In data protection law, the general principle is that the processing of personal data is prohibited to the extent and as long as it is not permitted by a corresponding statutory provision (so-called prohibition principle). An important fact is the consent of the data subject affected by the data processing.
According to the General Data Protection Regulation (GDPR), the processing of personal data is only lawful if one of the six legal bases listed in Art. 6 (1) of the GDPR is fulfilled. The main legal basis is the data subject’s consent to the processing of his/her personal data for one or more specific purposes.
If consent is to be the basis for processing, the following requirements of Art. 4 No. 11 and Art. 7 of the GDPR must be respected:
- An unambiguous declaration of consent by the data subject that he/she agrees to the processing is required. An active behaviour is necessary. Pre-ticked boxes or the mere continued use of a service are just as insufficient as scrolling through a website or swiping or similar actions or interactions by a user. Nor is it an active declaration of consent if a pre-formulated consent text is not crossed out.
- Consent must be voluntary. The data subject must have a genuine and free choice. The data subject must be able to refuse or withdraw his/her consent at any time without any disadvantages.
- Particular attention must be paid to the prohibition of coupling: The performance of a contract or the provision of a service shall not be subject to consent to such processing which is not necessary for the performance of the contract or the provision of the service.
- Furthermore, there must be no clear imbalance between the controller and the data subject. Such an imbalance can exist, for example, vis-à-vis public authorities or in the employment relationship vis-à-vis the employer. In these cases, therefore, there is often no voluntariness.
- Consent must be given in an informed manner. The declaration of consent must be clear and understandable. In addition, the data subject must be informed about who the controller is and for which purposes the personal data shall be processed. The data subject must also be informed about the nature of the data processed and about the right to withdraw his/her consent at any time.
- The withdrawal of consent shall only apply with effect for the future. Therefore, previously given consent can still be used as a legal basis for processing based on consent before its withdrawal. It shall be as easy to withdraw as to give consent.
- A specific form is not required for consent, i.e. not the written form. However, since the granting of effective consent has to be demonstrated (e.g. vis-à-vis the supervisory authority), a form should be chosen to enable such proof by means of appropriate documentation.
In special cases, further requirements may be imposed on consent. For example, consent to the processing of specially protected data (Art. 9 para. 2 lit. a of the GDPR) or consent to automated individual decisions (Art. 22 para. 2 lit. c of the GDPR) must be explicit consent.
The guidelines on consent under Regulation 2016/679, issued by the European Data Protection Board, are also suitable for more in-depth familiarisation with the subject.