Consent is one possible basis on which data may be lawfully processed. Another legal basis is, for example, the legitimate interests of data controllers. When giving consent, it is important that data subjects make a clear statement of intent that their data may be processed: Consent must be informed, unequivocal and voluntary.

Data subjects must be clearly informed that their consent to data processing is requested. It is not permitted to obtain consent to data processing for several different purposes at once (see also Purpose limitation). Instead, data subjects must give their consent separately for each purpose. This can be achieved, for example, if consumers actively tick a box on a website or if they exhibit other behaviour that makes it clear that they agree to the processing of their personal data. For the processing of particularly sensitive data, express consent is required; consent implied by conduct is not possible here.

Once data subjects have given their consent, they can revoke it at any time. Children under 13 years of age cannot give consent themselves, but need their parents to give consent.

The requirement that consent be given voluntarily also includes the prohibition of coupling (Article 7(4) GDPR): giving consent to data processing for the performance of a contract may not be linked to giving consent to any other data processing that is not necessary for the performance of the contract. However, it is still unclear how exactly the prohibition of coupling will work in practice, as the General Data Protection Regulation leaves various questions open. Courts will have to decide the exact content and scope of the prohibition of coupling.

Article 4(11) GDPR (Definitions)

“consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

Source: Regulation (EU) 2016/679 (see also recitals 32, 33, 42 and 43)

Article 7 GDPR (Conditions for consent)

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Source: Regulation (EU) 2016/679 (see also recitals 32, 33, 42 and 43)
