GDPR (9) Consent provided by data subjects

29 September 2017

Obtaining consent from data subjects provides the best legal basis for processing personal data. In practice, however, obtaining consent is by no means straightforward. Moreover, because the consent can be withdrawn at any time, this legal basis also entails an element of uncertainty.

Consent has played a part in privacy legislation for a long time, although the rules have become stricter over the years. At first, it was permissible to extract some kind of tacit consent, often as part of a more comprehensive contract and without a predetermined purpose. Later, allowing data subjects to withdraw consent (i.e. opt out) was made compulsory. Today, the GDPR imposes a whole string of conditions that need to be fulfilled in order for consent to be considered valid (opting in). Consent must be given voluntarily by an affirmative act, be informed, and be clear and specific, and must be able to be withdrawn just as easily as it is given.


Consent provided by a data subject cannot be used as a legal basis if there is an imbalance in the relationship between the controller and the data subject. This applies in the case of the relationship between an employee and an employer, for example, because the employee is not usually in a position to refuse consent.

In addition, consent may not be linked to the provision of a service unless the data are required directly for the fulfilment of the contract. In that case, however, contractual necessity provides the legal basis, and so, for the sake of clarity, it is best not to request consent. In addition, consent for the use of data in subsequent marketing and advertising campaigns may not form part of any contract that is to be concluded or any general terms and conditions. Such consent is only valid under the GDPR if it can be provided separately from the conclusion of the contract.


Data subjects must make a clear statement themselves or perform an affirmative act to indicate their consent for a specified processing operation. Any suitable approach or method may be used for this purpose. The GDPR summarises the most common methods, which are giving consent by means of an oral or written statement, ticking a box, and activating a setting in a browser or an app. A new development in this area of consent is that the GDPR explicitly specifies that silence and inactivity cannot constitute consent. Pre-ticked boxes, for example, are absolutely forbidden. Failure to make use of an opt-out function or unsubscribe button does not constitute valid consent either. This is an extremely important condition for all organisations that set up direct marketing campaigns.


Before you ask data subjects for their consent, they must be provided with detailed information about the identity of the controller, the planned processing operations, the purpose and legal basis, and the measures taken to protect their data. This must be done in an honest way, using clear and plain language. The purpose, the precise data that is required for that purpose, and the consent that is to be provided must all be clearly aligned. A detailed, comprehensive privacy statement is a suitable document for such communication. The information that needs to be included in the privacy statement and the best way to make it available to data subjects will be covered in a future instalment of this blog.

Specific and unambiguous

Consent for the processing of personal data is always given for a clear purpose. The controller therefore cannot use the data for any other purpose unless the new purpose very closely resembles the original one. A good example of such a purpose is contacting former or existing clients to inform them about a product or service that is closely related to a product or service they have already purchased.

You need to pay particular attention if you are considering combining data in a different way or using data for a completely different purpose. Data mining is problematic in this context. This technology is often used, for marketing purposes among other things, in order to discover potential patterns or unexpected associations in vast amounts of information, and so there is no predetermined purpose. The GDPR provides some room for flexibility in cases where data are reused, and the data subjects’ explicit consent can be requested the next time the data are used.

Consent can be withdrawn

In every case, data subjects must be informed that they can withdraw their consent at any time. The procedure for withdrawing consent must be as simple as the procedure for providing consent. Under the GDPR, the controller is now specifically required to arrange this.


While this approach is fair and logical, putting this obligation into practical effect is not always straightforward, not least because the GDPR requires that the controller can clearly demonstrate the data subjects did in fact give their consent. More specific tips on this will be provided in future instalments of this blog.

Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (CISM certified by the ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals).

If you have any questions or comments, please write to us at