The Consent is one of the most important elements of the General Data Protection Regulation (GDPR). This is because Data protectionthat the Processing of personal data is prohibited. Unless the Processing is permitted by law. The most important exceptions can be found in Art. 6 para. 1 GDPR - and it is not without reason that the Consent is mentioned in first place.
Consent pursuant to Art. 4 No. 11 and Art. 7 GDPR
According to Art. 6 para. 1 lit. a, the Processing lawful if the affected Person their Consent to the Processing of the personal data concerning them for one or more specific purposes.
The requirements for a lawful Consent are set out in Art. 4 No. 11 and Art. 7 GDPR concretized.
Consent must be given voluntarily
This means that the affected person must have a genuine and free choice. She must have the Consent or revoke it at any time without any disadvantages - see also recital 42 of the GDPR.
This is generally not the case if the fulfillment of a contract depends on the Consent to data processing that is not necessary for the performance of the contract (Art. 7 (4) in conjunction with Recital 43 GDPRprohibition of coupling).
In addition, a Consent does not constitute an effective legal basis if there is a clear imbalance between the data subject and the controller and it is therefore unlikely that the Consent was given voluntarily. An imbalance can exist, for example, vis-à-vis authorities or in the employment relationship vis-à-vis the employer.
Active declaration of intent required
It requires an unequivocal expression of will by the person concerned that he or she agrees with the Processing is in agreement. The written form is not required. The confirming action can also be carried out electronically, e.g. by "clicking" a box on the Internet, or verbally. However, active behavior is required.
Pre-filled boxes or the mere continued use of a service are just as insufficient as scrolling on a website or swiping on a smartphone or tablet. According to the European Data Protection Board, this also does not apply to the mere continued use of a service.
Consent must be given in an informed manner
In recital 42 of the GDPR is based in particular on the fact that a declaration of consent pre-formulated by the controller is provided in an understandable and easily accessible form in clear and simple language and does not contain any ambiguous clauses. The affected person must at least be informed about who the Responsible persons and the purposes for which your personal data is to be processed.
In addition, the affected the European Data Protection Board about the nature of the data being processed, about their right to object to the Consent revoke at any time, where applicable, on the use of the data for automated decision-making and on the possible risks of data transfer to third countries without an adequacy decision and without Suitable guarantees pursuant to Art. 46 GDPR be informed.
Reading tip: Right of access in the GDPR - current ECJ case law and EDPB guidelines
Obligation of the person responsible to provide evidence
The Responsible persons is according to Art. 7 para. 1 GDPR expressly undertakes to ensure that the Consent to be able to provide evidence. This obligation is related to the obligation set out in Art. 5 para. 2 GDPR regulated accountability. This does not only apply in the sense of a burden of proof rule if the existence of a Consent is disputed, but in general.
It must therefore also be possible to provide proof of consent granted in the event of inspections by the supervisory authorities. If the Consent electronically, the Responsible persons ensure that the Consent is logged. It is not sufficient, for example, to merely refer to the proper design of the corresponding website without providing proof of the actual design in individual cases. Consent to lead.
The Responsible persons must also be supported by suitable Technical and organizational measures ensure that the data protection principles, in particular accountability, are implemented. To this end, it must use technical systems that enable data protection through technology design and data protection-friendly default settings.
Right to withdraw consent
The Affected parties has the right to Consent revoked at any time. The Revocation has effect for the future. Processing that took place in the past due to the Consent therefore remain lawful.
The revocability of the Consent the Responsible persons before submitting the Consent point out. The Revocation must be as simple as issuing the Consent be. Before the applicability of the GDPR Consents granted are effective in accordance with Art. 171 GDPR provided that their nature meets the requirements of the GDPR correspond.
Consequences of ineffective consent
One Consentwhich does not meet the requirements described above is invalid and cannot be used as a legal basis for data processing.
To base the data processing in this case on another legal basis, such as the protection of legitimate interests of the controller or a third party (Art. 6 para. 1 lit. f GDPR) is fundamentally inadmissible. This is because the Responsible persons has applied the principles of fairness and Transparency must be observed (Art. 5 para. 1 lit. a GDPR). An arbitrary change between Consent and others Legal basis is not possible.
If the Consent as ineffective or can the Responsible persons the existence of the Consent the data processing based on it is unlawful.
Violations of the principles of Processing including the conditions for consent, may be amended in accordance with Art. 83 para. 5 lit. a GDPR from the responsible Supervisory authority with a Fine be punished. In addition, depending on the circumstances of the individual case, the person concerned may also be entitled to claim damages.
German 
English 
Italian 
French