How to obtain a GDPR-compliant consent?

Under the General Data Protection Regulation (GDPR), consent is one of the more well-known legal bases upon which personal data can lawfully be processed. At first glance, it seems easy to understand: if the data subject consents, consent exists. However, under GDPR, consent is much more than just someone agreeing to something.

Consent can create a solid legal basis, but to be binding, the following specific requirements must be fulfilled:

  • Freely given, the data subject should have the choice to give his/her consent and not be disadvantaged if he/she doesn’t want to agree.
  • Specific, the data subject must be asked to consent separately to different purposes of data processing.
  • Informed, the data subject needs to be informed about what he/she is consenting to, what and how data will be processed, and the right to withdraw consent, in a way he/she can easily understand.
  • Unambiguous, the data subject needs to demonstrate his/her agreement by statement or clear affirmative action, such as selecting a non-pre-ticked box.
  • Withdrawal, the data subject should have the possibility to withdraw given consent easily at any time, with effect for the future, and without detriment.
    Example for the requirement “specific”:

The strict obligations tied to valid consent impose practical challenges. For example, the data controller should act on a data subject’s request to withdraw his/her consent within one month of receipt of the request. Furthermore, when relying on consent for processing data, you must keep evidence of consent, meaning the paper with the signature of the data subject or the log file if consent has been collected online (double opt-in is appropriate in the latter case). The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal, so the data controller should also keep evidence in case of withdrawal.

In this context, it is advisable only to rely on obtaining consent from data subjects where none of the other bases are engaged. An example would be where you are processing sensitive personal data. In this case explicit consent is required, unless another legal ground is applicable, as when processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law (in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject).

Under GDPR, a data subject can give consent if she/he is of age or, in relation to the offer of information society services directed to a child, he/she can be 16 or even less (but not younger than 14) if permitted by applicable local laws.
On 11 November 2020, the Court of Justice of the European Union (CJEU) issued its judgment in the Orange România case (C-61/19) on the issue of valid consent under the GDPR. In its decision, the CJEU emphasized the GDPR's specific requirements for lawful consent requests, and that consent is not validly given in the case of silence, pre-ticked boxes, or inactivity.
Therefore, it is important to carefully handle this topic, to avoid subsequent fines for non-compliance with the GDPR.

Dott.ssa Silvia Gorlani
In-house counsel specialized in Privacy
Agnès Terreau
Senior Consultant Data Protection