When consent is required to process personal data, for that consent to be valid the following conditions must be met:
- it must be freely given;
- it must be informed;
- it must be given for a specific purpose;
- all the reasons for the processing must be clearly stated;
- it must be explicit and given via a positive act (for example an electronic tick-box that the individual has to explicitly check online or a signature on a form);
- the request must use clear and plain language and be clearly visible;
- it must be possible to withdraw consent and that fact must be explained (for example an unsubscribe link at the end of an electronic newsletter email).
For consent to be freely given the individual must have a free choice and must be able to refuse or withdraw consent without being at a disadvantage. Consent isn’t freely given if, for example, there is a clear imbalance between the individual and the business/organisation (for example employer/employee relationship) or when a business/organisation requires individuals to consent to the processing of unnecessary personal data as a pre-condition to fulfil a contract or service.
For consent to be informed, the individual must receive at least the following information:
- the identity of the organisation processing data;
- the purposes for which the data is being processed;
- the type of data that will be processed;
- the possibility to withdraw the given consent (for example, an unsubscribe link at the end of an email);
- where applicable, the fact that the data will be used for solely automated decision-making, including profiling;
- if the consent is related to an international transfer, the possible risks of data transfers to third countries which are not the subject of a Commission adequacy decision and where there are no appropriate safeguards.
Remember: where someone consents to the processing of their personal data, you can only process the data for the purposes for which consent was given.
You're an airline company and your Privacy Notice indicates that the personal data of customers can be processed for a competition organised by your company offering a free flight as a prize. The customers who ticked the box agreeing to participate in the competition have clearly signalled their wish to have their personal data processed for the purpose of the competition. There is consent to process data for the purpose of the competition but not for other purposes.
Consent not free
Your company/organisation offers online movie services. When collecting the data needed for this contract you also ask for additional data, such as the sexual orientation or the political beliefs of a person. That person may believe that their consent for the processing of this type of data is necessary to access the movies they request. The consent in this case isn’t free consent, it is a ‘tied consent’.
- Articles 4(11) and 7 and Recitals 32, 42, 43 of the GDPR
- Article 29 Working Party Opinion on consent adopted on 28 November 2017