Updated guidance on GDPR consent

Updated guidance on GDPR consent

What guidance do we have on the issue of consent under the GDPR?

The Article 29 Working Party has published guidance in relation to consent under the new General Data Protection Regulation (GDPR). This article summarises the main points which come out of this.

The starting point when considering data processing is to remember that consent is still one of the lawful bases for processing personal data under the GDPR, but there are 6 other lawful bases’ which may be relied on. If you rely on consent as the legal basis for processing personal data, you must also comply with the principles of processing relating to fairness and proportionality, for example. These principles are not looked at further by the guidance.

What is consent and how should it be sought?

Consent is defined under the GDPR as ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’

Freely given

Consent must be freely given, which means that there must be a genuine choice for the data subject to say yes or no to the processing. Consent is unlikely to be valid if saying no would have negative consequences for the data subject.

Given that there is likely to be an imbalance of power in the working environment, it is unlikely that consent as a lawful basis for processing will be appropriate in the majority of employment contexts. However, there may be exceptional circumstances. The question to ask is whether the employee is really able to freely give their consent.

Special caution is needed when a contract has a request for consent to process personal data tied to it, for example as may be included in an employment contract.

If multiple processing operations are to happen for more than one purpose, the data subject should be free to choose which purpose they accept.

Specific consent

Consent must be given to one or more specific purposes and a choice must be available to consent to each of them. Before this is sought, a specific, explicit and legitimate purpose for the intended processing must be determined.

In order then for consent to be specific, the data subject must be specifically informed of the intended purposes of the data use. If the data is to be used for a new purpose, the process of getting consent must be done again.


As touched on above, the data subject must give informed consent. Therefore the controller must provide the data subject with accessible information prior to gaining consent.

The guidance states that such information should at least include the identity of the controller, the purpose of each of the processing operations for which consent is sought, what type of data will be collected and used, the existence of the right to withdraw consent, information about the use of the data for decisions based solely on automated processing and, if appropriate, information on the possible risks of data transfers to third countries.

Clear and plain language should be used taking into account the intended recipient.

Unambiguous intention of wishes

Consent requires a statement or clear affirmative action from the data subject. The use of pre-ticked opt in boxes is invalid, as will be relying on the data subject’s silence.

Explicit Consent

Special categories of data as specified in the GDPR, data transferred to third countries or international organisations in the absence of adequate safeguards or cases of automated decision making will require explicit consent, i.e. an express statement of consent.

Additional Requirements

The GDPR contains specific provisions on keeping records of consent and the data subject’s right to withdraw consent. It is suggested good practice to refresh consent at appropriate intervals and keep appropriate records of this.

The controller must ensure consent can be withdrawn by the data subject as easily as the consent was given and at any time and without detriment. The controller must inform the data subject of the right to withdraw consent prior to actually giving consent and how to exercise this right.

The GDPR contains specific requirements for processing data of children using online services and also for the purpose of scientific research.

If you are offering information society services to children, you should check whether parental consent is needed. This is likely to vary from country to country and specific advice should be sought for those advertising internationally.