Consent under the General Data Protection Regulation - Controllers' responsibility and data subjects' right to transparency and self-determination

This is a professional degree thesis at advanced level from Lund University/Department of Law; Lund University/Faculty of Law

Abstract: The General Data Protection Regulation (GDPR) replaces the Data Protection Directive (Directive) in 2018. The European Commission has stated that the Directive no longer provides the protection of personal integrity that individuals are entitled to. The GDPR will harmonize the rules, and its purpose is to give individuals greater control over their data and ensure the free movement of personal data within the European Union. In Sweden, there is a proposal for a new national data protection law to complement the GDPR and replace the current Personal Data Act. This essay will investigate whether, and if so to what extent, the definition and principles of consent have changed through the GDPR in comparison to the Directive and the Personal Data Act. It will also investigate how the GDPR may affect individuals' control of their personal data as well as the liability of the controller. The current legislation has no precedent rulings; hence information about the reasoning behind the GDPR has been collected from the recitals of the GDPR as well as statements by working groups that the Commission has appointed. Furthermore, rulings under the Directive have been used where applicable in relation to the GDPR. Commentary on the Personal Data Act has been used to understand how it has been applied in Sweden. Articles written about the GDPR and the new rules have been used to highlight problems and issues raised by those knowledgeable on the subject. The material scope of the GDPR will not change to any great extent compared to the Personal Data Act. However, as the Personal Data Act disappears, any automated processing of personal data will now fall within the scope of the GDPR, which has not been the case under the Personal Data Act. The territorial scope will expand, mainly in relation to controllers or processors established outside the EU that direct their services to individuals within the Union.
The GDPR will also clarify the conditions for valid processing and consent. For example, it will require a higher level of transparency and put further demands on controllers with regard to processing and consent. The conditions for valid consent will largely be the same in the GDPR as in the Personal Data Act and in the Directive, but the condition on informing the data subject will be strengthened. Long, complicated legal texts will no longer be a valid way of informing the subject about the processing. Instead, this information will need to be separated or otherwise clearly distinguished if it forms part of an agreement. The GDPR also clarifies what information the personal data controller has to provide, such as the individual's right to withdraw consent and what the data specifically will be used for. In order to be valid, consent will also need to be given through a clear affirmative action. One of the biggest changes in the GDPR concerns the rules regarding the ability of children to give valid consent in relation to the offer of Information Society Services. While an assessment of the child's maturity and understanding has been used to decide if a child can give legal consent in both the Personal Data Act and the Directive, an age limit is now introduced through the GDPR. Its purpose is to strengthen children's rights. The GDPR sets this age limit at 16 years. When a child is below the age of 16, valid consent must instead be given by the holder of parental responsibility. The change has been criticized since it will not be harmonizing, and since it is unclear how safe verifications of age can be gathered, how extensive the parental responsibility will be and how this may affect children's right to privacy in relation to their parents. In Sweden, the proposal is to reduce the age limit to 13 years, and this has received similar criticism during consultations about the proposal.
As consent for "common" personal data will change and become stricter, explicit consent, which is required to process sensitive data, use profiling or transfer information to third countries, will also have to become stricter even though the requirement is the same as in the Personal Data Protection Act and the Directive. Although the lawfulness of consent doesn't change much through the GDPR, consent needs to be interpreted in relation to the purpose of the GDPR in order to strengthen personal integrity. The condition to make information clearer, more accessible and easily communicated will likely mean that several controllers need to review how they provide their information. This can directly affect situations where information and consent are given orally, which is common in a store when an individual wants to become a member of the store's customer club. How controllers gather consent and the individual's right to be able to choose to consent to only one out of several specific purposes of processing data, along with the exemption that has exempted most automatic processing from the Personal Data Act, will require controllers to assess and reevaluate the data they process. Furthermore, it remains to be seen what age limit will be implemented in different Member States and how children will be protected. Controllers will only need to take reasonable steps to ensure that valid consent is obtained, and children will most likely find new ways to give valid consent on their own. In relation to the Swedish law proposal, it must also be questioned whether children from the age of 13 years are mature enough to understand the meaning of consent. To ensure their right to be protected, the age should probably be raised to at least 15 years. The GDPR will lead to increased demands and increased responsibility for controllers.
In view of the high sanction fees if controllers do not comply with the requirements of the GDPR, it is most likely that personal data administrators will ensure that all necessary measures are taken to avoid legal sanctions. The GDPR will, inter alia through the information requirement, also provide data subjects with increased opportunities to control how their personal data is handled. However, it will be up to the data subjects to access the information given to them for the consent to have its full effect.
