In order for the processing of personal data to be lawful, it must meet at least one of the six grounds set out in Article 6(1) of the Applied GDPR.
Consent is one of those grounds: consent to the processing only becomes necessary if NONE of the other five grounds for processing applies.
To rely on consent as the ground for processing, a controller must be able to demonstrate that they have obtained valid consent.
Where the personal data being processed includes special category data, and the “explicit consent” exception to the prohibition on processing special category data is being relied upon, the controller must be able to demonstrate that “explicit consent” has been given.
Consent is defined in Article 4 of the Applied GDPR as:
any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.
The legal requirement for consent is intentionally challenging and requires all the elements of the above definition to be met. There is no room for ambiguity in obtaining or evidencing consent.
Detailed information about the requirements for valid consent are in the guidance note.