The consent must be bound to one or several specified purposes which must then be sufficiently explained.
Where relevant, the controller also has to inform about the use of the data for automated decision-making, the possible risks of data transfers due to absence of an adequacy decision or other appropriate safeguards. The withdrawal must be as easy as giving consent. The data subject must also be informed about his or her right to withdraw consent anytime. Thus, the performance of a contract may not be made dependent upon the consent to process further personal data, which is not needed for the performance of that contract.įor consent to be informed and specific, the data subject must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations as a safeguard against ‘function creep’. In addition, a so-called “coupling prohibition” or “prohibition of coupling or tying” applies. For example, in an employer-employee relationship: The employee may worry that his refusal to consent may have severe negative consequences on his employment relationship, thus consent can only be a lawful basis for processing in a few exceptional circumstances. In doing so, the legal text takes a certain imbalance between the controller and the data subject into consideration. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid. The element “free” implies a real choice by the data subject. In order to obtain freely given consent, it must be given on a voluntary basis. Consent must be freely given, specific, informed and unambiguous. The basic requirements for the effectiveness of a valid legal consent are defined in Article 7 and specified further in recital 32 of the GDPR.
The others are: contract, legal obligations, vital interests of the data subject, public interest and legitimate interest as stated in Article 6(1) GDPR. While being one of the more well-known legal bases for processing personal data, consent is only one of six bases mentioned in the General Data Protection Regulation (GDPR). Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing.