
Consent and GDPR: What is Consent as a Legal Basis for Processing?

Consent is just one of six legal bases for processing personal data under GDPR. Learn when it is the right choice, what makes it valid, and when other legal bases are a better alternative.



    All processing of personal data requires a legal basis under Article 6 of the GDPR, and consent is just one of the six legal bases that can be used.

    What is consent?

    For many, "consent" has come to be understood as the only legal basis for processing personal data, but this is a misunderstanding.

    In short, consent is valid when:

    • It can be demonstrated to have been given.
    • It has been given for a specific purpose.
    • It has been given freely.
    • It can be withdrawn by the person who gave it.

    Advantages and disadvantages of using consent

    Below, we look more closely at the advantages and disadvantages of using consent as the legal basis for processing personal data.


    Disadvantages

    As a general rule, you should only use consent as the legal basis for your processing of personal data when none of the other legal bases apply. This is because basing processing on consent can make it difficult to carry out the intended processing of personal data.

    Withdrawal of consent

    The reason for this is that the person who gives consent can always withdraw it, which would then require processing of their personal data to stop.

    Freely given

    Consent must also be given freely. There must be no element of coercion in giving consent, as this would render it invalid. This makes it difficult for employers to use consent as the legal basis for processing employees' data, since employees may feel pressured to give consent in that context out of fear of consequences for their employment.

    Reluctance

    Depending on the context, some individuals may respond negatively to being asked for consent to the processing of their personal data. Users are tired of the standardised and dry legal texts and procedures that typically accompany companies' attempts to comply with consent requirements. This can lead many users to simply click or tick "yes" without reading what they are consenting to, which may later create problems for your organisation when it comes to demonstrating the validity of the consent to users.

    Administrative burden

    Using consent can also create an administrative burden, as all aspects of how consent is obtained must be documented. You must comply with your information obligations, document that consent was properly given, and then handle and act on any withdrawals of consent.

    Advantages

    One of the advantages of using consent as the legal basis for processing personal data is the flexibility it gives you as the data controller, since it can serve as an alternative to the following legal bases: contract, legal obligation, and legitimate interests.

    Voluntary and trustworthy

    When you use consent, you involve the individuals, who actively choose to have their personal data processed. This shows users that their data is only used with their involvement, which can strengthen your organisation's credibility.

    Ease of understanding

    It is often easier for users to understand the legal basis of "consent" than, for example, the data controller's legitimate interests. Consent requires clear communication about the processing, as well as a clear yes or no as to whether the individual's personal data may be processed.

    Sensitive personal data

    Private companies have limited options for processing sensitive personal data. Such data can be processed where, for example, the company is subject to a legal obligation or performs public authority tasks.

    However, sensitive personal data can be processed using consent as the legal basis under Article 9(2)(a), provided the individual has given their explicit consent.

    Consent examples

    Below you will find examples of consent being used as the legal basis for the processing of personal data.

    Publishing customer case studies

    When you want to use a customer's name, image, testimonial, etc. in your marketing, you can request their consent. The customer must know what the information will be used for and must have the option to say no without this resulting in any negative consequences for them.

    Market research

    If you want to send out questionnaires as part of a market research exercise, you will generally need consent from the recipients. The research may be aimed at exploring the market, target groups, or new business ideas.

    Recording customer support calls

    If you want to record calls with customers in order to use the recordings for subsequent staff training, the customer must give active consent to the recording. The customer must be clearly informed of the purpose and must be able to decline without this having any consequences for the customer service they receive.

    Newsletters


    When users can sign up for a company newsletter through the website, the user's consent must be obtained before adding them to the mailing list. It must be an active opt-in, and it must be easy to unsubscribe again.

    Entering a competition

    When you run a competition that people can sign up for, the participants' consent can be used as the legal basis. You are processing their data for a specific and time-limited purpose: to draw a winner from among the participants.

    Using marketing cookies on your website

     


    If you want to place marketing cookies in the browser of users visiting your website, you must obtain their active consent. It must be an informed and voluntary choice, and the user must be able to decline just as easily as they can give their consent.

    Alternative legal bases to consent

    When a company wants to process personal data about its customers or employees, it will often rely on the contractual relationship as the legal basis under Article 6(1)(b), or on the company's legitimate interests under Article 6(1)(f).

    Contract

    The contract legal basis is used for all processing that is necessary in order to fulfil an agreement between the company and the customer, including processing of personal data leading up to and following the conclusion of a contract. It would therefore not make sense to use consent in this context, since the contract legal basis provides better conditions for fulfilling the purpose of processing the personal data, such as delivering a parcel to a customer.

    Legitimate interests

    Your organisation may have an interest in processing a customer's data for other purposes, for example to protect the business against theft (CCTV surveillance) or misuse (logging user behaviour in an IT system). This processing can be carried out on the basis of the company's legitimate interests. In this context, it would not make sense to ask the customer for consent, since the processing takes place with the aim of ensuring that the customer does not harm the company.

    Consent and your GDPR compliance

    When maintaining your record of processing activities, you should register the legal basis you use for each of your processing activities, such as consent.


    You should also have a procedure in place for handling withdrawals of consent for each of the processing activities that rely on this legal basis.

    This procedure can be uploaded to your GDPR compliance software and linked to the specific processing activity where consent is used. Without such a procedure, it is doubtful that you will be able to meet your obligations over time.


    Frequently Asked Questions about Consent and GDPR

    What is consent under GDPR?

    Consent under GDPR is a freely given, specific, informed, and unambiguous indication by the data subject that they agree to the processing of their personal data for a specific purpose. It must be demonstrable, and it must be possible to withdraw it at any time.

    Is consent the only legal basis for processing personal data?

    No, consent is just one of six possible legal bases under Article 6 of the GDPR. The others are: performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest, and the legitimate interests of the data controller.

    When is consent valid under GDPR?

    Consent is valid when it can be demonstrated to have been given, has been given for a specific purpose, has been given freely without coercion, and can be withdrawn by the data subject. For sensitive personal data, explicit consent is required under Article 9(2)(a).

    Can a person withdraw their consent?

    Yes, consent can always be withdrawn. Withdrawal must be as easy as giving consent. Once consent is withdrawn, processing of the relevant personal data must cease, unless there is another legal basis for continuing the processing.

    Can employers use consent to process employees' personal data?

    This is generally discouraged, as employees may feel pressured to give consent out of fear of consequences for their employment. Consent given under duress is invalid. Employers should instead consider legal bases such as contract or legal obligation.

    When should you use consent rather than legitimate interests?

    Consent is appropriate when the individual must actively opt in to something, such as newsletters, marketing cookies, or entering a competition. Legitimate interests are often more appropriate when processing takes place in the company's interest, such as CCTV surveillance or IT system logging.

    Can consent be used to process sensitive personal data?

    Yes, explicit consent from the data subject is one of the possible legal bases for processing sensitive personal data under Article 9(2)(a) of the GDPR. Private companies otherwise have limited options for processing sensitive personal data.

    What must you document when using consent?

    You must comply with your information obligations, document that consent was properly obtained, and handle any withdrawals. This requires a clear procedure for each consent-based processing purpose and registration in your record of processing activities.

    What happens when consent is withdrawn?

    Processing of the personal data based on consent must stop. You must have a clear procedure in place and ensure that processing ceases within a reasonable timeframe. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.

    When should you use contract as the legal basis rather than consent?

    The contract legal basis should be used when processing is necessary to fulfil an agreement with the customer, such as delivering a product or service. It provides better conditions than consent and removes the need to obtain and manage a separate consent.
