Consent indicates that the individual is agreeing to and permitting the processing of his/her personal data. Consent is one of the six legal bases for processing personal data under GDPR Article 6.  When you are in a situation of consent, this means that consent is chosen as the lawful basis for processing personal data.

Under GDPR consent must be expressed. Consent obtained through pre-ticked boxes is not considered valid.

While processing personal data of children below the age of 16 years, consent of parent or guardian is required for the processing to be lawful.

But consent cannot be relied upon in certain situations where there is a power imbalance between the data controller and the data processor. In such situations, there is a possibility that the consent is not freely given and does not fulfil the conditions of a valid consent.

Consequences of choosing consent as a lawful basis

Where the processing is based on consent, the data controller must document the consent and keep an audit trail. The data controller must also provide the individuals with the right to withdraw consent at any time.

The onus of proof is on the data controller to demonstrate that the data subject gave consent and that consent was freely given, which is far from easy. The GDPR says in Article 7 (1)  

“where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”

Conditions for a valid consent

Article 7 of the GDPR describes the conditions for consent. Consent is valid when it is:

  • Unbundled – separate from other terms and conditions
  • Active opt-in – no pre-ticked boxes or implied consent
  • Granular – applied to separate processing and purposes
  • Named – all those relying on the consent must be named individually
  • Verifiable – records must be kept to prove what the consent was provided for
  • Easy to withdraw – just as easy as it was to provide
  • No imbalance of power – not available to public sector or employer/employee relationships
  • Refreshed – valid consent does not last forever

Types of consent


Checkbox/opt-in, double opt-in, a condition that you agree if you proceed, confirmation email.


A written legal document, attested with fingerprints/signature, and witness.

Methods for recording consent

Consent in an electronically readable format

A statement in an electronically readable format with e-signature, fingerprints data. Software data of opt-in and double opt-in, a confirmation email

Consent in written or printed form

A written document with signature, fingerprints

Explicit consent

GDPR requires explicit consent in certain situations where serious data protection risk emerge, hence, where a high level of individual control over personal data is deemed necessary. Explicit consent is required in the following three situations:

  • Special categories of personal data

Special categories of personal data and special types/circumstances of personal data processing. Special categories of personal data require a higher level of protection and increased control of individuals over their personal data. The GDPR says that processing of special categories of personal data is ‘prohibited’ but there are a few exceptions to it. One of these exceptions is when the data subject has given explicit consent for the processing of his/her personal data. According to Article 9 (2)(a): “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject”.

  • Automated individual decision-making, including profiling

GDPR Article 22 The GDPR states that “the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”.  One exception to this rule is that this doesn’t apply when this type of data processing is based on the explicit consent of the data subject.

  • Derogations in international data transfers

Derogations are exemptions/permission for international data transfers in the absence of an adequacy decision or appropriate security measures. One of these exemptions is that the data subject has given explicit consent for the processing of their personal data.  The GDPR Article 49 (1)(a) says:  “The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.”  In this case, explicit consent to the data transfer can take place after all if the data subject has been adequately informed of the risks of consenting to these kinds of transfers because of the lack of, among others, an appropriate safeguard as is mentioned in Article 49.