Community Champion

Article 29 WP publishes a new Guideline on Consent under the GDPR

These Guidelines provide a thorough analysis of the notion of consent in Regulation 2016/679, the General Data Protection Regulation (hereafter: GDPR).

The concept of consent as used in the Data Protection Directive (hereafter: Directive 95/46/EC) and in the e-Privacy Directive to date, has evolved. The GDPR provides further clarification and specification of the requirements for obtaining and demonstrating valid consent. These Guidelines focus on these changes, providing practical guidance to ensure compliance with the GDPR and building upon Opinion 15/2011 on consent.

Consent remains one of six lawful bases to process personal data, as listed in Article 6 of the GDPR. When initiating activities that involve processing of personal data, a controller must always take time to consider whether consent is the appropriate lawful ground for the envisaged processing or whether another ground should be chosen instead.

Generally, consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment. When asking for consent, a controller has the duty to assess whether it will meet all the requirements to obtain valid consent. If obtained in full compliance with the GDPR, consent is a tool that gives data subjects control over whether or not personal data concerning them will be processed. If not, the data subject’s control becomes illusory and consent will be an invalid basis for processing, rendering the processing activity unlawful.

2 Replies

I suspect that consent will be one of the more difficult articles to comply with in GDPR. The choice would be offered at every step of the processing, so it should ideally be embedded into the applications so the data owner has visibility and the control to deny access at any point.
Newcomer III

GDPR defines ‘consent’ of the data subject as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. On top of that, there are conditions for consent to be valid listed in Article 7.


The guidance from WP29 amplifies the importance of demonstrating these for consent to be lawfully leveraged.