An employer wants to rely on the consent condition in Article 9(2)(a) to process the trade union membership of staff for an internal diversity programme. A data protection officer warns that this consent route carries a heightened standard compared with ordinary Article 6(1)(a) consent. What is the key additional requirement that makes Article 9(2)(a) consent harder to satisfy?
- AThe consent must be obtained in writing on a physical document, because electronic consent is insufficient for any special category of personal data.
- BThe consent must be explicit, meaning expressed through a clear affirmative statement rather than inferred from conduct or a pre-ticked arrangement. Correct
- CThe consent must be renewed by the data subject every six months, because special category consent automatically expires under the storage limitation principle.
- DThe consent must be approved in advance by the competent supervisory authority before the trade union data can be processed.
Why A is wrong: A signed paper form feels rigorous, but the GDPR does not mandate a particular medium; electronic consent is valid, so form of recording is not the distinguishing requirement.
Why B is correct: Correct: Article 9(2)(a) requires explicit consent, a higher bar than ordinary consent, demanding an express statement of agreement rather than consent inferred from action, which distinguishes it from Article 6(1)(a).
Why C is wrong: Periodic renewal sounds prudent given storage limitation, but the GDPR sets no fixed expiry for consent; validity depends on it remaining freely given and informed, not on a mandatory interval.
Why D is wrong: Prior authorisation is plausible because some high-risk activities involve the supervisory authority, but Article 9(2)(a) consent requires no regulator sign-off; prior consultation under Article 36 is a separate, narrow mechanism.