Intro: What is meant by consent, what function does it have and what must be taken into account when implementing it?
To-Dos: What is the specific procedure for obtaining consent and the associated obligations?
Statements: What have the data protection supervisory authorities published on the subject of consent?
Traditionally, consent is seen as a core element of data protection, as it grants the person the explicit right to say “yes” or “no” to the processing of their data. This absolute right to refrain from confirming a processing operation or – from the business’s perspective even worse – to withdraw consent that had once been given is the main reason why, for most processing operations, consent is not a suitable legal basis.
Furthermore, where the data subject is existentially dependent on the controller, consent must often be deemed invalid. This is regularly the case for many processing operations in the employment context, because the employee is, objectively speaking, not in a position to agree voluntarily.
As a result, consent should be obtained only if the following three prerequisites are met: (1) the potential confirmation of the data subject can, in the absence of any explicit or implicit pressure, be deemed voluntary; (2) the processing is not indispensable for the company; and (3) it is organizationally and technically feasible to exclude from the processing those data subjects who are either not willing to consent or who, at a later stage, withdraw their permission. Marketing-related processing is a typical case in which these criteria are met.
Only in exceptional cases – especially where special categories of data according to Art. 9 GDPR are processed – must consent be sought even though the processing is indispensable for the controller.
In the sense of the GDPR, valid consent requires a “clear affirmative action” (Recital 32, sentence 1). This means “a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
Despite the possibility of “unwritten” consent (e.g. oral, see above), recorded consent is highly recommended as Art. 7 Para. 1 GDPR expects the controller to be able to prove the person’s assent. There should thus be no doubt about their positive attitude towards the data processing. This, in turn, requires the person to be fully aware of essential processing circumstances such as the purpose(s), the data categories and the data recipients. This information must be given in a clear and specific way.
According to Art. 13 Para. 2 lit. c GDPR, the data subject must also be informed of their right to withdraw consent at any time “without affecting the lawfulness of processing based on consent before its withdrawal”.
According to Art. 7 Para. 4 GDPR, granting consent must not, without necessity, be made a condition for the performance of a contract. Likewise, it is not permissible to bundle multiple, different purposes in a consent form that seeks just one approval; each independent purpose must be independently approvable.
Process for lawful data processing based on consent
A consent directive should describe the way consent is to be obtained and how withdrawals are to be implemented.
Lawful consent obtainment
Where consent is deemed the suitable legal basis, it must be ensured that it is sought in a lawful way. This may be facilitated by consent templates that are adapted to the individual case.
Consent management system
A consent management system should be implemented to ensure that the data subject may withdraw their consent at any time.
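The three steps above (a consent directive, lawful obtainment with recorded evidence, and a management system that honours withdrawals) can be illustrated with a minimal per-purpose consent ledger. This is an added example, not code from the original page or from any particular consent management product; the ConsentLedger class, its method names and the sample subject and purposes are all constructed for the illustration. It encodes the requirements stated earlier on the page: one record per independent purpose (no bundling), recorded evidence and the version of the information shown (provability under Art. 7 Para. 1), and a withdrawal that stops future processing without affecting the lawfulness of processing that took place before it.

```python
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    """One consent for one independent purpose (hypothetical schema)."""
    subject_id: str
    purpose: str                    # each purpose is consented to separately
    granted_at: datetime
    evidence: str                   # how the affirmative action was captured
    info_version: str               # version of the purpose/categories/recipients text shown
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only register of per-purpose consents (constructed example)."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def grant(self, subject_id: str, purpose: str, evidence: str,
              info_version: str, at: datetime) -> ConsentRecord:
        # Unrecorded consent cannot be proven later, so refuse to store it.
        if not evidence or not info_version:
            raise ValueError("consent must carry recorded evidence and the information version shown")
        rec = ConsentRecord(subject_id, purpose, at, evidence, info_version)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Mark every active consent for this subject and purpose as withdrawn.

        The record is kept, not deleted: it remains the evidence that
        processing before `at` was lawful.
        """
        changed = False
        for rec in self._records:
            if (rec.subject_id == subject_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = at
                changed = True
        return changed

    def is_permitted(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """True if a consent for exactly this purpose was active at time `at`."""
        for rec in self._records:
            if rec.subject_id != subject_id or rec.purpose != purpose:
                continue
            if rec.granted_at <= at and (rec.withdrawn_at is None or at < rec.withdrawn_at):
                return True
        return False

    def evidence_for(self, subject_id: str) -> list[dict]:
        """Export everything the controller could present to prove consent."""
        return [asdict(r) for r in self._records if r.subject_id == subject_id]


def demo() -> dict:
    """Walk through grant, use, withdrawal and a bundling check on constructed data."""
    t = lambda h: datetime(2024, 1, 1, h, tzinfo=timezone.utc)  # constructed timestamps
    ledger = ConsentLedger()
    # Consent for one purpose only, with evidence of the affirmative action.
    ledger.grant("subject-42", "newsletter", "web form, checkbox ticked, IP logged", "v3", t(9))
    before = ledger.is_permitted("subject-42", "newsletter", t(10))
    # A different purpose was never consented to; the newsletter consent does not cover it.
    other = ledger.is_permitted("subject-42", "profiling", t(10))
    withdrawn = ledger.withdraw("subject-42", "newsletter", t(12))
    after = ledger.is_permitted("subject-42", "newsletter", t(13))
    # Lawfulness of processing before the withdrawal is unaffected.
    still_lawful_earlier = ledger.is_permitted("subject-42", "newsletter", t(10))
    return {
        "before": before, "other_purpose": other, "withdrawn": withdrawn,
        "after": after, "earlier_still_lawful": still_lawful_earlier,
        "evidence_count": len(ledger.evidence_for("subject-42")),
    }


if __name__ == "__main__":
    print(demo())
```

Because withdrawal only sets a timestamp, `is_permitted` can answer both "may we process now?" and "was this processing lawful at the time it happened?", which is what an audit or a supervisory authority enquiry will ask for.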