Skip to main content
Datenschutz / DSGVO

Consent

A freely given, specific, informed, and unambiguous indication of a data subject's wishes, as required by Art. 7 GDPR.

Consent is one of the six lawful bases for processing personal data under Art. 6(1)(a) GDPR. For consent to be valid, it must be freely given, specific, informed, and unambiguous. "Unambiguous" means that an active act by the data subject is required — pre-ticked boxes or silence do not constitute valid consent. For special categories of personal data under Art. 9 GDPR, consent must be explicit.

Freely given is a particularly critical element: where there is a clear imbalance of power between the data subject and the controller — for example in an employment relationship — consent is generally not considered to have been freely given. Data subjects must also be able to withdraw their consent at any time without suffering any detriment, and withdrawal must be as easy as giving consent. Under Art. 7(1) GDPR, the controller must be able to demonstrate that the data subject has consented.

In practice, consent should not be used as a default legal basis when another basis — such as the performance of a contract under Art. 6(1)(b) or a legitimate interest under Art. 6(1)(f) GDPR — is more appropriate. Consent that is obtained improperly or carelessly can render the entire processing unlawful. Compliance officers must therefore ensure that all consents are documented, including the time, content, and method of consent, and that records are maintained in a way that withstands regulatory scrutiny.

Legal Basis

Art. 7 GDPR

Practical Example

Your organisation runs a newsletter and wants to start sending subscribers personalised product recommendations based on their purchase history. As compliance officer, you assess whether the existing newsletter consent covers this purpose. You find that the original consent only covered general newsletter content, not profiling-based personalisation. You recommend obtaining a new, specific consent that clearly describes the profiling purpose and informs subscribers of their right to withdraw. A double opt-in process ensures that consent is demonstrable and freely given.

FAQ

Valid consent must be freely given, specific, informed, and unambiguous. It requires an active act by the data subject — silence or pre-ticked boxes are insufficient. The controller must also be able to document and demonstrate that consent was given.
Yes, consent can be withdrawn at any time without giving reasons. Withdrawal must be as easy as giving consent. After withdrawal, further processing on the basis of that consent is unlawful — but processing already carried out before withdrawal remains lawful.
Only in limited circumstances. Due to the power imbalance between employer and employee, consent in the employment context is scrutinised carefully. Consent is valid only if the employee receives a genuine benefit or faces no disadvantage for refusing. When in doubt, other legal bases should be used.

How preeco supports you

Learn how our software supports you with this topic.

Learn more

Related Terms

Personal Data Data Subject Rights Accountability Data Protection Compliance Data Breach
Back to Glossary