The data subject's consent is defined in Article 4 of the Applied GDPR as:
any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.
Recitals 32 and 42-43 provide further guidance on consent.
The controller must be able to demonstrate, and evidence, that consent was given. Consent can be withdrawn at any time and it must be as easy to withdraw consent as to give it (this does not invalidate any processing prior to withdrawal of consent).
There is no room for ambiguity in obtaining or evidencing consent.
Consent is not freely given if:
- it does not allow separate consent to be given to different data processing operations despite this being appropriate in the individual case, or
- the data subject has no genuine and free choice and is unable to refuse or withdraw consent without detriment.
Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be sought and granted for each of the distinct processing purposes.
Explicit consent is required to justify the processing of special categories of personal data.
The identity of the controller and the intended purposes of processing must be communicated to the data subject.
Electronic consent must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
The data subject must be able to easily distinguish and separate which data is processed on what grounds and make a properly informed decision in respect of processing which is only based on their consent. It should not be "bundled" with other written agreements or statements, for example as part of general terms and conditions.
'unambiguous indication of ... wishes'
Consent is active and can be given by a written, electronic or oral statement. For example:
- by ticking a box on a website
- by choosing technical settings for information society services or
- by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data.
Silence, inactivity or the use of pre-ticked boxes does not constitute consent.
Where consent is not valid
The performance of a contract or provision of a service shall not be conditional on consent to the processing of data that is not necessary for that contract or service. Processing personal data which is necessary for the performance of a contract does not require consent, as another relevant condition for processing usually applies (Applied GDPR Article 6(1)(b)).
Consent should not provide a valid legal ground for the processing of personal data in a specific case, where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and this makes it unlikely that consent was given freely in all the circumstances of that specific situation.
Consent and children's data
Special rules apply in relation to the offering of Information Society Services directly to children below the age of 16 (or to those not less than 13 years old depending on the law in the country).
The processing shall only be lawful if consent is given by a person with parental responsibility for that child and the controller makes reasonable efforts to verify that valid consent has been given.
Further in-depth guidance on consent is being generated. However, comprehensive guidance on consent is already available on the UK Information Commissioner's website at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/