Consent as a Legal Basis
When consent under Art. 7 GDPR is valid and what controllers need to observe when obtaining, documenting, and managing consent.
Consent is one of the six legal bases on which controllers may rely when processing personal data. Article 6(1)(a) GDPR permits processing where the data subject has given consent to the processing of their personal data for one or more specific purposes. Article 7 GDPR sets out the detailed conditions that must be met for consent to be valid.
When Is Consent Valid?
Valid consent must satisfy four core requirements: it must be freely given, specific, informed, and unambiguous. Freely given means that the data subject must have a genuine choice and be able to refuse or withdraw consent without detriment. Where consent is made a precondition for the performance of a contract, even though it is not necessary for that contract, the freely given requirement will generally not be met (the 'bundling prohibition').
The specificity requirement demands that the purpose of processing be described clearly and concretely. Blanket consents covering an unlimited number of processing purposes are invalid. As a general rule, separate consent must be obtained for each distinct processing purpose, unless the various purposes are closely linked.
The data subject must be informed before giving consent. The controller's comprehensive duty to provide information under Articles 13 and 14 GDPR must be fulfilled before informed consent can be obtained. Recital 32 to the GDPR clarifies that consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement, for example by ticking a box when visiting an internet website, choosing technical settings, or by any other statement or conduct.
Withdrawal of Consent
The right to withdraw consent at any time is a fundamental aspect of the consent framework. Pursuant to Article 7(3) GDPR, withdrawing consent must be as easy as giving it. Processing carried out before withdrawal remains lawful; the withdrawal takes effect only prospectively.
Documentation Requirements
Of central practical importance is the reversal of the burden of proof in Article 7(1) GDPR: the controller must be able to demonstrate that the data subject has consented. This creates an obligation to document each consent carefully, including the timestamp, the text used, and the manner in which consent was obtained.
Special requirements apply to children's consent under Article 8 GDPR. For information society services offered directly to children, consent must be given or authorised by a holder of parental responsibility where the child is below a specified age (16 years in Germany). Controllers are required to make reasonable efforts to verify age, taking into account available technology.