These Guidelines provide a thorough analysis of the notion of consent in Regulation 2016/679, the
General Data Protection Regulation (hereafter: GDPR).
The concept of consent as used in the Data Protection Directive (hereafter: Directive 95/46/EC) and in the e-Privacy Directive to date, has evolved. The GDPR provides further clarification and specification of the requirements for obtaining and demonstrating valid consent. These Guidelines focus on these changes, providing practical guidance to ensure compliance with the GDPR and building upon Opinion 15/2011 on consent.
Consent remains one of six lawful bases to process personal data, as listed in Article 6 of the
GDPR. When initiating activities that involve processing of personal data, a controller must always
take time to consider whether consent is the appropriate lawful ground for the envisaged processing
or whether another ground should be chosen instead.
Generally, consent can only be an appropriate lawful basis if a data subject is offered control and is
offered a genuine choice with regard to accepting or declining the terms offered or declining them
without detriment. When asking for consent, a controller has the duty to assess whether it will meet
all the requirements to obtain valid consent. If obtained in full compliance with the GDPR, consent
is a tool that gives data subjects control over whether or not personal data concerning them will be
processed. If not, the data subject’s control becomes illusory and consent will be an invalid basis for
processing, rendering the processing activity unlawful.