Consent management under the GDPR


Consent management is probably one of the hottest topics in the GDPR. It is not a new subject, but the requirements imposed by the Regulation, together with high fines for non-compliance, make it a very important topic. On our website, we have tackled the subject on more than one occasion, both in the main topic “How does consent work?” and in more detail in our knowledge base. In this article we take a closer look, helping you understand the dos and don’ts of consent management under the GDPR.

Consent according to the GDPR

Article 4(11) of the GDPR defines consent as:

any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

Article 7 further discusses consent, adding some specific provisions such as:

  • keeping records to demonstrate consent
  • withdrawing consent should be as easy as giving it, at any time
  • if a contract conditional on consent exists, it is essential that consent is given freely
  • all consent requests should be clear

For those processing sensitive personal data, Article 9 adds another requirement: consent must be explicit.

If you’re feeling confused by all these terms, don’t worry! You’re not the only one. We’ll explain each of them throughout this article.

Freely given

If you are a controller and your legitimate basis for processing personal data is consent, data subjects must be able to choose whether or not they want their data to be processed. It goes without saying that under no circumstances should consent be coerced. To make sure data subjects truly have a choice, consent will not be used when there is an imbalance between controller and data subject – such as when the controller is a public authority. Also, performance of contracts or other services should not be based upon consent unless it is necessary for the contract itself.


Specific

The next requirement stated in Article 4 is that consent should be specific. This means data subjects need to be told all purposes for processing their personal data before they give their consent. As a result, whenever additional purposes arise, obtaining additional consent may be required.


Informed

For consent to be considered valid, data subjects should be informed of the controller’s identity, the purpose of the processing and how processing might affect them. The language used to communicate all this information should be easy to understand for someone without legal knowledge.


Unambiguous

Consent management should be performed through positive, affirmative action so that the wishes of the data subjects are clear. This also means that silence, pre-ticked boxes or inactivity are not valid consent.

Explicit consent – processing special categories

Special categories of data include:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade-union membership
  • genetic or biometric data
  • data concerning health, sex life or sexual orientation

According to Article 9 of the GDPR, processing any of these types of data is prohibited. However, there are a number of exceptions. In order for consent to be considered ‘explicit’ it must involve a clear, affirmative action by the data subject. Controllers will need to adapt to a strict level of compliance when processing special categories of data. We will discuss more about this topic in a future article.


Children remain a special category, and care is required when processing their data. If the child is younger than 16, parental consent is required. Member states may be allowed to lower this threshold to 13 years old, but not lower. Also, the language in which consent is requested should be easy for a child to understand.

What about consent obtained prior to the GDPR?

So, let’s say you are processing data based on consent obtained prior to the GDPR. You’re probably wondering if you need to re-obtain it. The short answer is: not necessarily. However, you need to be able to provide records that show how you obtained consent.

Is consent always mandatory for processing?

In short, no. Consent is one of several lawful bases for processing, but it is not always the best or the easiest to obtain. Alternatives include: contracts, compliance with legal obligations, vital interests, serving a public task and other legitimate interests (including commercial benefits), as long as the individual’s rights and freedoms are respected. Legitimate bases for processing are an interesting topic that we will cover later on our blog.

To conclude…

Consent management is definitely not an easy task, but it is not an impossible one either. The ICO recently released a GDPR consent draft guidance. The replies they received were contradictory. Many believe the number of tick boxes proposed will only confuse customers. This would be in contradiction with the GDPR’s requirement that consent be requested in a form that is easy for data subjects. One thing is certain: there is still a lot of work to be done before we can reach a consensus and make consent management, and GDPR compliance in general, an easy task.



About the author

Laura Vegh is the Chief Security Officer at, a passwordless security solution. She has a PhD in Systems Engineering, focused on cyber-physical systems security.