"I agree to the processing of personal data." A sentence that is inherently linked to personal data. But it is a sentence that is usually used incorrectly and, in the context of the processing of personal data, completely redundantly. Do you really need consent to process personal data for your business? Let’s find out so you don’t end up doing things you don’t actually have to.
The GDPR is based on the principle of controller liability. In simple terms, this means that it is up to each controller (e.g. a business) to determine what it will process, how it will process personal data, and also which legal basis it will rely on for such processing.
Consent to the processing of personal data is one of the legal bases on which the controller may process personal data.
The controller must always carefully consider which legal basis to choose. In addition to consent, data may be processed, for example, because it is required by law, necessary for fulfilling contractual obligations, or based on a legitimate interest. The legal bases are specifically listed in Article 6 of the GDPR. It is the controller’s responsibility to select the appropriate basis—no one else can do it on their behalf.
Consent to processing should only be used where there is no other legal basis for the processing. So we can borrow and slightly modify the phrase of the Czech chef Jiří Babica: "If you have no other legal basis, then give consent."
Do you need to prepare your consent to the processing of personal data?
Contact us and we will be happy to prepare it for you.
However, always keep in mind that personal data is used for a specific purpose. Therefore, if the data is not needed for that purpose, even consent to the processing of personal data does not help, as logic and common sense dictate. If I, as a controller, want to track the exact location of an individual, I cannot process, for example, that person's religious beliefs on the basis of consent, because that data is not needed for the purpose. Therefore, Jirka Babica's sentence should be slightly modified: "If you have no other legal basis and you really need the data for the purpose, then put your consent there."
Typical examples in which controllers commonly use consents to process personal data (because no other legal basis is possible) are:
Not every processing of personal data requires consent. However, if you do need one, we’ve prepared the basic requirements such consent must meet.
Don’t forget to distinguish between the phrases “I agree to the processing of personal data” and “I agree to the personal data processing policy.” The first refers to the use of consent as a legal basis, while the second indicates a general acknowledgement of how personal data will be processed. In the latter case, it's more appropriate to use different wording—such as “I have been informed…” Using the wrong phrasing can be confusing for the data subject: are they giving consent for the processing, or are they merely being informed about what will happen with their data?
For instance, if you are processing personal data to fulfil a contractual obligation and want to inform the other party about how their data will be handled, it's advisable to include a sentence like: “I have been informed about the processing of personal data.”
On the other hand, if you're collecting personal data for large-scale marketing purposes, you’ll need to obtain explicit consent as a separate legal basis.
Do you need help with preparing information documentation? Get in touch. Along with the documentation, we will also look at the need for approvals and prepare the necessary wording and processes.
Consent to the processing of personal data must meet four fundamental requirements. It must be freely given, specific, informed, and represent an unambiguous indication of the data subject’s wishes.
Simply put: "No one can force me to give consent." Consent is not considered freely given if access to a service is made conditional on agreeing to data processing that is not necessary for the service itself.
A common example of consent that does not meet the freedom criterion is a mandatory checkbox for processing activities unrelated to the actual service. Recently, this kind of consent has been seen on media websites, where users are required to either give consent or pay a fee. However, current practice shows that such consent does not meet the standard of freely given consent and, according to preliminary interpretations, is not GDPR-compliant.
This issue also arises in employment relationships. The European Data Protection Board (EDPB) states in its guidelines that when consent is requested from employees, it is highly likely they may not be able to freely decide whether to grant it.
They might fear losing their job, bullying by their employer, or other negative consequences if they refuse to give consent.
That said, this does not mean an employer can never request consent from employees.
However, this is only acceptable if the employer does not pressure employees into giving consent and if no negative consequences arise from refusing. There must always be an alternative option available to the employee.
The EDPB illustrated this with a practical example:
To ensure that consent is freely given, it must be separated according to the specific purposes for which it is requested. A typical example would be obtaining consent from visitors to a platform that compares prices across different retailers, where the platform wants to collect email addresses for commercial communications and also share the data within a group of companies.
Consent to processing must always be given for specific purposes. We can illustrate this requirement with a practical example:
The Netflix platform may process personal data based on consent in order to provide its customers with personalized offers of new films, tailored to their viewing preferences. Later, the platform decides to allow other platforms and advertising companies to display ads in the customer's interface based on their viewing habits. This constitutes a new purpose, and new consent must be obtained for this processing. Consent is always granted for a specific and clearly defined purpose.
The processing of personal data should always be transparent. The controller must provide sufficient information to data subjects. The data subject should be given enough information to be able to say with confidence: "Okay, I trust you." The information must also be sufficiently distinguishable from other parts of the text.
According to the EDPB, for consent to be valid, the controller should provide the following information:
But how can all this mandatory information possibly fit into a tiny consent checkbox?
It doesn’t have to. The information can be layered. In the first layer—i.e. near the checkbox—it’s appropriate to include only the most essential information: who is processing the data, why, and what personal data is involved. There should then be a link to the full privacy policy, where the data subject can find more detailed information. Often, this additional information is presented in the privacy policy, and in such cases, it’s important to ensure that the consent-related information is clearly separated from the rest of the content.
“I consent to XY s.r.o. using my email address to send commercial messages related to hammer drills. Further details about data processing can be found here.”
Do you want to prepare the text of the consents and information documentation? Contact
In order for consent to be valid, it must be an informed active act on the part of the data subject. Simply put: "Silence does not mean consent."
For example, consent bundled into the terms of use of an app, where one provision contains consent to the processing of personal data, is not acceptable. However, active and informed behaviour can be demonstrated in other ways. For example, the EDPB explicitly states that waving at the camera, swiping a dialog box on the screen, or specific movements with a mobile phone can also be considered unambiguous expressions of intent. It follows that consent does not have to be given in writing.
There are no limits to creativity. The controller must be able to demonstrate all the required elements of consent. Checkboxes, handwritten or electronic signatures, verbal consent in a recorded phone call — these are just a few of the options.
The EDPB also mentions the possibility of double opt-in to reinforce the validity of consent:
Information about the possible further purpose of the processing is sent to the data subject's e-mail address. If the data subject agrees to it, he or she replies to the e-mail stating "I agree." To be on the safe side, the controller also sends the data subject a response to the consent e-mail, which includes a URL link to verify the consent given. The click on the link is recorded and serves as verification of the consent.
When processing special categories of personal data (i.e. sensitive data), an additional condition under Article 9 of the GDPR must be met. Unfortunately, Article 9 does not recognise the necessity for contract performance as a lawful basis. This means that in many cases, consent must be obtained, even if the data is needed to fulfil a contractual obligation.
An airline offers an assistance service for people with disabilities who do not have their own assistant. The customer orders this service, and the airline needs to know the customer's exact medical condition in order to provide the service accurately (prepare a wheelchair, an assistant, etc.). However, as this is sensitive data and Article 9 provides no exception for processing necessary for the performance of a contract, consent must be obtained from the customer. Without consent, the customer can still use normal airline services, but without assistance.
One of the key features of consent as a legal basis is that it can be withdrawn at any time.
No other legal basis under the GDPR is so easily reversible. The data subject can decide at any time that they no longer want their data to be processed on the basis of consent.
The GDPR requires that withdrawing consent must be as easy as giving it.
For instance, if a user gives consent by clicking in an app, the app interface should also allow them to withdraw consent just as easily — ideally with a single click. An example of how not to offer a withdrawal option might look like this:
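The double opt-in flow, the purpose-specific records the controller must be able to demonstrate, and the one-step withdrawal described above, as an added illustration that is not part of the article: a minimal in-memory consent ledger (assumed names; a real system needs durable, auditable storage).

```python
"""Minimal consent ledger: one record per subject and purpose.

Added example, not from the article. Names such as ConsentLedger are
assumptions; storage is in-memory for illustration only.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple


@dataclass
class ConsentRecord:
    subject: str                      # identifier of the data subject, e.g. e-mail
    purpose: str                      # one specific purpose per record
    wording: str                      # exact text shown, so consent can be demonstrated
    token: str                        # random secret for the verification link
    given_at: datetime
    confirmed_at: Optional[datetime] = None   # set when the link is clicked
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def request(self, subject: str, purpose: str, wording: str) -> str:
        """Store an unconfirmed record and return the token for the link."""
        token = secrets.token_urlsafe(32)
        self._records[(subject, purpose)] = ConsentRecord(
            subject, purpose, wording, token, datetime.now(timezone.utc))
        return token

    def confirm(self, subject: str, purpose: str, token: str) -> bool:
        """Second opt-in step: constant-time check of the clicked token."""
        rec = self._records.get((subject, purpose))
        if rec is None or not secrets.compare_digest(token, rec.token):
            return False
        rec.confirmed_at = datetime.now(timezone.utc)
        return True

    def withdraw(self, subject: str, purpose: str) -> bool:
        """Withdrawal is one step: no token, no extra hurdle."""
        rec = self._records.get((subject, purpose))
        if rec is None:
            return False
        rec.withdrawn_at = datetime.now(timezone.utc)
        return True

    def is_active(self, subject: str, purpose: str) -> bool:
        """Processing for a purpose is allowed only on a confirmed, unwithdrawn record."""
        rec = self._records.get((subject, purpose))
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None
```

Because records are keyed by purpose, consent for commercial e-mails does not silently cover a new purpose such as sharing data within a group of companies.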
Consent can be a powerful and flexible tool — when done right.
This requires well-crafted wording, a clearly defined purpose, and robust procedures for withdrawal and record-keeping. In this article, we’ve provided a practical guide to how consent works under the GDPR and what to watch out for when implementing it. Still unsure? We’re here to help. We always tailor consents to match your brand, tone of voice, and the products or services you offer.
Curious about the current rules on transferring personal data to the U.S.? Check out our article on that topic.
I am an attorney specializing in data protection, e-commerce, compliance and related areas. During my tenure, I have audited dozens of companies, setting up technology- and legal-related processes.