Data Protection Consent 

Whether in an online store, a newsletter, or a customer survey—personal data is processed everywhere. To ensure such processing is lawful, a clear legal basis is required. Often, this basis is the data protection consent of the data subject. 

Unlike other legal grounds, the GDPR requires that consent be freely given and informed. This sets a high standard for its design and documentation. This article outlines the key aspects to consider. 

Would you like to ensure your company complies with the GDPR requirements? With // PRIMA, you get an immediately deployable tool offering comprehensive support for optimized data protection management. Try our all-in-one solution free for 14 days.

What is Data Protection Consent? 

The General Data Protection Regulation defines consent in Article 4(11) GDPR as a freely given, specific, informed, and unambiguous indication of the data subject’s wishes. It can be given by a statement or by a clear affirmative action. 

The legal basis for processing based on consent is Article 6(1)(a) GDPR. Accordingly, processing is lawful if the data subject has given consent for one or more specific purposes. 

For special categories of personal data—such as health or biometric data—stricter requirements apply. Article 9(2)(a) GDPR mandates explicit consent due to the heightened need for protection. 

Unlike other legal bases such as contract fulfillment or legitimate interest, consent must be freely given and can be withdrawn at any time. This makes it a particularly sensitive legal basis that requires careful collection and documentation. 

Explicit consent may also serve as the legal basis for automated individual decision-making, including profiling, under Article 22(2)(c) GDPR. Examples include automated applicant management or creditworthiness assessments using scoring systems. 

Typical Use Cases 

  • Newsletters: May only be sent with consent; a double opt-in (confirmation via a link sent to the address entered) is the usual way to obtain and prove it. 
  • Cookies and tracking: Consent is required for non-essential cookies. 
  • Publication of photos: Consent is required, especially for advertising purposes. 
  • Customer surveys: Consent is required when processing personal data. 

Common Mistakes 

  • Lack of transparency: If the purpose and scope of data use are unclear, the consent is invalid. 
  • Pre-selected checkboxes: Consent must not be obtained using pre-ticked boxes. 
  • Tying consent to service: If the provision of a service is conditional on consent without necessity, the consent is not voluntary. 
  • Missing documentation: Failure to document consent can result in fines if challenged. 

Requirements for Valid Consent

For consent to be valid under the GDPR, several conditions must be met. These requirements protect data subjects from being pressured or misled. 

Voluntariness 

Consent must be given freely. The data subject must not face coercion or significant disadvantages for refusing, and a genuine choice must exist. Consent is particularly questionable when the provision of a service is made conditional on it even though the processing is not necessary for that service (the “bundling prohibition” of Art. 7(4) GDPR). 

Informed and Transparent 

Consent is only valid if the data subject is fully informed. Article 7(2), Article 13, and Article 14 GDPR require that the following be communicated clearly and understandably: 

  • The identity of the controller, 
  • What data is being processed, 
  • The purpose of the processing, 
  • Whether data is shared with third parties, 
  • How long data will be stored, 
  • The right to withdraw consent at any time. 

Clear Affirmative Action 

Consent must be given through a clear affirmative action. Silence, inactivity, or pre-selected options are not sufficient. Valid forms include: 

  • Actively ticking a checkbox, 
  • Written declarations, 
  • Electronic confirmation, 
  • Verbal consent (if verifiable). 

Form and Documentation 

Consent may be given in writing, electronically, or orally. In all cases, the controller must be able to prove that valid consent was obtained (Art. 7(1) GDPR). In practice, written or electronic records are advisable. 

It must also be documented that the consent meets all legal requirements. 

Consent from Children and Adolescents 

When obtaining consent from minors, specific rules apply. Under Article 8 GDPR, where an information society service (e.g., an app or social network) is offered directly to a child and the processing relies on consent, a child under the age of 16 can only give valid consent if it is given or authorized by the holder of parental responsibility. Member states may lower this age threshold, but not below 13. 

Controllers must make reasonable efforts, taking available technology into account, to verify that parental consent has genuinely been given (Art. 8(2) GDPR). A simple checkbox is usually insufficient; signed declarations or email confirmations sent to the parent are more appropriate. 

Importantly, information about data processing must be presented in child-friendly, comprehensible language. 

Withdrawal of Consent 

Consent does not grant unrestricted permission to process data. Data subjects have the right to withdraw their consent at any time, without needing to provide a reason (Art. 7(3) GDPR). 

Right to Withdraw at Any Time 

Withdrawal must be as simple as giving consent. Organizations are required to inform data subjects about this right prior to obtaining consent. For example, every newsletter must contain a clearly visible unsubscribe link. 

Effect of Withdrawal 

Once consent is withdrawn, data processing for the related purposes must cease immediately. However, withdrawal does not retroactively affect the legality of prior data processing. 

Controller’s Obligations 

Upon withdrawal, the controller must: 

  • Immediately cease data processing for the affected purposes, 
  • Delete the data unless another legal basis applies, 
  • Document the withdrawal to provide evidence if needed. 

In practice, companies should implement streamlined processes to ensure rapid and efficient handling of withdrawals to avoid penalties. 
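The documentation duty described under “Form and Documentation” (proving that valid consent was obtained, Art. 7(1) GDPR) and the controller’s obligations on withdrawal above both come down to keeping a reliable consent record. The following is an added example of a minimal consent ledger, written for this article and not part of // PRIMA or any tooling the page describes. It records a fingerprint of the exact wording shown, the purposes, the time and the collection source; refuses pre-ticked boxes; enforces a double opt-in before any processing is allowed; and handles withdrawal per purpose so that later processing stops while earlier processing remains lawful. The 48-hour confirmation window, the purpose names and the subject identifiers are assumptions chosen for the example.

```python
"""Added example: a minimal consent ledger for GDPR consent records.

Illustrative only. Assumptions: a 48-hour double opt-in window, SHA-256
fingerprints of the consent text, and per-purpose withdrawal.
"""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

CONFIRM_WINDOW = timedelta(hours=48)  # assumption: validity of a double opt-in link
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo below


def hours(n: float) -> datetime:
    """Helper for the demo: a point in time n hours after T0."""
    return T0 + timedelta(hours=n)


def _sha256(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    subject_id: str
    purposes: frozenset[str]
    text_hash: str                 # fingerprint of the wording actually shown
    given_at: datetime
    source: str                    # where it was collected, e.g. "web-form:/signup"
    token_hash: str                # double opt-in token, stored only as a hash
    confirmed_at: datetime | None = None
    withdrawn_at: dict[str, datetime] = field(default_factory=dict)  # per purpose

    def covers(self, purpose: str, at: datetime) -> bool:
        """True if this record lawfully covers `purpose` at time `at`."""
        if purpose not in self.purposes or self.confirmed_at is None:
            return False
        if at < self.confirmed_at:
            return False
        withdrawn = self.withdrawn_at.get(purpose)
        # Withdrawal stops processing going forward but does not undo earlier processing.
        return withdrawn is None or at < withdrawn


class ConsentLedger:
    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record(self, subject_id: str, purposes: set[str], consent_text: str,
               source: str, *, pre_ticked: bool = False, now: datetime) -> str:
        """Store a consent declaration; returns the double opt-in token to send out."""
        if pre_ticked:
            raise ValueError("a pre-ticked box is not a clear affirmative action")
        if not purposes:
            raise ValueError("consent must name at least one specific purpose")
        token = secrets.token_urlsafe(32)
        self._records.append(ConsentRecord(subject_id, frozenset(purposes),
                                           _sha256(consent_text), now, source, _sha256(token)))
        return token  # goes to the data subject (e.g. confirmation e-mail), never stored in clear

    def confirm(self, token: str, now: datetime) -> bool:
        """Double opt-in: activate the record whose token matches, if still within the window."""
        digest = _sha256(token)
        for rec in self._records:
            if rec.confirmed_at is None and secrets.compare_digest(rec.token_hash, digest):
                if now - rec.given_at > CONFIRM_WINDOW:
                    return False
                rec.confirmed_at = now
                return True
        return False

    def withdraw(self, subject_id: str, purpose: str | None, now: datetime) -> int:
        """Withdraw for one purpose (or all if None); no reason required. Returns purposes affected."""
        affected = 0
        for rec in self._records:
            if rec.subject_id != subject_id:
                continue
            for p in rec.purposes:
                if (purpose is None or p == purpose) and p not in rec.withdrawn_at:
                    rec.withdrawn_at[p] = now
                    affected += 1
        return affected

    def may_process(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """The check every processing step should run before touching the data."""
        return any(r.subject_id == subject_id and r.covers(purpose, at) for r in self._records)

    def evidence(self, subject_id: str) -> list[dict]:
        """Audit view: what is needed to demonstrate consent and its withdrawal."""
        return [{"purposes": sorted(r.purposes), "text_hash": r.text_hash, "source": r.source,
                 "given_at": r.given_at.isoformat(),
                 "confirmed_at": r.confirmed_at.isoformat() if r.confirmed_at else None,
                 "withdrawn_at": {p: t.isoformat() for p, t in r.withdrawn_at.items()}}
                for r in self._records if r.subject_id == subject_id]
```

The ledger deliberately has no way to mark consent as given without a confirmed token, and `withdraw` takes no reason argument, mirroring Art. 7(3). Querying `may_process` for a time before the withdrawal still returns true, which is exactly the non-retroactive effect described above; a deletion job would additionally need to check whether another legal basis applies before purging the data.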

Special Cases of Consent 

Special categories of personal data, such as health or biometric information, are subject to enhanced protection. Their processing is generally prohibited unless an exemption under Article 9(2) GDPR applies, in particular explicit consent under Article 9(2)(a). 

What Constitutes Special Categories of Data? 

According to Article 9(1) GDPR, these include: 

  • Racial or ethnic origin, 
  • Political opinions, 
  • Religious or philosophical beliefs, 
  • Trade union membership, 
  • Genetic and biometric data, 
  • Health data, 
  • Data concerning sex life or sexual orientation. 

Requirements for Explicit Consent 

Consent must: 

  • Be explicit and clearly worded, 
  • Specifically reference the processing of such data, 
  • Be given through an unambiguous, active declaration. 

In practice, a separate, customized consent form tailored to these data categories is often used. 

Designing Effective Consent Declarations 

Consent is only valid if it is clear, understandable, and transparent. These requirements are directly derived from the GDPR. 

The language used should be simple. Technical jargon or complex legal phrases should be avoided. The data subject must immediately understand the purpose of the data processing. The declaration must not be hidden within general terms or other texts; it must be distinct and recognizable as a standalone declaration. 

Electronic and Written Consent 

For online consent: 

  • No pre-selected checkboxes, 
  • Users must actively opt in, 
  • Withdrawal options must be easily accessible. 

For written consent: 

  • A separate section at the end of a form is recommended, 
  • Should be signed independently. 

While there are numerous templates available, these must be tailored to individual circumstances. Every consent declaration should include: 

  • Who is processing the data, 
  • What data is being processed, 
  • The purpose of the processing, 
  • That the consent is voluntary and revocable. 

Using generic templates without customization risks invalidating the consent. 

Consent in Relation to Other Legal Bases 

Consent is one of six legal bases listed in Article 6(1) GDPR. It is equal in standing with the others: 

  • Contract performance (Art. 6(1)(b) GDPR), 
  • Legal obligation (Art. 6(1)(c) GDPR), 
  • Protection of vital interests (Art. 6(1)(d) GDPR), 
  • Public interest or official authority (Art. 6(1)(e) GDPR), 
  • Legitimate interest (Art. 6(1)(f) GDPR). 

When Is Consent Necessary? 

Consent is only needed where no other legal basis fits the processing. Common scenarios include: 

  • Sending newsletters, 
  • Personalized advertising, 
  • Publishing photographs. 

If another legal basis is applicable—such as contract performance—consent should not be sought unnecessarily, as it may lead to avoidable revocations. 

Risks of Invalid Consent 

If consent is flawed or lacks adequate information, the entire data processing activity may be unlawful. This is particularly critical for sensitive data or marketing activities. It is essential to document the legal basis thoroughly. 

Conclusion 

Data protection consent is a core element of the GDPR and plays a vital role in safeguarding personal data. It reinforces the autonomy of data subjects and ensures transparency in data processing. 

For consent to be valid, it must meet several criteria: voluntariness, informedness, a clear affirmative action, and the ability to revoke it at any time. Proper documentation and a clear, understandable consent text are also crucial. 

Want to reduce liability and regulatory risks in data protection? // PRIMA offers expert-developed templates and guides that help ensure GDPR-compliant documentation. Try it free for 14 days and implement professional data protection today! 
