Conditions for Valid Consent
The processing of your personal data is considered lawful only if it falls under one or more of the lawful bases for processing under article 6(1) of the General Data Protection Regulation (EU) 2016/679 (the GDPR). Article 6(1) GDPR sets out six lawful bases, namely, consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests.
It is the responsibility of the organisation that determines why and how your personal data will be used (the controller) to identify and rely on an appropriate lawful basis, to ensure that the envisaged processing activity complies with the GDPR. While consent is perhaps the most well-known of the lawful bases, it should not be regarded as the best or the default choice, as the GDPR does not establish any hierarchy for the lawful bases. Instead, what is the most appropriate lawful basis will depend on the nature and context of the specific processing activity.
In certain contexts, obtaining valid consent is difficult, since the conditions that must be met for consent to be valid are rather strict. The definition of consent in article 4(11) GDPR sets out the conditions for valid consent, which are specified in further detail in article 7 and recital 32 GDPR. In a nutshell, the controller must be able to demonstrate that the data subject has consented in a manner that is freely given, specific, informed, and unambiguous, through a clear statement or clear affirmative action:
Freely given consent
This means that you must be able to grant your consent to the processing of your personal data freely and voluntarily. In other words, you must have a genuine choice and real control over the decision. If you feel compelled to consent to the processing, or that there may be negative consequences for refusing or withdrawing your consent, then that consent is not considered to be freely given, and consequently, is not valid under the GDPR.
Freely given example
If you are asked to give your consent to processing in an employment context, that consent is generally not considered to be freely given. This is because of the inherent imbalance of power that exists between the employer and the employee, which often makes it difficult for the employee to refuse or withdraw their consent without fearing that they may face repercussions for doing so. This does not mean that your employer cannot process your personal data; however, the employer would need to consider an alternative lawful basis for the processing other than consent.
Specific consent
This means that, where the processing is carried out for multiple different purposes, you must be able to provide your consent for every specific purpose, such that you have a real choice in relation to each of them. Broad or blanket consent requests covering multiple purposes are not considered valid under the GDPR. Instead, consent requests must be granular and must clearly set apart information related to obtaining your consent for the processing, from information about other non-processing matters.
Specific consent example
If the request for consent is bundled together with a request for you to accept certain terms and conditions, or is tied to the performance of a contract or provision of a service, then that consent would not be considered to be specific, and would not be valid under the GDPR, unless the processing activity is actually necessary to perform the contract or provide the service.
Informed consent
This means that you must fully understand what you are being asked to consent to, including your rights as a data subject and the ability to withdraw your consent at any time. In order for your consent to be valid under the GDPR, this information must necessarily be provided in clear and plain language, and in a manner that is intelligible and easily understandable, ensuring that you are well-informed about the envisaged processing activity when deciding whether or not to agree to the processing.
Informed consent example
If information about the envisaged processing activity is presented to you in a form that is unnecessarily lengthy or using complex legal language that is not readily understood by the target audience, it would likely fail to meet the standard for informed consent under the GDPR. Instead, you should be given the required information in a clear and accessible manner, using a layered format or bullet points where possible, so that it is clear what you are being asked to consent to.
Unambiguous consent
This means that you must actively express your consent in a way that leaves no doubt as to whether you agree to the processing of your personal data. This must be done either through a clear statement or through a clear affirmative act. In certain situations, it may be possible to express your consent verbally. However, expressing your consent in writing, whether physically or electronically, is generally considered the best approach, as it provides clear evidence of your choice.
Unambiguous consent example
If a website banner displays pre-ticked boxes indicating your consent to certain processing activities, this means that the controller is making an assumption that you consent, which would not be considered as valid under the GDPR. Instead, the box should be left unticked, requiring you to take a deliberate action to indicate your consent to the specific processing activity.
The European Data Protection Board has endorsed guidelines on the lawful basis of consent that were previously adopted by the Article 29 Working Party. These guidelines (accessible here) provide further useful information on the conditions that must be satisfied for consent to be valid, as well as practical examples on when consent may constitute an appropriate lawful basis for processing personal data.
