Consent is one of the six conditions of lawfulness set out in Article 6 of the GDPR that allow data controllers (companies, associations, public authorities or other organisations) to process personal data (of their customers, suppliers, constituents, employees, etc.).
The CNPD notes that this condition of lawfulness is often invoked by data controllers. However, in order to constitute a valid basis for lawfulness, consent must comply with a series of conditions set out in the GDPR. Furthermore, consent is not the only possible condition of lawfulness, which means that it is possible to process data on other grounds (performance of a contract, compliance with a legal obligation, safeguarding vital interests, performance of a task carried out in the public interest, and finally the legitimate interests of the controller, unless the interests or the fundamental rights and freedoms of the data subject prevail).
Based on these findings, the CNPD has updated the section of its website dedicated to consent, in which it intends in particular to specify the conditions under which consent may be considered valid within the meaning of the GDPR.
The CNPD calls on all data controllers to be particularly careful when analysing the lawfulness of their processing, and to obtain valid consent where necessary. The CNPD will pay particular attention to this point in the future.