First of all, under the GDPR, if a controller processes personal data on the basis of the data subject's consent, it is obliged to show that it has received consent for personal data processing from that person and that the consent was received in a lawful manner. To fulfill this obligation, the controller must keep all the relevant documentation.
According to the GDPR, if the data subject consents to the processing of his or her personal data in a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.
Therefore, where an insurance company places a request for consent to process sensitive data in an insurance application, the request must be graphically distinguished and kept separate from the other information covered by the application. The clear distinction of a request for processing of personal data contained in a declaration which also concerns other matters is highly important because, pursuant to the GDPR, any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
According to the GDPR, consent to the processing of personal data should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement. The GDPR explicitly indicates that such consent may be given by ticking a box when visiting an internet website, choosing technical settings for information society services, or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.
The GDPR rules in this regard finally settle the question of pre-ticked boxes, which has been repeatedly raised by the Inspector General for the Protection of Personal Data. In the light of the GDPR, silence, pre-ticked boxes or inactivity do not constitute consent.
An important aspect of giving consent to the processing of personal data to which the GDPR provisions refer is its voluntary nature. When assessing whether consent is freely given, the utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. Consent is also not considered to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case.