What is consent?

Article 4(11) of the GDPR defines consent as any freely given, specific, informed and unambiguous indication of the individual’s wishes regarding the processing of his or her personal data for one or more specific purposes:

“consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

The purpose of consent is to give individuals control over their data. So, the right question to ask when collecting personal information is: “Have you given the individual a real choice and real control over the processing of their data?”

Characteristics of consent

For consent under the GDPR to be valid, it must have certain characteristics:

➡️ It must be given by a clear affirmative action, and the purpose of the processing must be explained to the individual beforehand.
➡️ It must be freely given: no pressure, and no negative consequences for refusing, that could influence the individual’s choice.
➡️ It needs to be clearly distinguishable from other matters, such as terms and conditions.
➡️ Consent can be given by a written statement, including by electronic means, or by an oral statement.
➡️ The request must be presented in an easily accessible form, using clear and plain language.
➡️ The data subject must be able to withdraw consent as easily as it was given, without suffering any detriment.
➡️ Consent should be a genuine expression of the data subject’s choice.
➡️ Consent requires a positive opt-in; pre-ticked boxes and opt-out-by-default do not count as consent.
➡️ It must be specific and granular: separate consent for each distinct purpose.
➡️ Giving consent should not be made a precondition of the service you provide, unless the processing is necessary for that service.

5 things to know about consent

Consent must be given with affirmative action or statement

It must be given by an affirmative action, and the purposes of the processing need to be explained to the individual. As Recital 32 puts it:

“This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent.”

Consent needs to be distinguishable from other matters

This means the request for consent should be kept separate from your terms and conditions. Article 7(2) states:

“If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters…”

Consent must be easily withdrawn

Article 7 (3):

“The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.”

Consent as one of the lawful bases for processing

Consent is one of the six lawful bases for processing set out in Article 6(1) of the GDPR. Before collecting any consent, the data controller should first identify which lawful basis applies to the collection, processing, storage or use of the personal data; consent is not always the right one.

Choosing the right lawful basis will depend on the purpose of the processing and specific circumstances.

Before you start processing personal data, the lawful basis should be set and documented.

The other five lawful bases are:

➡️ Contract: a valid lawful basis when the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract. Data collected on this basis may only be processed for the purposes of that contract.
➡️ Legal obligation: the processing is necessary for the controller to comply with a legal obligation.
➡️ Vital interests: the processing is necessary to protect the life of the data subject or of another natural person.
➡️ Public task: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
➡️ Legitimate interests: the processing is necessary for the legitimate interests of the controller or of a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.

5 GDPR practices regarding consent

Consent Management

If you are collecting consents, you need a way to manage them. What does that mean? Every consent goes through its own lifecycle, from the moment it is given to the moment it is withdrawn.

For example: if I (as a data subject) give you (the data controller) my permission to process my personal data, you will have to note:

➡️ the date and time the consent was given,
➡️ who gave the consent,
➡️ what information you provided at the time (which version of the notice or consent text),
➡️ how the consent was given (in what form),
➡️ for which specific purpose(s) the consent was given,
➡️ whether and when the consent was withdrawn.

GDPR Article 7(1): “Where the processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.”

If the data subject withdraws consent, you have to record the withdrawal and propagate it to every system that relies on that consent (for example, each marketing platform you use), so that the next newsletter or other message is not sent to someone who has opted out.

You also have to keep the record of the consent itself, even after it has been withdrawn, so you can demonstrate to the supervisory authority that the earlier communication was based on valid consent. Keep that record limited to what is needed to prove the consent (who, when, how, which text, which purpose); it is not a reason to retain the rest of the person’s data once the purpose has ended.
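The lifecycle above maps naturally onto an append-only consent ledger. The following is an added example, not code from the original article or from any consent-management product: events are appended and never deleted, a withdrawal is a new event rather than an edit, every event is pushed to subscribed downstream systems, and the ledger can answer “was there valid consent for this purpose at this moment?” for any past point in time. The identifiers, purpose names, method labels and the `MarketingPlatform` stand-in are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional

# Hypothetical labels for ways consent is signalled by a clear affirmative
# action (Recital 32). Silence, inactivity and pre-ticked boxes are deliberately
# absent, so attempts to record them are rejected.
AFFIRMATIVE_METHODS = {"web_checkbox", "signed_form", "recorded_oral", "api_opt_in"}


def now_utc() -> datetime:
    return datetime.now(timezone.utc)


def ts(iso: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str      # who gave (or withdrew) consent; opaque identifier
    purpose: str         # the one specific purpose, e.g. "newsletter"
    action: str          # "given" or "withdrawn"
    at: datetime         # when (UTC)
    method: str          # in which form, e.g. "web_checkbox"
    notice_version: str  # which consent text the subject was shown


class ConsentLedger:
    """Append-only consent record: events are added, never edited or deleted."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []
        self._listeners: List[Callable[[ConsentEvent], None]] = []

    def subscribe(self, listener: Callable[[ConsentEvent], None]) -> None:
        """Register a downstream system that must learn about every change."""
        self._listeners.append(listener)

    def _append(self, event: ConsentEvent) -> ConsentEvent:
        self._events.append(event)
        for listener in self._listeners:  # propagate to every subscribed system
            listener(event)
        return event

    def record_given(self, subject_id: str, purpose: str, method: str,
                     notice_version: str, at: Optional[datetime] = None) -> ConsentEvent:
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} is not a clear affirmative action")
        return self._append(ConsentEvent(subject_id, purpose, "given",
                                         at or now_utc(), method, notice_version))

    def record_withdrawal(self, subject_id: str, purpose: str, method: str,
                          at: Optional[datetime] = None) -> ConsentEvent:
        at = at or now_utc()
        given = self.consent_in_force(subject_id, purpose, at)
        if given is None:
            raise LookupError(f"no active consent for {subject_id!r}/{purpose!r}")
        # The original "given" event stays in the ledger; withdrawal is a new event.
        return self._append(ConsentEvent(subject_id, purpose, "withdrawn",
                                         at, method, given.notice_version))

    def consent_in_force(self, subject_id: str, purpose: str,
                         at: Optional[datetime] = None) -> Optional[ConsentEvent]:
        """The 'given' event that authorised processing at time `at`, or None.
        This is the Article 7(1) evidence, answerable for any past moment."""
        at = at or now_utc()
        relevant = [(e.at, i, e) for i, e in enumerate(self._events)
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= at]
        if not relevant:
            return None
        latest = max(relevant)[2]  # newest by time, ties broken by insertion order
        return latest if latest.action == "given" else None

    def is_active(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        return self.consent_in_force(subject_id, purpose, at) is not None

    def history(self, subject_id: str) -> List[ConsentEvent]:
        return [e for e in self._events if e.subject_id == subject_id]


class MarketingPlatform:
    """Constructed stand-in for an external mailing tool that mirrors the ledger."""

    def __init__(self, purpose: str) -> None:
        self.purpose = purpose
        self.opted_in: set = set()

    def on_consent_event(self, event: ConsentEvent) -> None:
        if event.purpose != self.purpose:
            return
        if event.action == "given":
            self.opted_in.add(event.subject_id)
        else:
            self.opted_in.discard(event.subject_id)

    def may_send(self, subject_id: str) -> bool:
        return subject_id in self.opted_in


def demo():
    """Constructed lifecycle for one data subject: consent given, then withdrawn."""
    ledger = ConsentLedger()
    mailer = MarketingPlatform("newsletter")
    ledger.subscribe(mailer.on_consent_event)
    ledger.record_given("subj-42", "newsletter", "web_checkbox",
                        "privacy-notice-v3", at=ts("2024-01-10T09:00:00"))
    ledger.record_withdrawal("subj-42", "newsletter", "unsubscribe_link",
                             at=ts("2024-03-01T12:00:00"))
    try:  # a pre-ticked box is not consent and must never enter the ledger
        ledger.record_given("subj-42", "profiling", "pre_ticked",
                            "privacy-notice-v3", at=ts("2024-03-02T00:00:00"))
    except ValueError:
        pass
    return ledger, mailer


if __name__ == "__main__":
    ledger, mailer = demo()
    print("lawful on 2024-02-01:", ledger.is_active("subj-42", "newsletter", ts("2024-02-01T00:00:00")))
    print("may send now:", mailer.may_send("subj-42"))
    print("events retained:", len(ledger.history("subj-42")))
```

The point of `consent_in_force` taking a timestamp is the audit case: after the withdrawal, `is_active` for today is false and the mailing platform has already dropped the subject, yet the ledger can still show that a newsletter sent on 1 February 2024 rested on a consent given by a web checkbox against a specific version of the notice. The rejection of `"pre_ticked"` at write time keeps Recital 32 from being something a downstream team has to remember.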

In practice, data retention and data removal are the most neglected part of consent management, as well as the most complex.

One reason is that consent management solutions are rarely built with SMEs in mind, or lack a self-service interface through which data subjects can manage their own privacy preferences: simple but well-secured access to their preferences, an overview of every consent they have given, and an easy way to change each opt-in or opt-out status.