What are the consent requirements of GDPR?
Article 4 of the GDPR defines consent as follows: “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Valid and invalid consent
Article 7 states that to gain valid consent:
- the data controller (i.e. the person who is making decisions about how and why data should be processed) must have a record of the consent for personal data to be used
- information regarding written consent should be clear and distinct from other matters
- data subjects should be told they have the right to withdraw their consent - “It shall be as easy to withdraw as to give consent”
- it must be clear that consent is freely given if a contract is conditional on that consent
‘Freely given’ in this context means that consent is given based on a genuine choice. If it can be shown that consent is given, but the data subject effectively had no choice but to agree to the use of their personal data, this would not be considered valid consent.
Consent may also be deemed invalid if:
- it is unclear if a data subject gave consent
- the data subject was not aware they gave consent
- there are no records showing a data subject gave consent
- consent was required as a precondition of a service, but the processing is not necessary for that service
‘Specific and informed’ consent
The GDPR also refers to the concept of ‘specific and informed’ consent. This means that the data subject has the right to:
- Know the identity of the person making decisions about the use of their information (i.e. the data controller and any third party controllers who will rely on the consent given); and
- Consent to different reasons for collecting the data – this means that if the organisation collecting data is using it for several reasons, consent must be given for each reason.
You can get legal assistance from LawBite
Whenever you collect and use identifiable personal data about customers (like name, email, address and preferences), you need to stay compliant with the law.