disability sector, especially residential care homes, should adopt a policy on personal data processing and develop a statement on this data processing that highlights the legality of the processing, through the existence of a task serving a public interest[9] or a legal obligation[10] incumbent upon the operator.

Social service providers in the disability sector should ensure the confidentiality of these services, for example:

  • Avoiding sharing details about the nature or content of services provided to persons with disabilities with anyone outside, except where (a) it has been previously agreed upon, or (b) there is an imminent danger to the provider or the person with disabilities, or (c) there is an express provision in the law;
  • If the person with disabilities has been referred to these services by a third party (for example, through a court order), additional information about the content of the services provided should not reach these third parties;
  • Processing data from special categories[11] (referring here especially to the processing of personal data concerning the health of the person with disabilities) must be done in full accordance with GDPR provisions, considering the strict conditions imposed by law when it is strictly necessary and instituting additional, appropriate, enhanced safeguards;
  • No one outside those providing the services should have access to these data or the beneficiary’s file, except in cases expressly provided by law;
  • Measures should be taken to protect the security of any information collected about these persons, whether stored in written or electronic format. Such measures are especially needed in light of the incident that occurred on February 11, 2024[12], which could be repeated at any time and could target the systems of DGASPCs, ANPDPD, or psychiatric hospitals, with potentially fatal consequences for persons with disabilities whose data might end up online, making them even more vulnerable to abuse or discrimination;
  • This data must be kept in a form that allows the identification of persons with disabilities for a period that does not exceed the period necessary for fulfilling the processing purposes[13], and after this period any document must be destroyed;
  • Ensuring an effective way through which persons with disabilities can transparently exercise the rights conferred on them by the regulation.

Regarding the consent given by a support person, legal guardian, or tutor on behalf of a person with disabilities, GDPR does not provide practical ways to collect the consent of these individuals or ways to establish that a person is indeed entitled to do so. In such situations, operators processing personal data should conduct a proportionality test, in accordance with Article 8(2) and Article 5(1)(c) – minimizing the data collected. A proportional approach could focus on collecting a limited amount of information, such as the contact details of the support person[14].

GDPR has set a high standard for consent. Giving your consent requires an ‘opt-in’, so the use of pre-ticked boxes and other forms that already have the consent section filled out (i.e., implied consent) will not be sufficient. Additionally, vaguely expressed or general consent is not enough. Data processing based on consent must specify who the operator is, what data are collected, the types of processing, and the purposes for which they will be processed. Furthermore, consent should be obtained using clear, simple, easy-to-understand language. Operators must keep evidence related to the expression of consent, with all that it entails – who, when, how, and what was told to persons with disabilities or to those who have expressed consent on behalf of a person with disabilities.

Consent should be used as an appropriate legal basis for processing personal data only if the operator can provide individuals with a real choice and effective control over how their personal data are used. If the operator cannot do this, then consent should not be used as a legal basis for data processing. If the operator would process the personal data anyway, even without consent, the request for consent becomes deceptive and unfair to vulnerable individuals – ultimately, this is against the law and can be penalized with administrative fines. All the more so, public authorities should not rely on the use of consent as a legal basis, except in cases where they can demonstrate that it was freely given.

The law must strike a balance between preserving people’s fundamental right to privacy and collecting personal data, which is necessary in most cases for persons with disabilities who must have access to essential social benefits for fulfilling their individualized recovery and rehabilitation plan.

Author: Oana Dodu

[1] Available here: www.crj.ro/regulamentul-gdpr-si-persoanele-cu-dizabilitati-inca-o-aplicare-iluzorie-a-legilor-europene-in-romania/

[2] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

[3] Here referring to all individuals under 18 years old, according to the definition provided by the UN Convention on the Rights of the Child

[4] In 2010, the European Union acceded to the Convention on the Rights of Persons with Disabilities (CRPD)

[5] We recommend, in this context, an article addressing cyberbullying: https://jurnal-social.ro/cyberbullying-ul-problema-secolului-21/

[6] The study, conducted within the SafeSurfing program, available here: www.inclusion-europe.eu/safesurfing-training-people-with-intellectual-disabilities-on-safe-online-behaviour/

[7] In this context, we use the term ‘support persons’ also for individuals who benefit from legal counsel or special guardianship

[8] According to Article 25 of the GDPR Regulation

[9] Regulation (EU) 2016/679 GDPR Article 6 (1)(e)

[10] Regulation (EU) 2016/679 GDPR Article 6 (1)(c)

[11] According to Article 9 of the Regulation

[12] When over 100 hospitals in Romania were affected by a cyber-attack; an interesting analysis of this case is available here: https://romania.europalibera.org/a/spitale-afectate-de-atac-cibernetic-invatamintele-atacului/32819533.html

[13] According to the principle of storage limitation, Article 5 (1)(e) of the Regulation

[14] For more details, see, by analogy, Guidelines 5/2020 on consent under Regulation 2016/679 issued by the EDPB, page 28