GDPR consent definition
When someone gives you permission to process their personal data for a specific purpose, that is consent. Under GDPR, consent is one of the lawful bases for processing personal data. Article 4(11) GDPR defines valid consent as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Do you always need consent?
Do you always need consent to collect personal data? The short answer is: No, you do not. In many cases, you already have another legal basis for collecting personal data. However, there will be times when getting consent is the best, and sometimes the only, way to collect data legally. For example, when asking for an email address in order to send newsletters or targeted marketing to your customers.
First, let’s briefly discuss your options for legal bases to collect data. Then, we’ll talk about some pros and cons of choosing consent as your legal basis for collecting data. Finally, we’ll see how to get consent properly.
Consent as legal basis
Here are the 6 acceptable legal bases (or lawful grounds) for processing personal data, according to GDPR Article 6(1), with a brief comment on when each may apply:
- Consent: The person has given you clear permission for a specific purpose. Use it when none of the following legal bases apply.
- Contracts: An agreement with the person to provide goods, services or employment.
- Legal obligations: In some cases, the law may oblige you to process personal data.
- The person’s vital interests: To protect their life or safety, perhaps in an emergency.
- Public interest: Most commonly, this basis would be used by government agencies.
- Legitimate interests: A good reason to process someone’s data that the person would reasonably expect and that has a minimal impact on their privacy.
You must identify at least one valid legal basis before you process personal data. You can rely on more than one, if they genuinely apply. Whether you choose one or several, document your choice in your policies and stick with it. You should not change your legal basis later without a good reason, and you cannot swap to another basis in order to keep processing after a person withdraws consent.
Should you choose explicit consent as your legal basis? Remember that no one legal basis is better, safer, or more important than the others. First, consider your purpose and your business relationship with the person you need data from. Then, choose the basis that is most appropriate.
Note that if you want to collect sensitive/special category data or criminal conviction data you need to identify both a lawful basis for general processing (Article 6) and an additional condition (for special category data, one of those in Article 9(2)). In that case, obtaining explicit consent in addition to the contract or legitimate interest you already rely on could be a good idea.
Example of a sensitive data processing consent
A person with a health condition gets a massage at a spa. The spa needs to collect some additional health information to safely provide the service. Health data counts as sensitive/special category data. Therefore, the spa needs both a lawful basis and an additional condition to collect it.
Since they need the health data to provide the service, the spa can consider their contract as a lawful basis to collect data. However, they could also get explicit consent as the additional condition, since the data is sensitive.
Pros and cons of getting consent
Getting explicit consent has its advantages in certain situations. It can potentially allow you to do just about anything with any type of data. For example, it can allow you to collect very personal data, use data for marketing or automated decision-making, and make overseas transfers even where there are no adequate safeguards (provided the person has been informed of the risks). Just make sure you explain clearly what you are going to do with the data.
This makes consent a great option when you do not have another legal basis for collecting the data. Asking people for consent can also show people they have control over how you use their data. It also gives them the ability to change their mind and withdraw consent. Choosing to get consent directly can make people feel more engaged with your company and encourage them to trust you with their data.
However, getting consent is not always the best option. If someone does withdraw their consent later, you will have to stop processing their data. You cannot switch your legal basis to keep using the data.
For example, suppose you had a valid legitimate interest to collect data from the start, but you chose to get consent. By doing so, you gave the person the impression they had a genuine choice and ongoing control over how you use their data. For that reason, you will have to stop using their data when they ask you to, in spite of your legitimate interest.
Therefore, consider alternatives like legitimate interest first, before relying solely on consent to process personal data. If consent is still the best option, make sure you obtain it properly and document it.
Do this before using consent to collect data
Before getting consent, check if another obvious legal basis applies. This should be easy to decide after reviewing your purpose for collecting data:
- Review your purposes for processing the data.
- Double-check that processing the data is necessary for that purpose.
- Decide whether you will use consent or another lawful basis (or bases) that apply.
- Check your privacy notice to make sure it includes all the above info.
- If you are collecting sensitive/special category data or criminal offense data, identify an additional condition and document it.
GDPR consent requirements
There are 5 principles of obtaining consent under GDPR:
1. Freely given
“Freely given” consent means you have not coerced, pressured or cornered the data subject. Do not make consent a condition of using your services unless the processing is genuinely necessary for that service. People need to be able to say no without losing anything.
2. Specific and informed
Provide clear and detailed information about your company, your purpose for collecting data, the types of data you collect, how long you will keep it, and any third parties with whom you will share it. Keep your consent forms separate. Don’t bundle them with other terms and conditions, contracts, or agreements.
3. Unambiguous
Get consent by a clear and affirmative action that signifies the individual’s agreement. For example, get them to tick a box, click an opt-in button, or sign a written statement. Do not use pre-ticked boxes or consider silence a valid form of consent.
4. Easy to withdraw
Let people know they have the right to withhold consent or to withdraw their consent at any time. Withdrawing consent should be as easy as giving consent and should not impose any undue burden on the individual.
5. Documented
If you use consent as your legal basis, you need to demonstrate that you obtained valid consent. Keep records of when and how consent was obtained, including the information you gave the person and your method for getting consent.
What makes a consent invalid
There are a few things that could make a consent questionable or even invalid:
❌ Employee/Employer power imbalance
Generally speaking, an employer wields more power than their employee. Therefore, asking your employees for consent can be problematic. Since the person may feel obligated to agree to you collecting their personal data, it’s hard to demonstrate that the consent was freely given.
❌ Out-of-date or hard-to-read policies
If you’ve started new marketing activities that involve people’s data, make sure you update your policies and consent forms. Do your policies and consent forms claim that you only use people’s contact information to provide services? If you are now using it to send newsletters, update your policies! While you are at it, skip the legal jargon and keep the text clear and simple.
❌ Pre-ticked boxes and big “yes” buttons
Do not use pre-ticked boxes, and do not make the “yes” option more prominent or easier to find than “no”. Unless a person ticks the consent box themselves, they have not actually consented.
❌ Changing your legal basis
Do not try to change your legal basis later if a person withdraws their consent. Giving people the impression that they had control and then claiming you had the right to keep their data based on another basis the whole time is unfair and it’s not allowed. Stop processing when the individual withdraws consent.
❌ Not having a records system
There are no specific rules for how you should keep your records. However, you must be able to demonstrate that you did get consent. Using tools that get consent and store it automatically is a good solution.
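The “Unambiguous” and “Documented” principles above, together with the point about a records system, are easier to see in code. What follows is an added example, not code from the original article or from DataMapper/ShareSimple: an append-only consent register that refuses anything that is not an affirmative action, records one purpose per event together with a fingerprint of the exact notice wording shown, makes withdrawal as easy as giving consent, and answers whether processing is still permitted afterwards. All names (ConsentRegister, the method labels, the subject id and the “newsletter” purpose) are assumptions made for the example.

```python
# Added example, not code from the article or from DataMapper/ShareSimple. Names such as
# ConsentRegister, the method labels and the "newsletter" purpose are illustrative assumptions.
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

# The only ways to obtain consent here are clear affirmative actions by the person.
AFFIRMATIVE_METHODS = {"unticked_checkbox", "opt_in_button", "signed_statement"}


class InvalidConsent(ValueError):
    """Raised when what is being recorded would not be valid consent under GDPR."""


def notice_fingerprint(notice_text: str) -> str:
    """SHA-256 of the exact wording shown, so the record proves what the person was told."""
    return hashlib.sha256(notice_text.encode("utf-8")).hexdigest()


def _stamp(now: Optional[datetime]) -> str:
    return (now or datetime.now(timezone.utc)).isoformat()


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the register: consent given, or consent withdrawn."""
    event: str                # "given" or "withdrawn"
    subject_id: str
    purpose: str              # exactly one purpose per event, never a bundle
    at: str                   # ISO 8601 UTC timestamp
    method: str = ""          # how consent was obtained ("given" events only)
    notice_version: str = ""  # which consent wording was shown
    notice_hash: str = ""     # fingerprint of that wording


class ConsentRegister:
    """Append-only log of consent events. Nothing is edited or deleted, so the history
    of what was agreed, when, and how can always be reproduced for an audit."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record_consent(self, subject_id: str, purpose: str, method: str,
                       notice_version: str, notice_text: str, acted_by_user: bool,
                       now: Optional[datetime] = None) -> ConsentEvent:
        if method not in AFFIRMATIVE_METHODS:
            raise InvalidConsent(f"{method!r} is not a clear affirmative action")
        if not acted_by_user:
            # Pre-ticked box, silence or inactivity: the person did nothing, so no consent.
            raise InvalidConsent("no affirmative action by the data subject")
        if not purpose or any(sep in purpose for sep in (",", ";", "+")):
            raise InvalidConsent("record one specific purpose per consent, not a bundle")
        ev = ConsentEvent("given", subject_id, purpose, _stamp(now), method,
                          notice_version, notice_fingerprint(notice_text))
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, now: Optional[datetime] = None) -> bool:
        """Withdrawal needs nothing but the identity and the purpose (as easy as giving it).
        Returns True if there was live consent to withdraw."""
        if not self.is_permitted(subject_id, purpose):
            return False
        self._events.append(ConsentEvent("withdrawn", subject_id, purpose, _stamp(now)))
        return True

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev
        return None

    def is_permitted(self, subject_id: str, purpose: str) -> bool:
        """True only while the most recent event for this subject and purpose is "given".
        Deliberately no fallback-basis parameter: once consent is withdrawn, processing
        for that purpose stops rather than being rescued by legitimate interest."""
        latest = self._latest(subject_id, purpose)
        return latest is not None and latest.event == "given"

    def evidence(self, subject_id: str) -> str:
        """JSON Lines dump of everything recorded for one person, for an audit or a
        subject access request."""
        return "\n".join(json.dumps(asdict(ev), sort_keys=True)
                         for ev in self._events if ev.subject_id == subject_id)


if __name__ == "__main__":
    # Constructed walk-through with a hypothetical subject and notice wording.
    reg = ConsentRegister()
    notice = "Tick the box to receive our monthly newsletter by email. Unsubscribe any time."
    reg.record_consent("subject-42", "newsletter", "unticked_checkbox", "v3", notice, True)
    print(reg.is_permitted("subject-42", "newsletter"))   # True
    reg.withdraw("subject-42", "newsletter")
    print(reg.is_permitted("subject-42", "newsletter"))   # False
    print(reg.evidence("subject-42"))
```

Storing the fingerprint of the notice wording, rather than only a version label, is what lets you later show exactly what the person agreed to even after the policy text has been updated; the register keeps the withdrawal as a separate event so the original consent and its evidence are never overwritten.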
Remember this when getting consent
Here are a few key takeaways that can help you use consent properly:
- Check if you have another more appropriate lawful basis
- Avoid making consent a precondition of service.
- If you go with consent, offer people real choice and control.
- If you get consent from employees, can you prove it was freely given?
- Check your policies and consent wording to make sure it is clear and accurate.
- Don’t use pre-ticked boxes or any other type of coercive consent.
- Separate consent forms from your other terms and conditions.
- Make it easy for people to withdraw consent and tell them how.
- Keep records of people’s consent.
If you’d like a safe way to collect personal data by email, with customisable consent forms that are automatically stored to document compliance, check out ShareSimple →
Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist