Consent

Consent is a freely given, specific, informed and unambiguous indication by which a data subject agrees to the processing of their personal data. It is one of six lawful bases in GDPR Article 6 and imposes strict requirements on how organisations obtain and document it.

Back to Dictionary

Table of Contents

    What is consent?

    GDPR Article 4(11) defines consent as a freely given, specific, informed and unambiguous indication of the data subject's wishes. The definition sounds straightforward, but in practice the requirements are more demanding than many organisations realise.

    Freely given means the data subject must have a genuine choice. If consent is a precondition for a service that does not require the data to function, it is not freely given. Specific means you cannot ask for broad consent covering multiple unrelated purposes; each purpose requires its own consent.


    Pre-ticked boxes do not count:     GDPR requires an active, affirmative action from the data subject. A box that is already ticked does not constitute valid consent. The Court of Justice of the EU confirmed this in the Planet49 ruling.

    The four requirements for valid consent

    • Freely given: The data subject must not be under pressure or suffer negative consequences for refusing.
    • Specific: Consent must be tied to a defined purpose. Bundled consent for multiple purposes is invalid.
    • Informed: The individual must know who is processing data, for what purpose and which data are concerned.
    • Unambiguous: There must be a clear, affirmative action such as a click or a signature. Silence or inactivity does not constitute consent.

    When should you use consent?

    Consent is one of six lawful bases in GDPR Article 6. It is not always the best choice because it can be withdrawn at any time. Before relying on consent, consider whether a more stable basis such as legitimate interest or contractual necessity applies.

    Consent is typically appropriate for:

    • Marketing communications via e-mail and SMS
    • Cookies and online tracking beyond strictly necessary cookies
    • Processing of special categories of personal data (sensitive data)
    • Sharing data with third parties for purposes not necessary for the service

    Withdrawal of consent

    The data subject may withdraw consent at any time, and it must be as easy to withdraw as it was to give. If consent was obtained with a single click, withdrawal must also be possible with a single click.

    Withdrawal does not affect the lawfulness of processing carried out while consent was active. However, once consent is withdrawn, you must cease the processing immediately.

    Documentation

    You must be able to demonstrate that consent was given. This means you should record:

    • Who gave consent
    • When it was given
    • What they were informed about at the time
    • How consent was obtained (the mechanism used)

    Ensure that your records of processing activities reflect which processing operations rely on consent as their lawful basis.

    Frequently Asked Questions about Consent

    What is consent under GDPR?

    Consent is a freely given, specific, informed and unambiguous indication by which a data subject agrees to the processing of their personal data. It is one of six lawful bases in GDPR Article 6.

    Can consent be withdrawn?

    Yes. The data subject may withdraw consent at any time. Withdrawal must be as easy as giving consent. It does not affect the lawfulness of processing carried out before the withdrawal.

    When should consent be used as a legal basis?

    Consent is appropriate when no other lawful basis applies. It is commonly used for marketing, cookies and processing of special categories of data. Avoid relying on consent if a more stable basis such as legitimate interest or contract applies.

    Are pre-ticked boxes valid consent under GDPR?

    No. GDPR requires an active, affirmative action from the data subject. Pre-ticked boxes do not constitute valid consent, as confirmed by the CJEU in the Planet49 ruling.

    What must organisations document about consent?

    Organisations must record who gave consent, when it was given, what the individual was informed about at the time, and how consent was collected. This evidence must be available in case of a supervisory authority audit.

    +400 companies use .legal
    Region Sjælland
    Aarhus Universitet
    aj_vaccines_logo
    Realdania
    Right People
    IO Gates
    PLO
    Finans Danmark
    geia-food
    Vestforbrænding
    Evida
    Klasselotteriet
    NRGI1
    BLUE WATER SHIPPING
    Karnov
    Ingvard Christensen
    VP Securities
    AH Industries
    Lægeforeningen
    InMobile
    AK Nygart
    ARP Hansen
    DEIF
    DMJX
    Axel logo
    qUINT Logo
    KAUFMANN (1)
    SMILfonden-logo
    kurhotel_skodsborg
    nemlig.com
    Molecule Consultancy
    Novicell
    Footer topswirl

    Info

    .legal A/S

    hello@dotlegal.com
    +45 7027 0127

    VAT-no: DK40888888

    Support

    support@dotlegal.com
    +45 7027 0127
    Need help?

     

    Office

    Aarhus

    Store Torv 14, 2.
    8000 Aarhus C

    We care about safety

    Download our declarations

    ISAE 3000

    ISAE 3402

    Modules

    Let me help you get started

    joa i blob
    Reach out to me on phone
    +45 7027 0127 and I'll get you started
    arrow-right-white Get a demo

    .legal is not a law firm and is therefore not under the supervision of the Bar Council.

    Footer bottomswirl