GDPR consent guidelines - explicit consent

The General Data Protection Regulation (GDPR) has introduced a number of new terms and redefined the existing ones.

We are slowly starting to believe that we have grasped the basics of the GDPR. However, consent, one of the most talked-about GDPR terms, is a great example of how that is not quite so, especially when it comes to explicit consent.

Consent and explicit consent are one and the same, right? Not exactly.

If you want to learn more about consent from a GDPR perspective read:

[RELATED TOPIC: What are GDPR requirements for compliant consent]

What is explicit consent?

Explicit consent is not directly mentioned in the GDPR definition of consent. However, “regular” consent and explicit consent share all the same characteristics and prerequisites.

It should be freely given, specific, informed, and unambiguous to live up to a high GDPR standard for valid consent.

The main difference between consent and explicit consent is in the form or way they are given or expressed by the individual (data subject).

The data subject can give consent either by a statement or by clear affirmative action. When consent is given by a statement, it is considered to be explicit.

Consent is one of the six lawful bases for processing personal data. A simple GDPR explanation of consent, as specified in Article 4, describes it as:

“… any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Characteristics of compliant consent

1. Freely given

Freely given consent means you have presented data subjects with a genuine choice and made it possible for them to refuse or withdraw their consent at any given time. There are a few situations where it is arguable if consent can be considered freely given.

One example is the employee-employer relationship, where an uneven distribution of power can pressure employees into giving consent to avoid unpleasant situations at work.

[RELATED TOPIC: Processing personal data of employees]

2. Specific

For consent to be considered specific, it must be given for each specific purpose, and the data subject needs to be presented with a choice in relation to each of them. To comply with the “specific” element, you must apply:

  • Purpose specification as a safeguard
  • Granularity in consent requests
  • Clear separation of information related to obtaining consent for data processing activities from information about other matters

3. Informed

Simply put, the data subject needs to be informed about what they agree to before you collect their consent.

4. Unambiguous

Consent requires a statement from the individual or a clear affirmative action, which means it has to be given through an active motion or declaration. It must be evident that the data subject wanted to provide you with their consent.

When do you need to collect explicit consent?

Explicit consent is required in certain situations where there is a serious data protection risk and a higher level of control over the processing of personal data is required.

The WP guidelines mention a few situations where you need to obtain explicit consent:

  • when processing sensitive personal data
  • when transferring data to third countries or international organizations in the absence of appropriate safeguards pursuant to Article 46
  • for automated individual decision-making, including profiling.

1. Processing sensitive personal data

Processing sensitive personal data that reveal racial or ethnic origin, political views, religious or philosophical beliefs, trade union membership, genetic data, and biometric data is prohibited.

However, there are a few exemptions from the rule. One of those applies if the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law prohibits such processing.

[RELATED TOPIC: Sensitive personal data - special category under the GDPR]

2. Transferring data to third countries

When you are transferring personal data to a third country or international organization, you can do so with no specific authorization if this territory, third country, or organization ensures an adequate level of protection (this is decided by the EU Commission).

However, even where such a level of protection is not present, you can still transfer personal data if the data subject gives you explicit consent. In this case, you ought to disclose full information on potential risks due to a lack of appropriate safeguards.

3. Automated decision-making

There are three situations where automated decision-making (including profiling) is compliant:

  • when it is necessary for the performance of the contract between the data subject and the data controller
  • when such processing is authorized by the EU or Member State
  • when it is based on explicit consent.

If you are relying on explicit consent for automated decision-making, you will have to implement “suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.” (Art. 22)

How to obtain explicit consent?

There is more than one way to obtain explicit consent.

A written statement signed by the data subject would be considered clear evidence of explicit consent. However, in the digital era, explicit consent can also be obtained by filling in an online form, scanning a written and signed statement, sending an e-mail, or even using an electronic signature.

In theory, an oral statement can also be considered explicit consent. However, it can get pretty difficult to provide evidence of such consent later on.

You can obtain explicit consent from a website visitor by offering Yes and No checkboxes and providing a statement that clearly indicates consent.

On the other hand, the clear affirmative action could include choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes, or inactivity do not constitute consent.

How to demonstrate explicit consent?

Demonstrating consent can be a very delicate task. Demonstrating compliant consent is always the obligation of the data controller.

However, the GDPR does not prescribe which method to use or how to manage the process.

After the processing activity ends, proof of consent should be kept no longer than strictly necessary for compliance with a legal obligation or for the exercise or defense of legal claims.

As long as the data processing activity in question lasts, the obligation to demonstrate consent exists.

But what if the data subject asked for their data to be deleted, and later on you are asked to provide proof that your communication up to that point was compliant?

This may complicate things even further. Instead of finding a semi-solution, consent management software can be the safest way to manage consents.

It can help you consolidate your data, give you a stamp of consent, and enable you to demonstrate compliance for any data subject on any level at any point in time, even when they have exercised the right to be forgotten.