Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there rules relating to the form, content and administration of such consent?

Data Protection & Cyber Security

Russia

Under the Personal Data Law, PII can only be processed on an appropriate legal ground. In practice, the data subject’s consent is the most widespread legal ground.

Consent shall be fully informed, precise (informative) and freely given. It shall be opt-in consent; the concept of opt-out consent does not work in Russia. The data subject may revoke consent at any time. In such a case, the data controller is obliged to terminate processing unless there are other legal grounds for continuing it.

In certain cases, Russian laws require the data subject’s written consent, e.g. in case of data transfer to ‘inadequate’ jurisdictions; inclusion of PII in publicly available sources of information (e.g. address books, corporate networks in the intranet, etc.); processing of sensitive or biometric PII; transfer of employees’ PII to third parties (including affiliates of the employing entity); collection of the employees’ PII from third parties (i.e. not requesting data directly from the employees).

Written consent must be executed in hard copy with the data subject’s wet signature and contain certain details prescribed by legislation, namely:

  • data subject’s name, address and passport details;
  • name, address, and passport details of the data subject’s representative, and details of the document confirming the representative’s authorization (where consent is given by such individual);
  • name and address of the data controller;
  • purpose of PII processing;
  • categories of PII to be processed;
  • name and address of the data processors;
  • operations on PII (collection, recording, systematization etc.) and general description of data processing methods (automated, manual, mixed);
  • term of consent and procedure of its withdrawal.

Such consent may be signed by digital signature. However, such signature should be a so-called reinforced qualified signature (a signature based on an encryption solution and provided by a state-authorized accreditation center), which makes this option impractical for the majority of companies.

Under current enforcement practice there should be consent covering only one purpose of the data processing. One consent template covering several purposes will not be compliant.

Argentina

The general principle under the Data Protection Law is that any processing of personal data (including any disclosure, collection, storage, assignment, amendment and destruction of data) must be specifically consented to by the data subject.

Such consent must be prior, given freely, based upon the information previously provided to the data subject (informed) and expressed in writing or by equivalent means, depending on the circumstances of the case. The data subject may revoke the consent at any time, but with no retroactive effect.

Nonetheless, informed consent of the data subject is not necessary, among others, when:

  • The data is collected by the government pursuant to its legal authority or in its capacity as such.
  • The data is limited to name, identification number, tax or social security identification numbers, occupation, date of birth, and domicile.
  • The data derives from a contractual, scientific, or professional relationship with the data subject, provided that such data is necessary for the development and compliance with such relationship.

Brazil

Besides the comments we have already made herein above, consent is one of the legal bases provided in the LGPD to process personal data and has specific rules for its use. Additionally, consent is required to process child and adolescent data as well. Although there is no specific format provided for in the applicable legislation, it must be acquired in advance, in a free, informed and unequivocal way, and shall refer to specific purposes. If consent is provided in writing, the contractual clause must appear highlighted from the other contractual clauses.

Bulgaria

The PDPA introduces certain instances in which the consent is required:

  • According to Article 25k PDPA, consent is required in the context of personnel recruitment in cases where the employer wishes to store and process submitted job applications for a period longer than 6 months as from the end of the respective current recruitment procedure (for instance, for the purposes of future recruitment procedures).
  • Pursuant to Article 25c PDPA the consent of a parent or guardian exercising parental rights must be obtained whenever personal data of a minor under the age of 14 is processed on the basis of consent. This requirement applies not only in the context of information society services, but to any form of processing of such data based on consent.

In any case data subject’s consent must be:

  • Freely given, meaning the data subject has a genuine or free choice and is able to refuse or withdraw consent without detriment
  • Specific, meaning that consent should cover all processing activities carried out for the same purpose or purposes, but when the processing has multiple purposes, consent should be given for each of them
  • Informed, meaning the data subject should be informed on the controller’s identity and the purposes of the processing
  • Unambiguous.

The consent could be withdrawn at any time and in such case the controller must stop the processing of personal data.

Consent may be provided by:

  • A written or oral statement
  • Electronic means, such as ticking a box when visiting a website or choosing technical settings for information society services, so long as the request is clear, concise, and not unnecessarily disruptive to the use of the service for which it is provided.
  • Another statement or conduct that clearly indicates the data subject’s acceptance of the proposed processing. Silence, pre-ticked boxes, or inactivity does not constitute valid consent. (Article 7 and Recitals 32 and 42 GDPR).

Switzerland

The processing of “normal” personal data does generally not need to be justified by a consent. Only if provisions of the FADP, in particular the general data protection principles (and most prominently the transparency principle as well as the principle of purpose limitation), were infringed, consent would be required. However, consent is pursuant to art. 13 FADP only one justification option. The other justifications are statutory obligations or an overriding interest of the public or the controller.

Consents are most likely sought after in connection with data processing for marketing purposes, such as e-mail marketing and profiling. However, in connection with e-mail marketing, the consent duty rather stems from art. 3 para. 1 lit. o Unfair Competition Act (see later in question 25).

The requirements for obtaining consents are set out in art. 4 para. 5 FADP (see above Question 4). It is important to mention that consent may also be provided implicitly. As the burden of proof for obtaining a sufficient consent is on the controller, it is, however, recommended that data subjects be asked for an explicit consent and that the consent is documented. Swiss law does not ask for an explicit manner of documentation. At the end, the controller must prove who consented when to what kind of data processing. It is therefore important not only to prove who consented to what kind of data processing, but it is also important to keep the information that was provided to the data subject at the time of the consent.

Spain

Consent is one of the legitimate grounds for data processing established in article 6 GDPR, so the Controller will only be able to process data on the basis of the consent of the data subject when this is the most appropriate ground for a particular data processing activity.

The requirements for a valid consent are established in article 7 GDPR, which are the same in Spanish privacy legislation: it should be demonstrable by the Controller, and it must be freely given by the data subject, specific, informed, unambiguous and, when consent is given for a plurality of purposes, it must be specifically and unequivocally stated for all of them. Moreover, recital 32 of the GDPR states that consent should be given by a clear affirmative act, so tacit consent is excluded.

Chile

The Data Privacy Act states any individual can process personal data, if the following requirements are met:

(a) The processing of personal data shall be authorized by one of the three following:

(i) the Data Privacy Act;
(ii) another legal provision; or
(iii) the subject or holder of the personal data specifically consents thereto.

The consent/authorization granted by the holder/subject of the personal data regarding the processing of his/her data shall comply with the following requirements in order to be effective:

  • it shall be accurately informed about the purpose of the storage of the personal data and if those data will be communicated or not to the public
  • the consent shall be specified; in writing; and
  • the personal data must be used only for the purposes for which it has been collected, unless it comes or has been collected from public sources. Even though, the data shall be accurate, updated and respond truthfully to the actual circumstances of the holder of the personal data.

In addition:

(b) The rights granted by the Data Privacy Act shall be respected and fulfilled;

(c) The purpose of the collecting and processing shall be allowed by law.

China

Overall, a noticeable difference from GDPR is that the legal basis under the CSL is entirely consent-based. The CSL requires the network operator to expressly notify and obtain consent of the users if the products or services collect user information and comply with relevant laws and regulations governing personal information protection if personal information of users is involved.[8] With a few exceptions listed in the PI specification, a network operator is required to inform the personal information subject of the purposes, means and scope of the collection and use of his or her personal information, and consent must be obtained prior to such collection.[9] Any processing of personal information thereafter must be carried out within the scope of the consent. A renewed consent is required when the processing exceeds the original scope of consent.

8 - CSL. §22.
9 - PI Specification. 5.3 (a).

Germany

Consent creates a legal basis for the processing of personal data according to Art. 6 (1) 1 a) GDPR. Typical cases where a consent is used are newsletter mailings, customer profiling, use of location data, use of employee images for the employer’s website and the processing of data concerning health.

In most cases a data subject’s consent will be sought as a legal basis for the processing of personal data only where other grounds cannot be applied. This is because an effective consent has to meet very high requirements. Consent is defined in Art. 4 (11) GDPR as a ‘freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.

In order to obtain freely given consent, it must be given on a voluntary basis. The element ‘free’ implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid. Additionally, the conclusion of a contract must not depend on a data subject’s consent in processing personal data, if the data is not necessary for the fulfillment of the contract. This kind of coupling services or products with data processing consents is prohibited.

To meet the requirements of a specific and informed indication, certain information has to be disclosed to the data subject prior to the consent affirming action. These are the controller’s identity, the kind of data that will be processed, how it will be used and the purpose of the processing operations. The purposes of the processing operations must be sufficiently specified. Also, the data subject must be informed about its right to withdraw a given consent at any time.

For the consent to be unambiguous it needs to be made in the form of a statement by the data subject or a clear affirmative action. The consent cannot be merely implied and any room for misinterpretation will be at the controller’s expense. However, there is no particular form required. The most widespread form of consent in an online setting is certainly the opt-in. To further illustrate the requirement of unambiguity: an opt-out function would not be considered an affirmative action and thus no effective consent.

Controllers must document the given consent. Consumers should be offered a clear mechanism for opting out again and it should be as easy to withdraw as to give consent.

India

Privacy Rules

The Privacy Rules require consent of the Data Subjects for collection of sensitive PII. No format has been prescribed. No consent is required for collection of PII.

In India, it is standard practice for companies to obtain a general consent that covers business requirements for sensitive PII and PII. This is achieved through privacy policies, written contracts, or click-wrap 'I agree' buttons.

Privacy Bill

The Privacy Bill proposes that:

(a) Consent needs to be taken for processing of PD. Such consent should be taken no later than at the time of commencement of processing.

(b) 'Explicit consent' needs to be taken for processing of SPD.[24]

It is expected that the Authority will issue codes / formats for processing of PD and SPD.[25]

24 - The Privacy Bill provides parameters for when consent will be considered explicit consent, such as, consent should be informed (taking into account that the Data Subjects are made aware that the processing may have significant consequence for the Data Subjects), clear (taking into account that the consent is meaningful and without inference from conduct), and specific (taking into account whether the Data Subjects are given the choice to separately consent to use of different categories of SPD relevant to processing).

25 - While the Privacy Bill does not prescribe the form in which consent and explicit consent may be obtained, once the Authority is set up, it may prescribe guidance in this area.

Indonesia

As discussed above, the general principle of consent is the key principle of Personal Data processing under MCI Regulation 20/2016. Consequently, consent from the Data Subject will always be required, except in certain events as stipulated in the laws and regulations.

With regard to the consent form, MCI Regulation 20/2016 requires ESO to provide a consent form in the Indonesian language in obtaining approval from the relevant Data Subject. However, the regulation is silent on the formatting requirements of the consent form.

Portugal

Processing of sensitive PII, as defined above, is prohibited except in the cases foreseen in article 9.2 and 9.3 of the GDPR:

a) The data subject has given explicit consent for that specific purpose;

b) Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;

c) Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

d) Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

e) Processing relates to personal data which are manifestly made public by the data subject;

f) Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

g) Processing is necessary for reasons of substantial public interest;

h) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services or pursuant to contract with a health professional;

i) Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices;

j) Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

The Portuguese Data Protection Law may introduce further conditions or restrictions regarding the processing of genetic data, biometric data or data concerning health.

In what concerns PII relating to criminal convictions and offences or related security measures, the lawful basis for their processing shall be the law of the Member States (e.g. criminal record, disciplinary sanctions).

In both cases, considering the nature of the PII and the risks for the data subjects, increasing attention should be paid, for example, by ensuring appropriate safeguards for the rights and freedoms of the data subjects and implementing security measures adequate to protect such PII against unauthorised or unlawful processing, accidental loss, destruction or damage.

United Kingdom

Consent is one of the lawful bases that controllers can rely on to process personal data. It tends to be used where no other lawful basis can be relied upon as it can be difficult to achieve consent and it can be withdrawn by the individual. It is used when required by law for example for direct marketing by email or text (unless the soft opt in applies).

In order for consent to be valid, it must meet the requirements. Consent is defined as:

'any freely given, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her'.

Consent can be given electronically, in writing or orally. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement/conduct clearly indicating acceptance of the proposed processing. In each case some affirmative action should be given. Silence, pre-ticked boxes or inactivity do not constitute consent.

When special categories of data are being processed consent also needs to be explicit.

For consent to be informed the data subject must be notified at least of the controller's identity and the purposes of processing. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, separate consent should be given for all of the purposes and should be clearly distinguishable.

The data subject will have, and must be informed of, the right to withdraw his/her consent at any time. This will not affect the lawfulness of the processing preceding the withdrawal.

Consent may not be considered to be "freely given" if:

  • performance of the contract is conditional on consent to the processing of personal data that is not necessary for the performance of that contract;
  • there is a clear imbalance between the data subject and the controller (e.g. in an employment relationship); or
  • the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

Records of consents obtained should be kept to demonstrate compliance with the principles.

Sweden

Neither the GDPR, the Personal Data Act nor the Personal Data Ordinance require a controller to use consent in connection with the general processing of personal data.

It is worth mentioning that many avoid using consent as the lawful basis because of:

  • the GDPR’s stringent consent requirements (the term “consent” is defined in article 4 of the GDPR as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”); and
  • the data subject’s right to withdraw his or her consent at any time (article 7(3) of the GDPR).

Chapter 6 paragraph 18 of the Cookie Act, on the other hand, stipulates that a website with cookies must obtain consent from its visitors to the cookies being used, unless the cookie is necessary to transmit an electronic message via an electronic communications network or to provide a service explicitly requested by the visitor. The consent requirements should correspond to the consent requirements in the GDPR (see above). However, in reality, consent is usually obtained through the visitor’s browser settings.

See also question 7 regarding age of consent and question 24 regarding profiling.

Greece

According to the GDPR, consent is required in the following cases:

A) When there is processing of special categories of personal data. In such a case, consent is used as one of the legal bases that justifies the processing of the aforementioned categories of personal data.

B) When there is transfer of personal data to a non-EU country for which there is no adequacy decision under article 45 (3) or appropriate safeguards under article 46, including Binding Corporate Rules (hereinafter, “BCRs”). In such a case, consent is used as one of the appropriate legal bases of data transfer.

Moreover, an indicative example where consent is required is Law 3471/2006 which prohibits unwanted communication with the data subject by electronic means, without human intervention, for purposes of direct marketing of products or services or for any other advertising purposes, unless the data subject has given his/her consent to this respect.

Another indicative example where consent is required is the example of potential borrowers, who have to give their consent to the bank in order for the latter to have access to the “white list” of the data system “Tiresias”, including loans, credit cards etc.

Consent can be provided in a hard copy or electronic version.

With regard to the content of the consent and the minimum requirements that must be met in order for it to be “informed”, Working Party 29 (hereinafter, “WP 29”) supports that it is necessary to inform the data subject about certain elements that are crucial to make a choice. Therefore, the minimum information required for obtaining a valid consent is the following:

(i) the controller’s identity,
(ii) the purpose of each of the processing operations for which consent is sought,
(iii) what (type of) data will be collected and used,
(iv) the existence of the right to withdraw consent,
(v) information about the use of the data for automated decision-making in accordance with article 22 (2)(c) where relevant, and
(vi) on the possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards as described in article 46.

Regarding other information about the processing of personal data, reference can be made to the data controller’s Privacy Notice.

Finally, the data controller shall record, in a secure manner, the information necessary to demonstrate the consent of the data subject. At the same time, in case of electronic consent for sending emails, the controller shall follow specific procedures to confirm the subject's consent, such as the consent procedure with additional information and the double opt-in, as detailed below.

Furthermore, the right of a data subject to opt out from unsolicited calls with human intervention is safeguarded, provided that the subscriber has notified the respective provider of his intention not to receive such calls. Provided that such notification has not taken place, providers can make unsolicited calls with human intervention; however, the right to object is always possible during any received call.

Turkey

Special categories of data (including data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of associations, foundations or trade-unions, criminal conviction and security measures, as well as biometric and genetic data) can only be processed without the explicit consent of the data subject if such processing is provided for by laws. Data relating to the health or sexual life of data subjects can only be processed without the explicit consent of the data subject if it is processed by any person or authorized public institutions and organizations that have a confidentiality obligation and for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

Explicit consent is construed as “freely given, specific and informed consent” under Law No. 6698. To illustrate, explicit consent must not be obtained as a condition for the provision of a service, must be limited to the relevant act of processing and must have been given unambiguously by the data subject acting in a way which leaves no doubt that the data subject agrees to the processing of his or her data.

Austria

In so far as data processing cannot be based on another provision of art. 6 GDPR, the consent of the person concerned is required. However, this depends on the circumstances of the individual matter. It is therefore not always necessary for the data subjects to give their consent in order to carry out data processing.

For any consent to be effective, substantial requirements must be met. Consent is a voluntary, informed and unequivocal expression of will, given for the specific matter. The consent can be revoked by the person concerned at any time. The person concerned must be informed of this possibility of revocation before consent is given. The consent itself is not bound to any particular form. Since the controller is required to prove the existence of any consent, it is advisable to ensure appropriate documentation.

France

Consent is one of the lawful bases that controllers can rely on to process personal data. It tends to be used where no other lawful basis can be relied upon as it can be difficult to achieve consent and it can be withdrawn by the individual.

It must also sometimes be used when required by law for example for direct marketing by email or text (unless the soft opt in applies).

In order for consent to be valid, it must meet high requirements. Consent is defined as:

'any freely given, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her' (GDPR, Article 4(11)).

Consent can be given electronically, in writing or orally. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement/conduct clearly indicating acceptance of the proposed processing. In each case some affirmative action should be given. Silence, pre-ticked boxes or inactivity do not constitute consent.

When special categories of data are being processed consent also needs to be explicit.

For consent to be informed the data subject must be notified at least of the controller's identity and the purposes of processing. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, separate consent should be given for all of the purposes and should be clearly distinguishable.

The data subject will have, and must be informed of, the right to withdraw his/her consent at any time. This will not affect the lawfulness of the processing preceding the withdrawal.

Consent may not be considered to be "freely given" if:

  • performance of the contract is conditional on consent to the processing of personal data that is not necessary for the performance of that contract;
  • there is a clear imbalance between the data subject and the controller (e.g. in an employment relationship); or
  • the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

Records of consents obtained should be kept to demonstrate compliance with the principles.

United States

There is no single federal law in the U.S. that sets out general requirements for when and how to obtain consent from data subjects. Instead, consent requirements are regulated by various individual sector-specific laws. In particular, in the U.S., certain types of information require opt-in consent. These include health information, credit reports, financial information, student data, personal information collected online from children, biometric data, video viewing choices, certain uses of phone numbers, and geolocation data. Certain other uses of personal information are subject to opt-out consent (e.g., email marketing, or soon in California the “sale” of PI), and the rest are generally not subject to any consent requirement at all.

The U.S. regulates the type of consent an entity must obtain prior to communicating with an individual directly via email, phone, text or fax. Specifically, under the Telephone Consumer Protection Act (TCPA), in many circumstances consent must be obtained from the recipient of a call or text before a call is placed or a text is sent, particularly in the context of marketing. Whether and what kind of consent must be obtained (for example, none vs. “prior express consent” vs. “prior express written consent”) depend on the type of call (emergency, sales/marketing, transactional/informational); the type of calling technology used (manual dial, autodialer, prerecorded voice); the type of phone called (residential landline, cell phone); the type of caller (for-profit, nonprofit, state/local government, federal government); and the type of recipient of the call (business-to-consumer vs. business-to-business).

With regard to biometric data, certain states require specific kinds of consent before collection. In particular, the Illinois Biometric Information Privacy Act (BIPA) requires that written consent be obtained before collecting a biometric identifier.

In addition, under the FTC Act, companies generally need to obtain opt-in consent prior to using, disclosing or otherwise treating PII in a manner that is materially different from what was disclosed in the privacy policy applicable when the PII or PI was collected.

Malaysia

A data user shall not process the personal data unless the consent of the data subject has been given pursuant to Section 6(1)(a) of the PDPA 2010. According to the Personal Data Protection Regulations 2013, the burden of proof for such consent shall lie on the data user (Regulation (5)). Section 6(2) of the PDPA provides that a data user may process personal data without consent if the processing is necessary:

(i) For the performance of a contract to which the data subject is a party; or

(ii) In order to take steps at the request of the data subject prior to entering into a contract;

(iii) In order to comply with a legal obligation (other than that imposed by contract); or

(iv) To protect the vital interests of the data subject;

(v) For the administration of justice; or

(vi) For the performance of a function conferred by or under other laws.

Pursuant to Section 6(3) of the PDPA, personal data shall not be processed unless:

(i) the personal data is processed for a lawful purpose directly related to an activity of the data user;

(ii) the processing of the personal data is necessary for or directly related to that purpose; and

(iii) the personal data is adequate but not excessive in relation to that purpose.

The data subject has to be aware of, amongst other things, the types of personal data, the purposes for which the personal data is collected, the source of the personal data, the rights of the data subject and how to exercise the said rights, as well as the class of third parties to whom the data user discloses or may disclose the personal data. The PDPA does not specify the level or form of consent that must be obtained. Regulation 3(1) of the Personal Data Protection Regulations 2013 does, however, stipulate that consent shall be obtained from the data subject in relation to the processing of personal data in any form in which such consent can be recorded and maintained properly by the data user. This would mean that consent may vary not only from case to case but also between implied and explicit insofar as processing of sensitive personal data is concerned.

Hence, the key test will be the ability to demonstrate that consent exists or has been given by the data subject. In this context, it is important for data users to ensure that a data subject is fully aware of and understands the purposes for which his/her data are being processed. Consent can be understood to have been given when individuals do not object and instead volunteer their personal data after the purposes of processing are clearly explained.

A clear explanation by trained staff of the data user is therefore necessary to prove that consent has been obtained from the data subject after the purposes of processing his/her data have been explained to him/her.

Gibraltar

Consent is one of the lawful bases for processing PII: it is defined as any "freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" (Article 4(11), GDPR).

Ireland

Consent is one of the lawful bases that controllers can rely on to process personal data. It tends to be used where no other lawful basis can be relied upon, as it can be difficult to achieve consent and it can be withdrawn by the data subject. It is used when required by law, for example for direct marketing by email or text (unless the soft opt-in applies).

In order for consent to be valid, it must meet certain requirements. Consent is defined as:

'any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her'.

Consent can be given electronically, in writing or orally. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement/conduct clearly indicating acceptance of the proposed processing. In each case some affirmative action should be taken. Silence, pre-ticked boxes or inactivity do not constitute valid consent.

When special categories of data are being processed, there is also an additional requirement that the consent needs to be 'explicit'.

For consent to be informed, the data subject must be notified at least of the controller's identity and the purposes of processing. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, separate consents should be given for each of the purposes and should be clearly distinguishable.

The data subject will have, and must be informed of, the right to withdraw consent (in an easy way) at any time. This will not affect the lawfulness of the processing preceding the withdrawal.

Consent may not be considered to be "freely given" if:

  • performance of a contract is conditional on consent to the processing of personal data that is not necessary for the performance of the contract;
  • there is a clear imbalance between the data subject and the controller (e.g. in an employment relationship); or
  • the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

Records of consents obtained should be kept to demonstrate compliance with the principles.

Updated: June 17, 2019