Language of document : ECLI:EU:C:2020:158

Provisional text

OPINION OF ADVOCATE GENERAL

SZPUNAR

delivered on 4 March 2020(1)

Case C61/19

Orange România SA

v

Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

(Request for a preliminary ruling from the Tribunalul Bucureşti (Regional Court, Bucharest, Romania))

(Preliminary reference — Directive 95/46/EC — Regulation (EU) 2016/679 — Protection of individuals with regard to the processing of personal data and the free movement of such data — Mobile telecommunication services — Concept of consent of the data subject — Indication of specific and informed wishes — Declaration of consent by means of a tick box — Burden of proof)






1.        The present request for a preliminary ruling from the Tribunalul Bucureşti (Regional Court, Bucharest, Romania) stems from a dispute between a provider of telecommunication services and a national data protection authority as to the obligations of the former in the context of contractual negotiations with a customer when it comes to copying and storing the copy of an ID card.

2.        It will provide the Court with the opportunity to further clarify the concept of ‘consent’ of a data subject, a central feature of EU data protection law, which is ultimately rooted in the fundamental right to data protection. In this connection, the Court should also address the question of the burden of proof as to whether or not the data subject has given consent.

 Legal framework

 EU law

 Directive 95/46/EC

3.        Pursuant to Article 2(h) of Directive 95/46/EC, (2) for the purposes of that directive, ‘“the data subject’s consent” shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’.

4.        Chapter II of that directive deals with general rules on the lawfulness of the processing of personal data.

5.        Article 6 of the same directive, on ‘principles relating to data quality’, (3) is worded as follows:

‘1.      Member States shall provide that personal data must be:

(a)      processed fairly and lawfully;

(b)      collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

(c)      adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

2.      It shall be for the controller to ensure that paragraph 1 is complied with.’

6.        Article 7 of Directive 95/46 deals with ‘criteria for making data processing legitimate’. (4) According to that provision:

‘Member States shall provide that personal data may be processed only if:

(a)      the data subject has unambiguously given his consent; or

(b)      processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; ...

...’

 Regulation (EU) 2016/679

7.        Pursuant to Article 4(11) of Regulation (EU) 2016/679, (5) for the purpose of that regulation, ‘“consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.

8.        Article 6(1)(a) and (b) of that regulation is worded as follows:

‘Processing shall be lawful only if and to the extent that at least one of the following applies:

(a)      the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b)      processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

9.        Article 7(1) of the same regulation states that ‘where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data’.

 Romanian law

10.      The legea nr. 677/2001 pentru protecția persoanelor cu privire la prelucrarea datelor cu caracter personal și libera circulație a acestor date (Law No 677/2001 on the protection of persons with regard to the processing of personal data and on the free movement of such data; ‘Law No 677/2001’) (6) sets out to transpose the provisions of Directive 95/46 into national law.

11.      Article 32 of that law reads as follows:

‘The processing of personal data by a controller, or by a person mandated by him, in breach of the provisions of Articles 4 to 10 or without due regard to the rights provided for in Articles 12 to 15 or Article 17, shall constitute an administrative offence unless it is carried out in such circumstances as to constitute a criminal offence, and shall be penalised by a fine of between 10 000 000 old lei [1 000 Romanian lei (RON)] and 250 000 000 old lei [RON 25 000].’

 Facts, procedure and questions referred

12.      Orange România SA is a provider of mobile telecommunication services on the Romanian market, offering services both under the ‘PrePay’ system (7) and pursuant to the conclusion of a service contract. (8)

13.      On 28 March 2018, the Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (National Authority for the Supervision of the Processing of Personal Data, Romania; ‘the ANSPDCP’), on the basis of Article 32 of Law No 677/2001, read in conjunction with Article 8 of that law, issued a report which included the imposition of an administrative penalty on Orange România on the ground that copies of the identity documents of its customers had been taken and kept without their express consent.

14.      In this respect, the ANSPDCP noted that Orange România had concluded paper-based contracts for the provision of mobile telecommunication services with individual customers at business premises and that copies of their identity documents were annexed to those contracts. The content of those contracts included, inter alia, a statement of the fact that the customer had been informed of and had consented to the collection and storage (by Orange România) of those copies and that the existence of the customers’ consent had been established by the insertion of crosses in boxes in the written documentation evidencing the contract.

15.      The relevant passage of the contracts in question reads as follows:

‘A statement by the customer that:

(i)      he has been informed, prior to concluding the contract, of the chosen tariff plan, the applicable tariffs, the minimum duration of the contract, the conditions for terminating [the contract] and the terms for obtaining and using the services, including the area covered by the services, in accordance with Article 11 of ANCOM [the National Authority for Management and Regulation in Communications] Decision No 158/2015 and with O.U.G. v [No] 34/2014 (Legislative Decree No 34/2104), and of his right unilaterally to terminate the contract, which may be exercised pursuant to Article 1.17 of the General Terms and Conditions;

(ii)      Orange România has provided the customer with all the necessary information to enable him to give his non-defective, express, free and specific consent to the conclusion and express acceptance of the contract, including all the contractual documentation, the General Terms and Conditions and the Brochure of Tariffs and Services;

(iii)      he has been informed of and has consented to the following:

the processing of personal data for the purposes referred to in Article 1.15 of the General Terms and Conditions;

the keeping [by Orange] of copies of documents containing personal data for the purposes of identification;

the agreement to the processing of personal data (contact number and email) for direct marketing purposes;

the agreement to the processing of personal data (contact number and email) for market research purposes;

I have read and expressly agree to the keeping of documents containing personal data relating to state of health;

the data referred to in Article 1.15(10) of the General Terms and Conditions are not included in subscriber information and subscriber directory services.’

16.      According to the ANSPDCP, Orange România has failed to prove that customers made an informed choice as to the collection and storage of the copies of their identity papers.

17.      Orange România brought an action against the fine of 28 March 2018 before the referring court.

18.      According to the findings of the referring court, there are contracts in which the choice freely expressed by the customer as regards the retention of a copy of his or her identity document is indicated by the insertion of a cross in a box, as well as contrary cases in which the customers have refused to express such agreement. It would appear from Orange România’s ‘internal procedures’ for selling that, in the latter cases, Orange România introduced the necessary information regarding the customer’s refusal to keep a copy of the identity document by completing a specific form to this effect and then concluded the contract. Thus, despite the indications contained in the Orange România’s general terms and conditions, Orange România did not refuse to conclude subscription contracts with customers, even when they refused to consent to the retention of a copy of their identity card.

19.      The referring court considers that, in these circumstances, it is particularly important for the Court to rule on the criteria for determining whether consent is ‘specific’ and ‘informed’ and, where appropriate, on the probative value of the signature of contracts such as those at issue in the main proceedings.

20.      It is in these circumstances that, by order of 14 November 2018, received at the Court on 29 January 2019, the Tribunalul Bucureşti (Regional Court, Bucharest) referred the following questions for a preliminary ruling:

‘(1)      For the purposes of Article 2(h) of [Directive 95/46], what conditions must be fulfilled in order for an indication of wishes to be regarded as specific and informed?

(2)      For the purposes of Article 2(h) of [Directive 95/46], what conditions must be fulfilled in order for an indication of wishes to be regarded as freely given?’

21.      Written observations were lodged by the parties to the main proceedings, the Romanian, Italian, Austrian and Portuguese Governments and the European Commission. Orange România, the Romanian Government and the European Commission were represented at the hearing that was held on 11 December 2019.

 Assessment

22.      In the present case, the Court is called upon to specify the conditions under which consent to the processing of personal data may be considered valid.

 Preliminary remarks

 On the applicable legal instruments

23.      Regulation 2016/679, which has been applicable since 25 May 2018, (9) repealed Directive 95/46 with effect from the same date. (10)

24.      The decision of the ANSPDCP at issue in the main proceedings was adopted on 28 March 2018, which precedes the date from which Regulation 2016/679 is applicable. Nevertheless, the ANSPDCP not only imposed a fine on Orange România but also required it to destroy the copies of the identity documents at issue. The dispute in the main proceedings also relates to this latter injunction. This injunction has effect for the future, which is why that regulation appears to be applicable in so far ratione temporis.

25.      As a consequence, the questions referred should be answered having regard to both Directive 95/46 and Regulation 2016/679. (11) Moreover, that regulation will have to be taken into account in the analysis of the provisions of Directive 95/46. (12)

 Defining the scope of the questions for a preliminary ruling

26.      The two questions posed by the referring court are phrased in too general and abstract a manner and need to be somewhat adapted so as to match them with the facts of the main proceedings, in order to guide the referring court and provide a useful reply to the questions. In order to do this, I deem it essential to briefly point to the facts of the main proceedings as they result from the order of the referring court and information provided by the parties to the proceedings, notably during the hearing before the Court.

27.      The national data protection authority in Romania, the ANSPDCP, penalised Orange România for collecting and retaining copies of identity documents of its customers without their consent. That authority found that the company had concluded contracts for the provision of mobile telecommunication services and that copies of identity documents were annexed to those contracts. Those contracts allegedly stipulated that the customers had been informed and had given their consent to the collection and storage of those copies, as evidenced by the insertion of crosses in boxes in the contractual clauses. However, according to the findings of the ANSPDCP, Orange România has not provided evidence that, at the time the contracts were concluded, the customers concerned had made an informed choice as to the collection and storage of those copies.

28.      When a person wishing to enter into a contractual relationship with Orange România is advised by a representative from that company on the stipulations of a specific contract, that representative works, usually on a computer, with a template of a contract which contains a checkbox on the conservation of an ID document. The customer appears to be informed that this checkbox need not be ticked. If the customer does not agree with his or her ID document being photocopied and conserved, he or she has to document this, on the contract and in handwriting. This latter handwriting requirement appears to result from the internal sales rules of Orange România. Moreover, the customer is informed that he or she can refuse, but merely in oral, and not in written form.

29.      Against this background, I understand the two questions, which should be examined together, as the referring court seeking to ascertain whether a data subject intending to enter into a contractual relationship for the provision of telecommunication services with an undertaking gives his or her ‘specific and informed’ and ‘freely expressed’ consent within the meaning of Article 2(h) of Directive 95/46 and Article 4(11) of Regulation 2016/679, to that undertaking when he or she needs to state, in handwriting, on an otherwise standardised contract, that he or she refuses to consent to the photocopying and conservation of his or her ID documents.

30.      In this connection, the referring court appears to be in need of guidance as to the burden and standard of proof of that undertaking.

 Consent as a prerequisite for processing of personal data

31.      The case at issue concerns the processing of personal data when concluding a contract for the provision of telecommunication services.

32.      All processing of personal data must comply, (13) first, with the principles relating to data quality set out in in Article 6 of Directive 95/46 or in Article 5 of Regulation 2016/679 and, secondly, with one of the criteria governing the legitimacy of data processing listed in Article 7 of that directive or in Article 6 of that regulation. (14) As the Commission points out, the six criteria set out in Article 7 of Directive 95/46 are in fact the expression of a broader principle, laid down in Article 6(1)(a) of that directive, which provides that personal data must be processed fairly and lawfully.

33.      Article 7 of Directive 95/46 sets out an exhaustive list of cases in which the processing of personal data can be regarded as lawful. (15) The processing of personal data may only take place if at least one of the six criteria relating to the legitimacy of the data processing applies. The existence of the unambiguous consent of the data subject is one of these criteria.

 On the concept of consent

34.      The data subject’s consent in turn is defined in Article 2(h) of Directive 95/46 as any freely given specific and informed indication of his or her wishes by which the data subject signifies his or her agreement to personal data relating to him or her being processed.

35.      This wording largely corresponds (16) to that of Article 4(11) of Regulation 2016/679, according to which consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. (17)

36.      The requirement of consent of a data subject is a central feature underlying EU data protection law. (18) It features in the Charter of Fundamental Rights of the European Union, where it is stipulated in Article 8 that data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by the law. Seen in a wider context, the concept of consent allows the data subject concerned to decide for him or herself on the legitimacy of restrictions to on his or her right to the protection of personal data. (19)

37.      The guiding principle at the basis of EU data protection law is that of a self-determined decision of an individual who is capable of making choices about the use and processing of his or her data. (20) It is the requirement of consent which enables him or her to make this choice and which at the same time protects him in situations which are by their very nature asymmetrical. (21) Only when consent is freely given, specific and informed does it meet the test of Directive 95/46 and Regulation 2016/679.

38.      Three further brief remarks should be made at this stage on the apparent difference in wording of these provisions.

39.      First, Article 4(11) of Regulation 2016/679, contrary to Article 2(h) of Directive 95/46, refers to an ‘unambiguous’ indication. I would submit that the reason for this is rather simple: Article 7(a) of that directive, on the criteria for making data processing legitimate, already referred to above, requires the data subject to ‘unambiguously’ give his or her consent, whereas the corresponding provision in Regulation 2016/679 — Article 6(1)(a) — does not contain this specification. In other words, that criterion of an unambiguous indication has simply been moved to the more general provision in Regulation 2016/679.

40.      Secondly, Article 4(11) of Regulation 2016/679 specifies that the data subject manifest himself ‘by a statement or by a clear affirmative action’. This clarification is indeed new to the regulation and is not semantically mirrored in Directive 95/46.

41.      Thirdly, as regards the ‘informed’ character of the consent of the data subject, the French language version of Directive 95/46 differs from that of Regulation 2016/679. While Article 2(h) of that directive refers to a ‘manifestation de volonté … informée’, Article 4(11) of that regulation speaks of a ‘manifestation de volonté … eclairée’.

42.      I would submit that this change in wording confuses more than it clarifies, for, so far as I can make out, the French language version is the only or, at the very least, one of the very few language versions to make this distinction. A number of language versions, among them incidentally the other Romance languages, quite simply use exactly the same terms in this connection, (22) while other language versions may slightly differ on this point, but still fall short of the difference in the French language version. (23)

43.      I shall come back to the notion of ‘informed’ consent below.

 Freely given consent

44.      The requirement of an ‘indication’ of the data subject’s wishes clearly points to active, rather than passive behaviour (24) and necessitates that the data subject enjoys a high degree of autonomy when choosing whether or not to give consent. (25) With respect to the specific situation of an online lottery on a website, the Court has established that consent given in the form of a preselected tick of a checkbox does not imply active behaviour on the part of the website user. (26)

45.      It is my contention that such a finding is equally applicable for the analogue world: consent in the form of a preselected tick of a checkbox cannot imply active consent on the part of the person dealing with a physical document which he or she ultimately signs. Indeed, in such a situation, one does not know whether the pre-formulated text in question has been read and digested. The situation is not unambiguous. The text may or may not have been read. The ‘reader’ may have omitted to do so out of pure negligence, making it impossible to establish with clarity whether consent has been freely given. (27)

 Informed consent

46.      There must not be any room whatsoever for any doubt that the data subject was not sufficiently informed. (28)

47.      The data subject must be informed of all circumstances surrounding the data processing and its consequences. In particular he or she must know which data are to be processed, the duration of such processing, in what way and for which specific purpose. He or she must also know who is processing the data and whether the data are intended to be transferred to third parties. Crucially, he or she must be informed of the consequences of refusing consent: is consenting to the data processing a condition for concluding the contract or not? (29)

 On the burden of proof

48.      This leaves us with the question, on whom is it incumbent to demonstrate that a data subject was in such a situation as to be able to give his or her consent based on the criteria just established.

49.      Article 7(1) of Regulation 2016/679 is clear and leaves no room for doubt: when processing is based on consent, it is for the controller to demonstrate that the data subject has consented to processing of his or her data (30). This provision constitutes a specification of the principle of accountability, enshrined in Article 5(2) of Regulation 2016/679. I would contend that the purpose of this provision requires a broad interpretation in that the controller must not only prove that the data subject has given his or her consent, but must also prove that all the conditions for effectiveness have been met. (31)

50.      Some authors have doubts that Article 7(1) of Regulation 2016/679 deals with the burden of proof, pointing to the legislative history of that regulation. (32) It is claimed that while both the Commission and the Parliament proposed wording which explicitly referred to the ‘burden of proof’, such a wording is not reflected in the text adopted and therefore the law as it stands.

51.      This contention merits a closer analysis. 

52.      The initial Commission proposal (33) indeed refers to the ‘burden of proof’ which the controller has to bear. In a similar vein, the Parliament in first reading (34) did not take issue with this wording. It was the Council (35) which replaced the terms ‘burden of proof’ with the terms, in relation to the controller, ‘shall be able to demonstrate’. The final text was subsequently adopted in this form.

53.      I would not attribute too great an importance to this change of wording. (36) At no point in the recitals of its position does the Council state reasons for the proposed change in wording. (37) This is an indication that that institution merely sought to change the wording of the provision in question, without changing its meaning. Seen in this light, the terms ‘shall be able to demonstrate’ actually describe in a more accessible manner what is meant by ‘burden of proof’. (38)

54.      We can therefore safely assume that Article 7(1) of Regulation 2016/679 places the burden of proof for the data subject’s consent to the processing of the personal data on the controller. (39) Any doubts concerning the giving of consent of the data subject are to be eliminated by evidence to be provided by the controller. (40) The burden of proof that the data subject has been placed in a situation enabling him or her to give free, specific and informed consent squarely lies with the entity carrying out the processing.

55.      The legal situation under Directive 95/46 is no different in this respect.

56.      Even if Directive 95/46 did not contain a separate provision comparable to Article 7 of Regulation 2016/679 on the conditions of consent, most of the conditions laid down in that article could also be found in that directive. Although the burden of proof rule is not expressly laid down in that directive, it follows at least indirectly from its stipulation(41) that ‘the data subject has unambiguously given his consent’. (42)

 On the situation of Orange România

57.      I should now like to apply these criteria to the case at issue.

58.      As a preliminary remark I should like to state that the question whether or not Orange România can require its customers to consent to the copying and storing of their identity documents is outside the remit of this case given that, for that undertaking, this is not a prerequisite for the conclusion of a contract. The case at issue is, in other words, not about the interpretation of Article 7(b) of Directive 95/46 and Article 6(1)(b) of Regulation 2016/679. That said, it appears to me to be legitimate for a firm to ask customers to provide some personal data and in particular to prove their identity for the purposes of the conclusion of a contract. To require a customer to consent to the copying and storing of identity documents, however, appears to go beyond what is necessary for the performance of the contract.

59.      On the basis of the information available, it appears to me that the customers of Orange România do not give their free, specific and informed consent under the circumstances described by the referring court.

60.      First, there is no freely given consent. Obliging a customer to state in handwritten form that he or she does not consent to the copying and storing of his or her ID card does not permit freely given consent in the sense that the customer is put into a situation in which he or she perceptibly deviates from a regular procedure which leads to the conclusion of a contract. Customers must not in this connection feel that their refusal to consent to the copying and storing of their identity documents is not in line with regular procedures. I should like to recall in this respect that the Court has laid an emphasis on active behaviour on the part of the data subject with a view to giving his or her consent. (43) A positive action of the data subject is therefore required for giving consent. Yet, in the case at issue, the reverse situation appears to occur: a positive action is needed in order to refuse consent. Turning once more to the judgment in Planet49, (44) if unticking a pre-ticked checkbox on a website is considered too much a burden for a customer, then a fortiori a customer cannot reasonably be expected to refuse his or her consent in handwritten form.

61.      Secondly, there is no informed consent. It is not made crystal-clear to the customer that a refusal to the copying and storing of his or her ID card does not make the conclusion of a contract impossible. A customer does not choose in an informed manner if he or she is not aware of the consequences.

62.      Thirdly — and only on a hypothetical basis — there is no indication whatsoever that Orange România has managed to demonstrate that customers consented to processing of their personal data. In this respect, an evident lack of clarity in internal procedures is surely not conducive to furnishing the proof that consent has been given by the customer. Such lack of clarity and conflicting instructions to sales personnel obviously cannot be to the detriment of the customer, in casu the data subject.

 Conclusion

63.      In the light of the foregoing considerations, I propose that the Court answer the questions referred by the Tribunalul Bucureşti (Regional Court, Bucharest, Romania) as follows:

A data subject intending to enter into a contractual relationship for the provision of telecommunication services with an undertaking does not give his or her ‘consent’, that is, does not indicate his or her ‘specific and informed’ and ‘freely given’ wishes, within the meaning of Article 2(h) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and of Article 4(11) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), to that undertaking when he or she is required to state, in handwriting, on an otherwise standardised contract, that he or she refuses to consent to the photocopying and storage of his or her ID documents.


1      Original language: English.


2      Directive of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).


3      Article 6 is the only article of Section I of Chapter II of Directive 95/46.


4      Article 7 is the only article of Section II of Chapter II of Directive 95/46.


5      Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1).


6      Monitorul Oficial al României, Partea I, No 790 of 12 December 2001.


7      In which case the recipient of the services pays in advance the price of the services to be provided.


8      In which case the price of the services provided by the company is paid by the recipient of the services after they have been provided on the basis of the invoices issued.


9      Pursuant to Article 99(2) of Regulation 2016/679.


10      See Article 94(1) of Regulation 2016/679.


11      See judgment of 1 October 2019, Planet49 (C‑673/17, EU:C:2019:801, paragraphs 38 to 43) for a similar approach in a comparable situation and my Opinion in the same case (C‑673/17, EU:C:2019:246, points 44 to 49). See also judgment of 11 December 2018, Weiss and Others (C‑493/17, EU:C:2018:1000, paragraph 39).


12      See judgment of 24 September 2019, GC and Others (De-referencing of sensitive data) (C‑136/17, EU:C:2019:773, paragraph 33).


13      Subject obviously to the exemptions and restrictions provided for in Article 13 of Directive 95/46 and Article 23 of Regulation 2016/679.


14      See judgment of 16 January 2019, Deutsche Post (C‑496/17, EU:C:2019:26, paragraph 57). See also judgments of 13 May 2014, Google Spain and Google (C‑131/12, EU:C:2014:317, paragraph 71 and cited case-law), and of 11 December 2019, Asociaţia de Proprietari bloc M5A-ScaraA (C‑708/18, EU:C:2019:1064, paragraph 36).


15      See judgments of 24 November 2011, Asociación Nacional de Establecimientos Financieros de Crédito (C‑468/10 and C‑469/10, EU:C:2011:777, paragraph 30); of 19 October 2016, Breyer (C‑582/14, EU:C:2016:779, paragraph 57); and of 1 October 2019, Planet49 (C‑673/17, EU:C:2019:801, paragraph 53).


16      See also Bygrave, L.A., Tosoni, L., in Chr. Kuner, L.A. Bygrave, Chr. Docksey (eds), The EU General Data Protection Regulation (GDPR), OUP, Oxford, 2020, Article 4(11), C.1., at p. 181.


17      Obviously, these criteria are cumulative in nature, meaning that there is a high threshold for valid consent, see Bygrave, L.A., Tosoni, L., in Chr. Kuner, L.A. Bygrave, Chr. Docksey (eds), The EU General Data Protection Regulation (GDPR), OUP, Oxford, 2020, Article 4(11), C.1., at p. 181.


18      See my Opinion in Planet49 (C‑673/17, EU:C:2019:246, point 57 et seq.). See also Heckmann, D. & Paschke, A., in E. Ehmann, M. Selmayr (eds), Datenschutz-Grundverordnung, Kommentar, C.H. Beck, Munich, 2nd ed., 2018, Artikel 7, point 9: ‘key cornerstone of data protection’.


19      See, in this sense, Buchner, B., Informationelle Selbstbestimmung im Privatrecht, Mohr Siebeck, Tübingen, 2006, p. 232, who refers to right to informational self-determination in this context (as developed by the German constitutional court since judgment of 15 December 1983, 1 BvR 209, 269, 362, 420, 440, 484/83, BVerfGE 65,1).


20      See, also, Klement, J.H., in S. Simitis, G. Hornung, I. Spieker gen. Döhmann I. (eds), Datenschutzrecht, Nomos, Baden-Baden, 2019, Artikel 7, point 1, who stresses that in a legal order based on and seeking to promote dignity, individual freedom and responsibility, the processing of personal data must be legitimised by a self-determined decision of the data subject.


21      See, moreover, recital 43 of Regulation 2016/679, which refers to situations in which there may be ‘a clear imbalance between the data subject and the controller’.


22      See, by way of example, the Spanish, (‘manifestación de voluntad … informada’), Portuguese (‘manifestação de vontade … informada’), Romanian (‘manifestare de voință … informată’), Danish (‘informeret viljetilkendegivelse’), Swedish (‘informerad viljeyttring’) and Maltese (‘infurmata’) language versions.


23      See, by way of example, the Dutch (‘op informatie berustende wilsuiting’ in the directive and ‘geïnformeerde wilsuiting’ in the regulation), Polish (‘świadome … wskazanie’ in the directive and ‘świadome … okazanie woli’ in the regulation) and German (‘Willensbekundung, die … in Kenntnis der Sachlage erfolgt’ in the directive and ‘in informierter Weise … abgegebene Willensbekundung’ in the regulation) language versions.


24      See judgment of 1 October 2019, Planet49 (C‑673/17, EU:C:2019:801, paragraph 52).


25      See Bygrave, L.A., Tosoni, L., in Chr. Kuner, L.A. Bygrave, Chr. Docksey (eds), The EU General Data Protection Regulation (GDPR), OUP, Oxford, 2020, Article 4(11), C.1., at p. 182.


26      Ibid.


27      See by analogy my Opinion in Planet49 (C‑673/17, EU:C:2019:246, point 62). See also judgment of 1 October 2019, Planet49 (C‑673/17, EU:C:2019:801, paragraph 55).


28      Ultimately, informed consent is rooted in the principle of transparency, as enshrined in Article 5(1)(a) of Regulation 2016/679, see Bygrave, L.A., Tosoni, L., in Chr. Kuner, L.A. Bygrave, Chr. Docksey (eds), The EU General Data Protection Regulation (GDPR), OUP, Oxford, 2020, Article 4(11), C.4., at p. 184.


29      According to some authors, the catalogue of information referred to in Articles 10 and 11 of Directive 95/46 is not exhaustive, so that the controller may also provide the data subject with other relevant information on the conditions of use of personal data. See, for example, Mednis, A., ‘Cechy zgody na przetwarzanie danych osobowych w opinii Grupy Roboczej Art. 29 dyrektywy 95/46’, Monitor Prawniczy (dodatek) 2012, No 7, p. 27.


30      According to this provision, the controller shall be responsible for, and be able to demonstrate compliance with the fact that personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject.


31      See in this sense also Stemmer, B., in St. Brink, H.A. Wolff, Beck’scher Onlinekommentar Datenschutzrecht, C.H. Beck, Munich, 30th ed., state as on 1 November 2019, Artikel 7 DSGVO, point 87, and Buchner, J., Kühling, B., in J. Buchner, B. Kühling (eds), Datenschutz-Grundverordnung/BDSG, Kommentar, C.H. Beck, Munich, 2nd ed. 2018, Artikel 7 DS-GVO, point 22.


32      See Klement, J.H., in S. Simitis, G. Hornung, I. Spieker gen. Döhmann (eds), Datenschutzrecht, Nomos, Baden-Baden, 2019, Artikel 7, point 46.


33      In the initial Commission proposal, Article 7(1) read as follows: ‘The controller shall bear the burden of proof for the data subject’s consent to the processing of their personal data for specified purposes’. See Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11 final, p. 45.


34      The Parliament in first reading did not propose to alter the wording of Article 7(1) as regards the terms ‘burden of proof’. It merely contented itself with specifying that Article 7(1) concerned a situation in which the processing is based on consent. See European Parliament legislative resolution of 12 March 2014 on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) COM(2012) 11 (OJ 2017 C 378, p. 399, at p. 428).


35      ‘Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.’ See Position (EU) No 6/2016 of the Council at first reading with a view to the adoption of a Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), adopted by the Council on 8 April 2016 (OJ 2016 C 159, p. 1), at p. 36.


36      See in this sense also Kosta, E., in Chr. Kuner, L.A. Bygrave, Chr. Docksey (eds), The EU General Data Protection Regulation (GDPR), OUP, Oxford, 2020, Article 7, C.2., at pp. 349-350.


37      See, in particular, recitals 42 and 43 which state reasons for Article 7.


38      An interesting conceptual explanation for why the burden of proof is on the controller is presented by Buchner, B., Informationelle Selbstbestimmung im Privatrecht, Mohr Siebeck, Tübingen, 2006, pp. 243-245, who draws an analogy with the situation, under national law, of the liability of medical practitioners where the burden of proof is also on those who carry out the restriction of the right in question.


39      This is, moreover, the largely prevailing view in legal literature, see Klabunde, A., in E. Ehmann, M. Selmayr (eds), Datenschutz-Grundverordnung, Kommentar, 2nd ed., C.H. Beck, Munich, 2018, Artikel 4, point 52; Stemmer, B., in St. Brink, H.A. Wolff, Beck’scher Onlinekommentar Datenschutzrecht, C.H. Beck, Munich, 30th ed., state as on 1 November 2019, Artikel 7 DSGVO, point 87; Buchner, J., Kühling, B., in J. Buchner, B. Kühling (eds), Datenschutz-Grundverordnung/BDSG, Kommentar, C.H. Beck, Munich, 2nd ed. 2018, Artikel 7 DS-GVO, point 22; and Barta, P., Kawecki, M., in P. Litwiński (ed), Rozporządzenie UE w sprawie ochrony osób fizycznych w związku z przetwarzaniem danych osobowych i swobodnym przepływem takich danych. Komentarz, C.H. Beck, Warsaw 2018, Article 7 of the Regulation, point 1.


40      See, also, in this sense, Heckmann, D., Paschke, A., in E. Ehmann, M. Selmayr (eds), Datenschutz-Grundverordnung, Kommentar, 2nd ed., C.H. Beck, Munich, 2018, Artikel 7, point 72.


41      See Article 7(a) of Directive 95/46. My emphasis.


42      See in this sense also, among many, Buchner, J., Kühling, B., in J. Buchner, B. Kühling (eds), Datenschutz-Grundverordnung/BDSG, Kommentar, C.H. Beck, Munich, 2nd ed., 2018, Artikel 7 DS-GVO, points 5 and 22.


43      See judgment of 1 October 2019, Planet49 (C‑673/17, EU:C:2019:801, paragraph 54).


44      See judgment of 1 October 2019 (C‑673/17, EU:C:2019:801).