Understanding consent under the GDPR

The GDPR is based on the fundamental principle of consent, and it places the highest standard for consent, providing people with true discretion and power

Our personal data reflects who we are as a person, which establishes its relational value. It also has immense economic value, being the most valuable asset in this digital age, and an individual’s data, when bundled into a data set, provides insights and analytics that are useful for collective interest; hence it creates collective value for society. However, tech companies are quite disreputable for unethically using, selling, reselling and trading individuals’ data without their knowledge, purely for profit, violating the fundamental human rights of privacy and data protection. To safeguard these basic essences of humanity, under Article 22 of the GDPR, automated data processing can be challenged by data subjects if the automated decision impacts them negatively, i.e., legally or significantly. However, there are three exemptions.

  • Essential nature: If the data processing is vital to perform a legal agreement task
  • Bounded by the law of the land: If the authorities legally approve the data processing and it is for the common good/welfare of the nation. Also, the data subject is adequately protected with appropriate measures.
  • Explicit Consent: If the data processing is the result of the data subject’s unambiguous consent.

Therefore, personal data processing is strictly prohibited unless it is expressly allowed by law or the data subject has consented to the processing. The GDPR is based on the fundamental principle of consent, and it places the highest standard for consent, providing people with true discretion and power. Genuine consent should empower individuals and build trust and engagement. Under Article 7 of the GDPR, Conditions of Consent, data subjects are asked for their consent and given information that helps them understand the question and its implications, so that they can make a well-informed decision. Consent is described in Article 4 of the GDPR as "any freely given, specific, informed and unambiguous <...> clear affirmative action" through which an individual gives permission for their personal data to be handled in a specific way. That can be broken down into five components:

  1. Freely granted - the individual must not be coerced into giving consent or face any consequences if they do not.
  2. Specific – the individual must be asked to provide free consent to each individual form of data processing.
  3. Informed - the individual must be made conscious of what they are committing to.
  4. Unambiguous – language must be clear and simple.
  5. A clear affirmative action is required - the individual must explicitly agree by doing or saying something.

Example 1:


The consent notice has failed to comply with the GDPR’s requirements on consent.

  1. Freely given: The pre-ticked box confirms that you are not giving consent of your own free will. The notice is pressuring you to select some of the boxes.
  2. Specific: The company might send you other types of communication and claim that you only unsubscribed from the newsletter, special deals, industry news and quarterly account updates.
  3. Informed: In this case, you are not well informed about the kind of communications you are subscribing to.
  4. Unambiguous: It is not clear whether they have any other forms of marketing communication that you are subscribing to by default; you only know that you are rejecting these 4 options.
  5. Clear affirmative action: This is also not fulfilled, as there is no clear statement (for example, "I do understand and provide my consent to process my personal data for special deals").

Example 2:

The example is not even asking for your consent. If you want to use their website, you have to accept the Cookies and Privacy notice by default. Under the five elements of GDPR consent, you are not freely giving your consent; rather, the notice is pressuring you to do so. It violates the key founding principle of gaining consent via a clear affirmative statement, for example, "I do understand and accept the use of cookies." Also, this notice is not unambiguous (you have no information regarding the company’s cookies and privacy policy). Therefore, it does not comply with the GDPR requirements.

This implies that consent necessitates a positive opt-in. That prohibits the use of pre-ticked boxes or any other means of gaining approval by default. Explicit consent necessitates a very precise and explicit declaration of consent. Your consent or permission to process your personal data under the GDPR is distinct from any other terms and conditions. A consent notice is very specific, and you are required to provide separate consent for separate things. Each notice is descriptive and succinct, and provides the names of any third-party controllers who will depend on the permission. The regulation makes it easy for people to withdraw consent, requiring data collectors to provide a clear guideline on how to withdraw any consent. Consent should be reviewed on a regular basis by both parties and refreshed if anything changes. If all of these five elements are absent, you do not have consent under the GDPR.

By Gayatri Panda, Business Partner, Themis Technologies Ltd