
To process personal data, the data processor, in their role as a data controller, needs
to have a legal basis.

For many organisations, this means processing is based on the freely given and
informed consent of the user (which should be documented to help demonstrate
compliance).

When must we have consent?


You are likely to need to consider consent when no other lawful basis
obviously applies. For example, this may be the case if you want to use or
share someone’s data in a particularly unexpected or potentially intrusive
way, or in a way that is incompatible with your original purpose.

If you are using special category data, you may need to seek explicit
consent to legitimise the processing, unless one of the other specific
conditions in Article 9(2) applies. Note that some of the other conditions still
require you to consider consent first, or to get consent for some elements of
your processing. For example, if you are a not-for-profit body and you choose
to rely on Article 9(2)(d), you still need explicit consent to disclose the data
to any third party controllers.

You are also likely to need consent under e-privacy laws for many types of
marketing calls and marketing messages, website cookies or other online
tracking methods, or to install apps or other software on people’s devices.
These rules are currently found in the Privacy and Electronic Communications
Regulations 2003 (PECR). The EU is in the process of replacing the current
e-privacy law (and therefore PECR) with a new e-privacy Regulation (ePR).
However, the new ePR is yet to be agreed. The existing PECR rules continue
to apply until the ePR is finalised, but will apply the GDPR definition of
consent.

If you need consent under e-privacy laws to send a marketing message, then
in practice consent is also the appropriate lawful basis under the GDPR. If
e-privacy laws don’t require consent for marketing, you may be able to
consider legitimate interests instead.

If you need consent to place cookies, this needs to meet the GDPR standard.
However, you may still be able to consider an alternative lawful basis such as
legitimate interests for any associated processing of personal data.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/consent/when-is-consent-appropriate/

What are the alternatives to consent?

If you are looking for another lawful basis, these are set out in Article 6(1).
In summary, you can process personal data without consent if it’s necessary
for:

- A contract with the individual: for example, to supply goods or services
they have requested, or to fulfil your obligations under an employment
contract. This also includes steps taken at their request before entering into a
contract.

- Compliance with a legal obligation: if you are required by UK or EU law to
process the data for a particular purpose, you can.

- Vital interests: you can process personal data if it’s necessary to protect
someone’s life. This could be the life of the data subject or someone else.

- A public task: if you need to process personal data to carry out your official
functions or a task in the public interest – and you have a legal basis for the
processing under UK law – you can. If you are a UK public authority, our view
is that this is likely to give you a lawful basis for many if not all of your
activities.

- Legitimate interests: you can process personal data without consent if you
need to do so for a genuine and legitimate reason (including commercial
benefit), unless this is outweighed by the individual’s rights and interests.
Please note however that public authorities are restricted in their ability to
use this basis.

Private-sector or third-sector organisations will often be able to consider the
‘legitimate interests’ basis in Article 6(1)(f) if they find it hard to meet the
standard for consent and no other specific basis applies. This recognises that
you may have good reason to process someone’s personal data without their
consent – but you must avoid doing anything they would not expect, ensure
there is no unwarranted impact on them, and that you are still fair,
transparent and accountable.

If you are a public authority and can demonstrate that the processing is to
perform your official functions as set down in UK law, then the ‘public task’
basis is likely to be more appropriate. If not, you may still be able to consider
legitimate interests or one of the other bases. As always, you need to ensure
you are fair, transparent and accountable.

If you are looking for other conditions for processing special category data,
these are set out in Article 9(2) (supplemented by the Data Protection Act
2018). These are more limited and specific, and for example they include
provisions covering employment law, health and social care, and research.
See our guidance on special category data for more information.
The Guide to GDPR also contains more guidance on the rules for restricted
processing, automated decision-making (including profiling), and overseas
transfers.

Remember that even if you are not asking for consent, you still need to
provide clear and comprehensive information about how you use personal
data to comply with the right to be informed.

PROCESSING

Processing personal data is generally prohibited, unless it is expressly allowed by law, or the
data subject has consented to the processing. While being one of the more well-known
legal bases for processing personal data, consent is only one of six bases mentioned in the
General Data Protection Regulation (GDPR). The others are: contract, legal obligations,
vital interests of the data subject, public interest and legitimate interest as stated in Article
6(1) GDPR.

The basic requirements for the effectiveness of a valid legal consent are defined in Article 7
and specified further in recital 32 of the GDPR. Consent must be freely given, specific,
informed and unambiguous. In order to obtain freely given consent, it must be given on a
voluntary basis. The element “free” implies a real choice by the data subject. Any element
of inappropriate pressure or influence which could affect the outcome of that choice
renders the consent invalid. In doing so, the legal text takes a certain imbalance between
the controller and the data subject into consideration. For example, in an
employer-employee relationship: the employee may worry that his refusal to consent may have
severe negative consequences on his employment relationship, thus consent can only be a
lawful basis for processing in a few exceptional circumstances. In addition, a so-called
“coupling prohibition” or “prohibition of coupling or tying” applies. Thus, the performance
of a contract may not be made dependent upon the consent to process further personal
data, which is not needed for the performance of that contract.

For consent to be informed and specific, the data subject must at least be notified about the
controller’s identity, what kind of data will be processed, how it will be used and the
purpose of the processing operations as a safeguard against ‘function creep’. The data
subject must also be informed about his or her right to withdraw consent anytime. The
withdrawal must be as easy as giving consent. Where relevant, the controller also has to
inform about the use of the data for automated decision-making, the possible risks of data
transfers due to absence of an adequacy decision or other appropriate safeguards.

The consent must be bound to one or several specified purposes which must then be
sufficiently explained. If the consent should legitimise the processing of special categories
of personal data, the information for the data subject must expressly refer to this.

There must always be a clear distinction between the information needed for the informed
consent and information about other contractual matters.

Last but not least, consent must be unambiguous, which means it requires either a
statement or a clear affirmative act. Consent cannot be implied and must always be given
through an opt-in, a declaration or an active motion, so that there is no misunderstanding
that the data subject has consented to the particular processing. That being said, there is no
form requirement for consent, even if written consent is recommended due to the
accountability of the controller. It can therefore also be given in electronic form.

In this regard, consent of children and adolescents in relation to information society services is a
special case. For those who are under the age of 16, there is an additional consent or
authorisation requirement from the holder of parental responsibility. The age limit is
subject to a flexibility clause. Member States may provide for a lower age by national law,
provided that such age is not below the age of 13 years. When a service offering is explicitly
not addressed to children, it is freed of this rule. However, this does not apply to offers
which are addressed to both children and adults.

As one can see, consent is not a silver bullet when it comes to the processing of personal
data, especially considering that the European data protection authorities have made it
clear “that if a controller chooses to rely on consent for any part of the processing, they
must be prepared to respect that choice and stop that part of the processing if an individual
withdraws consent.” Strictly interpreted, this means the controller is not allowed to switch
from the legal basis consent to legitimate interest once the data subject withdraws his
consent. This applies even if a valid legitimate interest existed initially. Therefore, consent
should always be chosen as a last option for processing personal data.

Suitable GDPR articles

Art. 4 GDPR Definitions
Art. 6 GDPR Lawfulness of processing
Art. 7 GDPR Conditions for consent
Art. 8 GDPR Conditions applicable to child's consent in relation to information society services
Art. 9 GDPR Processing of special categories of personal data
Art. 22 GDPR Automated individual decision-making, including profiling
Art. 49 GDPR Derogations for specific situations

What makes consent a consent

In order to understand when consent is valid, a number of requirements must be
met.

Freely given
Users cannot be forced to provide consent. It is up to the user to make the choice.
Consent cannot be the sole prerequisite to enter into an agreement. Otherwise,
consent is not valid. There is no way to, e.g., bundle a number of services into a
package and simply provide an “I agree” tick-box.
A Tamagotchi-like cat app does not need access to all contacts in the address
book in order to operate.

One of the most important tasks in preparing for the GDPR will thus be a
careful analysis of all contracts and systems to see whether consent was a prerequisite for
using them. Consents of this kind may mean that the organization will be processing
data without any justification (if based on invalid consents) from May 2018 onwards.

Pay attention to the important concept of power imbalance. Employers cannot
force employees to consent to, e.g., the processing of their personal data for
arbitrary reasons. The same goes for various institutions, ministries, universities, and so on.
Situations of this kind invalidate consent.

Granularity

There are good reasons to split services into sub-services, each of these requiring
specific consent - for different purposes. In this way, it is convenient to obtain
particular consents for a particular data use purpose.

The best examples are overly generic consent forms such as “we will use the data to
improve our services” (what services, how?), or “we will use the data for scientific
research” (what kinds of research?).

This point may also concern permissions to use specific components of a smartphone
or browser. If you don’t need to use something, don’t.

Consent withdrawal

The GDPR requires offering an option to easily withdraw consent. Users will be able to
simply inform organizations that they no longer wish to have their data
processed. Organizations must support these requests in a timely manner.
Furthermore, users must be well aware of this option. There should also be no
costs (not necessarily monetary ones) associated with such a user decision.

Specific
Consent for private data processing is only valid if it’s granted for particular use
cases. In other words, data must be collected with a specific purpose. This is called
purpose limitation. Purposes must be clearly communicated to users. This
requirement is another one that supports “granular” consents.
For example, this protects against an internet service provider selling user
data to third parties in order to provide personalized services. Banks are likewise unable to
use consent as a means of making users share data with other organizations.

This is again a great place to speak about browsers and smartphone apps. If I allow
a website to access geolocation via my browser, this means only that: no other data
should be provided without my knowledge. This is where things get
complicated for, e.g., web browsers.

Informed
This important point is about transparency. Users must be made aware of the
purposes of data collection, how the data will be used, and so on.

Returning to the example of a website asking for permission to use geolocation
via a web browser: note that the Geolocation API
(https://www.w3.org/TR/geolocation-API/) does not provide any way to state the
purpose for which access to geolocation is needed. There are more such issues
with web browsers, since no current browser seems to support displaying a
purpose description when a request to access a low-level sensor is made.
In other words, web browsers do not currently meet the privacy and transparency
requirements of the GDPR. Websites need to make their own custom, non-standard
workarounds. Browser prompts are not consents.
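As an added example (not code from the original page), the kind of site-side workaround described above: the browser's Geolocation prompt is treated only as a technical permission, and the site keeps its own purpose-specific, documented and withdrawable consent record, calling the API only when consent for the stated purpose is on record. The `ConsentStore`, `requestPositionForPurpose` and the purpose names are assumed names for illustration; the `fakeGeolocation` object is a constructed stand-in for `navigator.geolocation` so the flow can be run outside a browser.

```javascript
// Added example, not from the original page: a site-side consent gate in front of
// the browser Geolocation API. The browser prompt carries no purpose text, so the
// site records consent per purpose itself (granular, informed, withdrawable).

// One record per purpose (granular consent), each with an explicit affirmative act,
// the version of the notice the user saw (informed) and timestamps (accountability).
class ConsentStore {
  constructor() { this.records = new Map(); }
  grant(purpose, noticeVersion) {
    this.records.set(purpose, { granted: true, noticeVersion, grantedAt: Date.now(), withdrawnAt: null });
  }
  // Withdrawal must be as easy as giving consent: one call, no conditions attached.
  withdraw(purpose) {
    const r = this.records.get(purpose);
    if (r && r.granted) { r.granted = false; r.withdrawnAt = Date.now(); }
  }
  has(purpose) {
    const r = this.records.get(purpose);
    return r !== undefined && r.granted;
  }
}

// Ask for a position only for a named purpose, and only if consent for exactly that
// purpose is recorded. Returns true if the browser API was invoked, false if refused.
// `geolocation` is injectable so the gate can run outside a browser; it defaults to the
// real navigator.geolocation (assumed to exist in a browser context).
function requestPositionForPurpose(store, purpose, onResult,
                                   geolocation = globalThis.navigator && globalThis.navigator.geolocation) {
  if (!store.has(purpose)) {
    // No consent for this purpose: do not even trigger the browser prompt.
    onResult({ ok: false, reason: 'no-consent', purpose });
    return false;
  }
  if (!geolocation) {
    onResult({ ok: false, reason: 'unsupported', purpose });
    return false;
  }
  geolocation.getCurrentPosition(
    (pos) => onResult({ ok: true, purpose, coords: pos.coords }),
    (err) => onResult({ ok: false, reason: 'browser-denied', purpose, code: err.code })
  );
  return true;
}

// Constructed stand-in for navigator.geolocation so the gate can be exercised offline.
const fakeGeolocation = {
  getCurrentPosition(success) {
    success({ coords: { latitude: 51.5, longitude: -0.12 } }); // constructed sample coordinates
  }
};
```

Note that the gate refuses a purpose the user never consented to even when another purpose is on record, and refuses again after withdrawal, while the record keeps both timestamps for accountability.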
