How do consent requirements change under the GDPR?

The GDPR states that consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Without a lawful basis, the processing of personal data is, well…unlawful. Consent provides one such lawful basis for the processing of personal data, bearing in mind certain consent conditions such as those in Article 7 and Article 8.

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.

  • clear affirmative act – that is, not based on silence, inactivity or pre-ticked boxes
  • unambiguous – there can be no room for doubt as to the data subject’s intent for providing consent
  • specific – to a single purpose and not a blanket consent for multiple purposes
  • freely given – consent must reflect the data subject’s genuine and free choice and the data subject must be able to withdraw consent without detriment. There can be no element of compulsion, undue pressure, incentivising or conditions imposed on the giving of consent

Children merit specific protection with regard to their personal data. Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. Make it easy for people to withdraw consent and tell them how. 

Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of the GDPR, so as to allow the controller to continue such processing after the date of application of the GDPR.

Learn more about Managing Consent here

The content herein is provided for your convenience and does not constitute legal advice.
GDPR Compliance Ltd 2017

Russell is the author of this solution article.
