Processing personal data is strictly regulated under the GDPR. There are several legal bases, with consent being one of them.
As per Article 7, consent must be freely given, specific, informed and unambiguous.
Freely given means that the user can decide whether to give their consent. There has to be a real choice, a positive action from the data subject. If there is a clear imbalance between the data controller and the data subject, as in the employer-employee relationship, consent is not a valid legal basis for data processing. In this type of relationship, the employee might feel that refusing to give consent will result in negative consequences, such as losing their job. For this reason, other legal bases need to be used in cases where there is an imbalance between the controller and the data subject.
Next, consent should be specific and informed, two clauses that generally go hand in hand. Data subjects should have information on the processing activities, why they are necessary, how long their data is needed and whether it will be shared with third parties. In other words, they need to know exactly why their data is needed.
Finally, consent should be unambiguous. This means there should be a positive action from the data subject. For example, pre-ticked boxes are not valid consent. It is generally advised to choose an opt-in method, rather than opt-out, to avoid any ambiguity.