Article 7
Conditions for consent

Official
Texts
Guidelines Caselaw Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 7 keyboard_arrow_down Hide the recitals of the Regulation related to article 7 keyboard_arrow_up

(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

There is no recital in the Directive related to article 7.

The GDPR

We find a definition of the consent in Article 4, 11) of the Regulation that is very close to that issued by the Directive: “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (see also G29, Opinion 15/2011 of 13 July 2011 on the definition of consent).

In doing so, the new text replaces the unambiguous nature of the consent as in Article 7 a) of the Directive by “specific and informed”, which will not amount to very much. On the other hand, the definition underlines the fact that the consent must consist of a statement or clear affirmative action, which seems to exclude a purely passive or tacit consent, even though witnessed (see in this sense recital 32).

Article 7 specifies the conditions of the consent, as defined.

First, it states that the burden of proof of consent is left to the controller.

The second paragraph of article 7 also specifies that if the data subject’s consent shall be required in the context of a written statement concerning also other questions, the request for consent must be made in a form which distinguishes it clearly from these other questions, in a way that is understandable and easily accessible, using clear and plain language. This new rule for example seems to imply that the consent to the terms and conditions containing an acceptance of processing is not enough to see a consent within the meaning of the Regulation. Otherwise, the statement is not binding to the data subject.

Another rule is generalized: the data subject has the right to withdraw his or her consent at any time. The consent withdrawal does not affect the lawfulness of the processing based on a previously given consent. The withdrawal does not invalidate the processing preceding the withdrawal and would therefore apply only to future processing. The data subject must be informed about this before giving his or her consent. The final version of the Regulation states that the data subject must be able to withdraw his or her consent as easily as given.

Finally, the final version of the Regulation adds a fourth paragraph in article 7 stating that when assessing whether consent is freely given, utmost account shall be taken of whether,  inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

The Directive

Article 2h of the Directive defined the data subject’s consent as being "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed". Article 7a of this Directive specifies that to offer a basis for lawfulness of the processing, the consent must have been given "unambiguously”.

Potential issues

The fate of the implicit consent or silent witness is decided by the new definition of consent in the Regulation and it will not be always easy to determine whether the condition of “clear affirmative action” is met in practice. The absence of objection is however clearly excluded asbeing consent.

The controller should always obtain evidence of consent and therefore, provide archiving within the processing procedure.

The controller must also review the processes of the existing consents in order to comply with the new conditions of Article 7 that increasingly require that the “privacy” consent is considered to be independent of the contractual consent.

Summary

European Union

European Union

European Data Protection Board (EDPB)

Guidelines on consent under Regulation 2016/679 - 5/2020 (4 mai 2020)

These Guidelines provide a thorough analysis of the notion of consent in Regulation 2016/679, the General Data Protection Regulation (hereafter: GDPR). The concept of consent as used in the Data Protection Directive (hereafter: Directive 95/46/EC) and in the e-Privacy Directive to date, has evolved. The GDPR provides further clarification and specification of the requirements for obtaining and demonstrating valid consent. These Guidelines focus on these changes, providing practical guidance to ensure compliance with the GDPR and building upon the Article 29 Working Party Opinion 15/2011 on consent. The obligation is on controllers to innovate to find new solutions that operate within the parameters of the law and better support the protection of personal data and the interests of data subjects.

Consent remains one of six lawful bases to process personal data, as listed in Article 6 of the GDPR.2 When initiating activities that involve processing of personal data, a controller must always take time to consider what would be the appropriate lawful ground for the envisaged processing.

Generally, consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment. When asking for consent, a controller has the duty to assess whether it will meet all the requirements to obtain valid consent. If obtained in full compliance with the GDPR, consent is a tool that gives data subjects control over whether or not personal data concerning them will be processed. If not, the data subject’s control becomes illusory and consent will be an invalid basis for processing, rendering the processing activity unlawful.

The existing Article 29 Working Party (WP29) Opinions on consent4 remain relevant, where consistent with the new legal framework, as the GDPR codifies existing WP29 guidance and general good practice and most of the key elements of consent remain the same under the GDPR. Therefore, in this document, the EDPB expands upon and completes earlier Article 29 Working Party Opinions on specific topics that include reference to consent under Directive 95/46/EC, rather than replacing them.

As the WP29 stated in its Opinion 15/2011 on the definition on consent, inviting people to accept a data processing operation should be subject to rigorous requirements, since it concerns the fundamental rights of data subjects and the controller wishes to engage in a processing operation that would be unlawful without the data subject’s consent.

The crucial role of consent is underlined by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Furthermore, obtaining consent also does not negate or in any way diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially Article 5 of the GDPR with regard to fairness, necessity and proportionality, as well as data quality. Even if the processing of personal data is based on consent of the data subject, this would not legitimise collection of data, which is not necessary in relation to a specified purpose of processing and be fundamentally unfair. Meanwhile, the EDPB is aware of the review of the ePrivacy Directive (2002/58/EC). The notion of consent in the draft ePrivacy Regulation remains linked to the notion of consent in the GDPR.

Organisations are likely to need consent under the ePrivacy instrument for most online marketing messages or marketing calls, and online tracking methods including by the use of cookies or apps or other software. The EDPB has already provided recommendations and guidance to the European legislator on the Proposal for a Regulation on ePrivacy.

With regard to the existing e-Privacy Directive, the EDPB notes that references to the repealed Directive 95/46/EC shall be construed as references to the GDPR.

This also applies to references to consent in the current Directive 2002/58/EC, as the ePrivacy Regulation will not (yet) be in force from 25 May 2018. According to Article 95 GDPR, additional obligations in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks shall not be imposed insofar the e-Privacy Directive imposes specific obligations with the same objective. The EDPB notes that the requirements for consent under the GDPR are not considered to be an ‘additional obligation’, but rather as preconditions for lawful processing. Therefore, the GDPR conditions for obtaining valid consent are applicable in situations falling within the scope of the e-Privacy Directive.

Lien

Retour au sommaire

Article 29 Working Party

Guidelines on consent under Regulation 2016/679 - wp259rev.01 (10 avril 2018)

(Endorsed by the EDPB)

These Guidelines provide a thorough analysis of the notion of consent in Regulation 2016/679, the General Data Protection Regulation (hereafter: GDPR). The concept of consent as used in the Data Protection Directive (hereafter: Directive 95/46/EC) and in the e-Privacy Directive to date, has evolved. The GDPR provides further clarification and specification of the requirements for obtaining and demonstrating valid consent. These Guidelines focus on these changes, providing practical guidance to ensure compliance with the GDPR and building upon Opinion 15/2011 on consent. The obligation is on controllers to innovate to find new solutions that operate within the parameters of the law and better support the protection of personal data and the interests of data subjects.

Consent remains one of six lawful bases to process personal data, as listed in Article 6 of the GDPR. When initiating activities that involve processing of personal data, a controller must always take time to consider what would be the appropriate lawful ground for the envisaged processing.

Generally, consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment. When asking for consent, a controller has the duty to assess whether it will meet all the requirements to obtain valid consent. If obtained in full compliance with the GDPR, consent is a tool that gives data subjects control over whether or not personal data concerning them will be processed. If not, the data subject’s control becomes illusory and consent will be an invalid basis for processing, rendering the processing activity unlawful.

The existing Article 29 Working Party (WP29) Opinions on consent remain relevant, where consistent with the new legal framework, as the GDPR codifies existing WP29 guidance and general good practice and most of the key elements of consent remain the same under the GDPR. Therefore, in this document, WP29 expands upon and completes earlier Opinions on specific topics that include reference to consent under Directive 95/46/EC, rather than replacing them.
As stated in Opinion 15/2011 on the definition on consent, inviting people to accept a data processing operation should be subject to rigorous requirements, since it concerns the fundamental rights of data subjects and the controller wishes to engage in a processing operation that would be unlawful without the data subject’s consent.4 The crucial role of consent is underlined by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Furthermore, obtaining consent also does not negate or in any way diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially Article 5 of the GDPR with regard to fairness, necessity and proportionality, as well as data quality. Even if the processing of personal data is based on consent of the data subject, this would not legitimise collection of data which is not necessary in relation to a specified purpose of processing and be fundamentally unfair.

Meanwhile, WP29 is aware of the review of the ePrivacy Directive (2002/58/EC). The notion of consent in the draft ePrivacy Regulation remains linked to the notion of consent in the GDPR. Organisations are likely to need consent under the ePrivacy instrument for most online marketing messages or marketing calls, and online tracking methods including by the use of cookies or apps or other software. WP29 has already provided recommendations and guidance to the European legislator on the Proposal for a Regulation on ePrivacy.

With regard to the existing e-Privacy Directive, WP29 notes that references to the repealed Directive 95/46/EC shall be construed as references to the GDPR.8 This also applies to references to consent in the current Directive 2002/58/EC, as the ePrivacy Regulation will not (yet) be in force from 25 May 2018. According to Article 95 GDPR, additional obligations in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks shall not be imposed insofar the e-Privacy Directive imposes specific obligations with the same objective. WP29 notes that the requirements for consent under the GDPR are not considered to be an ‘additional obligation’, but rather as preconditions for lawful processing. Therefore, the GDPR conditions for obtaining valid consent are applicable in situations falling within the scope of the e-Privacy Directive.

Link

Retour au sommaire

Summary

European Union

European Union

CJEU caselaw

C-673/17 (1 October 2019) - Planet49

1.      Article 2(f) and of Article 5(3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in conjunction with Article 2(h) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Article 4(11) and Article 6(1)(a) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 (General Data Protection Regulation), must be interpreted as meaning that the consent referred to in those provisions is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent.

2.      Article 2(f) and Article 5(3) of Directive 2002/58, as amended by Directive 2009/136, read in conjunction with Article 2(h) of Directive 95/46 and Article 4(11) and Article 6(1)(a) of Regulation 2016/679, are not to be interpreted differently according to whether or not the information stored or accessed on a website user’s terminal equipment is personal data within the meaning of Directive 95/46 and Regulation 2016/679.

3.      Article 5(3) of Directive 2002/58, as amended by Directive 2009/136, must be interpreted as meaning that the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.

Opinion of Advocate general

Judgment of the Court

C-708/18 (11 December 2019) - Asociaţia de Proprietari bloc M5A-ScaraA

Article 6(1)(c) and Article 7(f) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, must be interpreted as not precluding national provisions which authorise the installation of a video surveillance system, such as the system at issue in the main proceedings, installed in the common parts of a residential building, for the purposes of pursuing legitimate interests of ensuring the safety and protection of individuals and property, without the consent of the data subjects, if the processing of personal data carried out by means of the video surveillance system at issue fulfils the conditions laid down in Article 7(f), which it is for the referring court to determine.

Judgment of the Court

Retour au sommaire Retour au sommaire
Regulation
1e 2e

Art. 7

1.   Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2.   If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3.   The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4.   When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

1st proposal close

Art. 7

1. The controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for specified purposes.

2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.

2nd proposal close

Art. 7

1. Where Article 6(1)(a) applies the controller shall be able to demonstrate that unambiguous consent was given by the data subject.

1a. Where Article 9(2)(a) applies, the controller shall be able to demonstrate that explicit consent was given by the data subject.

2. If the data subject's consent is to be given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable (...) from the other matters, in an intelligible and easily accessible form, using clear and plain language.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof.

4. (...)

 

Directive close

Art. 7

Member States shall provide that personal data may be processed only if:

(a) the data subject has unambiguously given his consent; or

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or

(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or

(d) processing is necessary in order to protect the vital interests of the data subject; or

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

No (special) provision under Hungarian law.

Old law close

Definitions

§ 3 Data Protection Act

[...]

(7) ‘the data subject’s consent’ means any freely and expressly given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed without limitation or with regard to specific operations;

(8) ‘the data subject’s objection’ shall mean an indication of his wishes by which the data subject objects to the processing of his personal data and requests that the processing of data relating to him be terminated and/or the processed data be deleted;

[...]


Requirement of preliminary information of data subjects

§ 20 Data Protection Act

(1) Before processing operations are carried out the data subject shall be informed whether his consent is required or processing is mandatory.

(2) Before processing operations are carried out the data subject shall be clearly and elaborately informed of all aspects concerning the processing of his personal data, such as the purpose for which his data is required and the legal basis, the person entitled to control the data and to carry out the processing, the duration of the proposed processing operation, if the data subject’s personal data is processed in accordance with Subsection (5) of Section 6, and the persons to whom his data may be disclosed. Information shall also be provided on the data subject’s rights and remedies.

(3) In the case of mandatory processing such information may be supplied by way of publishing reference to the legislation containing the information referred to in Subsection (2).

(4) If the provision of information to the data subject proves impossible or would involve disproportionate efforts, the obligation of information may be satisfied by the public disclosure of the following:

a) an indication of the fact that data is being collected;

b) the data subjects targeted;

c) the purpose of data collection;

d) the duration of the proposed processing operation;

e) the potential data controllers with the right of access;

f) the right of data subjects and remedies available relating to data processing; and

g) where the processing operation has to be registered, the number assigned in the data protection register, with the exception of Subsection (2) of Section 68.


The data subject’s right to object to the processing of his personal data

§ 21 Data Protection Act

(1) The data subject shall have the right to object to the processing of data relating to him:

a) if processing or disclosure is carried out solely for the purpose of discharging the controller’s legal obligation or for enforcing the rights and legitimate interests of the controller, the recipient or a third party, unless processing is mandatory;

b) if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research; and

c) in all other cases prescribed by law.

(2) In the event of objection, the controller shall investigate the cause of objection within the shortest possible time inside a fifteen-day time period, adopt a decision as to merits and shall notify the data subject in writing of its decision.

(3) If, according to the findings of the controller, the data subject’s objection is justified, the controller shall terminate all processing operations (including data collection and transmission), block the data involved and notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the objection.

(4) If the data subject disagrees with the decision taken by the controller under Subsection (2), or if the controller fails to meet the deadline specified in Subsection (2), the data subject shall have the right under Section 22 to bring action in the court of law within thirty days of the date of delivery of the decision or from the last day of the time limit.

(5) If data that are necessary to assert the data recipient’s rights are withheld owing to the data subject’s objection, the data recipient shall have the right under Section 22 to file charges against the controller within fifteen days from the date the decision is delivered under Subsection (2) in order to obtain the data. The controller may give third-party notice to the data subject.

(6) If the data controller fails to send notice as specified in Subsection (3), the data recipient shall have the right to request information from the controller concerning the circumstances of non-disclosure, upon which the controller shall make available the information requested within eight days of receipt of the data recipient’s request. Where information had been requested, the data recipient may bring action against the controller within fifteen days from the date of receipt of the information, or from the deadline prescribed therefor. The controller may give third-party notice to the data subject.

(7) The controller shall not delete the data of the data subject if processing has been prescribed by law. However, data may not be disclosed to the data recipient if the controller agrees with the objection or if the court has found the objection justified.

Romania close

Law No. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data, as amended and completed

Article 5:

(1) Any personal data processing, except for the processing which refer to the categories mentioned in Article 7 paragraph (1) and Articles 8 and 10, may be carried out only if the data subject has given his/her express and unequivocal consent for that processing.

(2) The data subject’s consent is not required in the following situations:

a) when the processing is required in order to carry out a contract or pre-contract to which the data subject is party of, or in order to take some measures, at his request, before signing that contract or the pre-contract;

b) when the processing is required in order to protect the data subject’s life, physical integrity or health or that of a threatened third party;

c) when the processing is required in order to fulfill a legal obligation of the data controller;

d) when the processing is required in order to accomplish some measures of public interest or regarding the exercise of public official authority prerogatives of the data controller or of the third party to which the date are disclosed;

e) when the processing is necessary in order to accomplish a legitimate interest of the data controller or of the third party to which the date are disclosed, on the condition that this interest does not prejudice the interests, or the fundamental rights and freedoms of the data subject;

f) when the processing concerns data which is obtained from publicly accessible documents, according to the law;

g) when the processing is performed exclusively for statistical purposes, historical or scientific research and the data remain anonymous throughout the entire processing;

(3) The provisions of paragraph (2) do not infringe the legal texts that govern the obligations of public authorities to respect and protect intimate, family and private life.

close