Article 7
Conditions for consent


(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC (10) a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

There is no recital in the Directive related to article 7.

The GDPR

Article 4(11) of the Regulation gives a definition of consent that is very close to that of the Directive: “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (see also G29, Opinion 15/2011 of 13 July 2011 on the definition of consent).

In doing so, the new text replaces the unambiguous nature of consent as in Article 7 a) of the Directive with “specific and informed”, which will not amount to very much. On the other hand, the definition underlines the fact that consent must consist of a statement or clear affirmative action, which seems to exclude purely passive or tacit consent, even though witnessed (see in this sense recital 32).

Article 7 specifies the conditions of the consent, as defined.

First, it states that the burden of proof of consent falls on the controller.

The second paragraph of Article 7 also specifies that where the data subject’s consent is required in the context of a written statement that also concerns other matters, the request for consent must be made in a form which clearly distinguishes it from those other matters, in a way that is understandable and easily accessible, using clear and plain language. This new rule seems to imply, for example, that consent to terms and conditions containing an acceptance of processing is not enough to constitute consent within the meaning of the Regulation. Otherwise, the statement is not binding on the data subject.

Another rule is generalized: the data subject has the right to withdraw his or her consent at any time. The consent withdrawal does not affect the lawfulness of the processing based on a previously given consent. The withdrawal does not invalidate the processing preceding the withdrawal and would therefore apply only to future processing. The data subject must be informed about this before giving his or her consent. The final version of the Regulation states that the data subject must be able to withdraw his or her consent as easily as it was given.

Finally, the final version of the Regulation adds a fourth paragraph to Article 7 stating that when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

The Directive

Article 2h of the Directive defined the data subject’s consent as being "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed". Article 7a of this Directive specifies that to offer a basis for lawfulness of the processing, the consent must have been given "unambiguously".

Potential issues

The fate of implicit consent or silent witness is decided by the new definition of consent in the Regulation, and it will not always be easy to determine whether the condition of “clear affirmative action” is met in practice. The absence of objection is however clearly excluded as being consent.

The controller should always obtain evidence of consent and therefore provide for archiving within the processing procedure.

The controller must also review the processes of the existing consents in order to comply with the new conditions of Article 7 that increasingly require that the “privacy” consent is considered to be independent of the contractual consent.

Regulation

Art. 7

1.   Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2.   If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3.   The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4.   When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

1st proposal

Art. 7

1. The controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for specified purposes.

2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.

2nd proposal

Art. 7

1. Where Article 6(1)(a) applies the controller shall be able to demonstrate that unambiguous consent was given by the data subject.

1a. Where Article 9(2)(a) applies, the controller shall be able to demonstrate that explicit consent was given by the data subject.

2. If the data subject's consent is to be given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable (...) from the other matters, in an intelligible and easily accessible form, using clear and plain language.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof.

4. (...)

 

Directive

Art. 7

Member States shall provide that personal data may be processed only if:

(a) the data subject has unambiguously given his consent; or

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or

(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or

(d) processing is necessary in order to protect the vital interests of the data subject; or

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

Art. 23 D.Lgs 196/2003 - Consent

1. Processing of personal data by private entities or profit-seeking public bodies shall only be allowed if the data subject gives his/her express consent.

2. The data subject’s consent may refer either to the processing as a whole or to one or more of the operations thereof.

3. The data subject’s consent shall only be deemed to be effective if it is given freely and specifically with regard to a clearly identified processing operation, if it is documented in writing, and if the data subject has been provided with the information referred to in Section 13.

4. Consent shall be given in writing if the processing concerns sensitive data.
