Obtaining consent to process someone’s personal data has always been required. However, the GDPR makes it harder for data controllers to obtain it and easier for data subjects to retract it. As stated in the regulation, approval must be given freely, it must be specific, informed and unambiguous. It will not be valid if bundled with other matters, such as in the general terms, it has to be distinguishable from all other matters. Parental consent will be needed in order to process children’s data – at the moment the age limit is set at 16, but there are ongoing discussions for a lower age limit, but not below 13.
So, how exactly does this work?