Consent is one of the most important elements of the General Data Protection Regulation (GDPR). This is because data protection law generally prohibits the processing of personal data unless a legal provision permits it. The most important permissions are listed in Art. 6 para. 1 GDPR, and it is not without reason that consent is mentioned first.
Consent pursuant to Art. 4 No. 11 and Art. 7 GDPR
According to Art. 6 para. 1 lit. a GDPR, processing is lawful if the data subject has given consent to the processing of their personal data for one or more specific purposes.
The requirements for lawful consent are specified in Art. 4 No. 11 and Art. 7 GDPR.
Consent must be given voluntarily
This means that the data subject must have a genuine and free choice. They must be able to refuse or withdraw their consent at any time without suffering any disadvantage (see also recital 42 GDPR).
This is generally not the case if the performance of a contract is made conditional on consent to data processing that is not necessary for performing that contract (Art. 7 para. 4 in conjunction with recital 43 GDPR, prohibition of tying).
Furthermore, consent is not an effective legal basis if there is a clear imbalance between the data subject and the controller, so that it is unlikely that consent was given freely. Such an imbalance may exist, for example, vis-à-vis a public authority or, in an employment relationship, vis-à-vis the employer.
Active declaration of intent required
Consent requires an unambiguous indication of the data subject's wishes. Written form is not required: the affirmative act can be made electronically, e.g. by clicking a box on a website, or orally. What is required is active conduct.
Pre-ticked boxes, silence or inactivity are therefore not sufficient. According to the European Data Protection Board, the same applies to scrolling on a website, swiping on a smartphone or tablet, and the mere continued use of a service: none of these is an affirmative act.
Consent must be given in an informed manner
Recital 42 GDPR stipulates in particular that a declaration of consent pre-formulated by the controller must be provided in an intelligible and easily accessible form, using clear and plain language, and must not contain unfair terms. The data subject must at least be aware of the identity of the controller and the purposes for which their personal data is to be processed.
Furthermore, according to the European Data Protection Board, the data subject must be informed about the type of data processed, about their right to withdraw consent at any time, about the use of data for automated decision-making, if applicable, and about the possible risks of data transfer to third countries without an adequacy decision and without appropriate safeguards in accordance with Art. 46 GDPR.
Controller's obligation to demonstrate consent
According to Art. 7 para. 1 GDPR, the controller must be able to demonstrate that the data subject has consented. This is a specific expression of the accountability principle in Art. 5 para. 2 GDPR and applies generally, not merely as a burden-of-proof rule when the existence of consent is disputed.
Proof of consent must therefore also be available during inspections by the supervisory authorities. Where consent is given electronically, the controller must ensure that it is logged: who consented, when, to which wording and by which action. A mere reference to the proper design of the website, without proof of the consent actually given in the individual case, is not sufficient.
The controller must also take appropriate technical and organisational measures to ensure that the data protection principles, including accountability, are implemented. To this end, they must use systems that provide data protection by design and data protection-friendly default settings (Art. 25 GDPR).
Right to withdraw consent
The data subject has the right to withdraw consent at any time (Art. 7 para. 3 GDPR). Withdrawal takes effect for the future; processing carried out on the basis of consent before its withdrawal remains lawful.
The data subject must be informed of the right to withdraw before giving consent, and withdrawing consent must be as easy as giving it. Consent obtained before the GDPR became applicable on 25 May 2018 remains valid according to recital 171 GDPR, provided the manner in which it was obtained already met the conditions of the GDPR; otherwise it must be obtained afresh.
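The logging obligation above (who consented, when, to which wording, by which act) and the forward-only effect of withdrawal can be implemented as a small append-only consent ledger. The following Python code is an added example for this article, not code from the original text or from any product; the event fields, the set of mechanisms treated as affirmative acts, the hash chain and the use of ISO 8601 UTC strings as timestamps are assumptions made for the illustration.

```python
"""Illustrative hash-chained consent ledger (added example, not from the article)."""
import hashlib
import json

# Only these mechanisms are treated as an affirmative act (assumption for this example).
# Pre-ticked boxes, silence, inactivity, scrolling, swiping and "continued use" are
# deliberately absent, so they can never be recorded as consent.
AFFIRMATIVE_MECHANISMS = {"checkbox_click", "button_click", "verbal_recorded", "signed_form"}

GENESIS = "0" * 64  # prev_hash of the first event


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def _event_hash(event: dict) -> str:
    """Hash every field except event_hash itself, in a canonical JSON encoding."""
    body = {k: v for k, v in event.items() if k != "event_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")))


class ConsentLedger:
    """Append-only log of consent given and withdrawn, one hash chain per ledger.

    Timestamps are ISO 8601 UTC strings such as "2024-05-01T10:00:00Z"; in that fixed
    format plain string comparison is chronological. Events are assumed to be appended
    in chronological order.
    """

    def __init__(self) -> None:
        self._events: list = []

    def _append(self, **fields) -> dict:
        prev = self._events[-1]["event_hash"] if self._events else GENESIS
        event = dict(fields, prev_hash=prev)
        event["event_hash"] = _event_hash(event)
        self._events.append(event)
        return event

    def record_consent(self, subject_id, purpose, consent_text, text_version,
                       mechanism, at, pre_ticked=False, withdrawal_notice_shown=True):
        """Record consent only if the way it was captured could be valid at all."""
        if mechanism not in AFFIRMATIVE_MECHANISMS:
            raise ValueError(f"{mechanism!r} is not an affirmative act; consent not recorded")
        if pre_ticked:
            raise ValueError("pre-ticked box is not an active declaration; consent not recorded")
        if not withdrawal_notice_shown:
            raise ValueError("subject must be told of the right to withdraw before consenting")
        # Store a hash of the exact wording shown, so the version can be proven later.
        return self._append(subject_id=subject_id, purpose=purpose, action="given", at=at,
                            mechanism=mechanism, text_version=text_version,
                            text_sha256=sha256_hex(consent_text))

    def record_withdrawal(self, subject_id, purpose, at, mechanism):
        return self._append(subject_id=subject_id, purpose=purpose, action="withdrawn", at=at,
                            mechanism=mechanism, text_version=None, text_sha256=None)

    def covers(self, subject_id, purpose, at) -> bool:
        """Was processing for this subject and purpose at time `at` based on consent?

        Only events up to and including `at` count: withdrawal takes effect for the
        future, so processing done before the withdrawal stays covered.
        """
        state = False
        for e in self._events:
            if e["subject_id"] == subject_id and e["purpose"] == purpose and e["at"] <= at:
                state = e["action"] == "given"
        return state

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited or removed event breaks the chain."""
        prev = GENESIS
        for e in self._events:
            if e["prev_hash"] != prev or _event_hash(e) != e["event_hash"]:
                return False
            prev = e["event_hash"]
        return True

    def evidence(self, subject_id, purpose) -> list:
        """The per-subject record a controller would produce to demonstrate consent."""
        return [dict(e) for e in self._events
                if e["subject_id"] == subject_id and e["purpose"] == purpose]
```

The ledger refuses to record anything that could not be valid consent in the first place (non-affirmative mechanism, pre-ticked box, missing withdrawal notice), stores a hash of the wording actually shown rather than a pointer to "the current privacy text", and answers the question a supervisory authority asks: was this processing, at this point in time, covered by consent? Each event also carries the hash of its predecessor, so the log can show it has not been altered after the fact.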
Consequences of ineffective consent
Consent that does not meet the requirements described above is invalid and cannot be used as a legal basis for data processing.
In that case the processing generally cannot simply be rebased on another legal basis, such as the legitimate interests of the controller or a third party (Art. 6 para. 1 lit. f GDPR). The controller is bound by the principles of fairness and transparency (Art. 5 para. 1 lit. a GDPR) and may not switch arbitrarily between consent and other legal bases after the fact.
If the consent proves to be invalid, or if the controller cannot demonstrate that consent was given, the processing based on it is unlawful.
Infringements of the basic principles for processing, including the conditions for consent, can be fined by the competent supervisory authority under Art. 83 para. 5 lit. a GDPR. In addition, depending on the circumstances of the individual case, the data subject may claim damages (Art. 82 GDPR).