Consent

The consent of the data subject is one of the legal bases or ‘conditions of lawfulness’ on which the processing of personal data may be based.

Conditions

To constitute a valid basis for lawfulness, consent must be free, specific, informed and unambiguous. This means that consent must be capable of being withdrawn if the person concerned changes his or her mind.

Free consent: The individual must have genuine freedom of choice and therefore not be disadvantaged by any refusal.

Specific consent: Consent must relate to identified processing and purposes.

Informed consent: Before obtaining consent, the data controller must inform the data subject of the main characteristics of the processing for which consent is sought. Informed consent goes hand in hand with specific consent.

Unambiguous consent: Consent is the result of a clear positive act (a declaration or a gesture), and can under no circumstances be tacit or pre-filled/pre-ticked.

Consent will not always be the appropriate condition for lawfulness

Given these conditions, consent will not always be the appropriate condition of lawfulness, for example in the following situations:

  • obtain consent for the use of data for which there is a legal obligation. For example, an obligation arising from AML/KYC regulations or regulations relating to social protection. In this case, the appropriate lawfulness condition will be compliance with a legal obligation to which the data controller is subject (Article 6.1.c of the GDPR).
  • obtaining consent for the use of data essential to the performance of a contract. For example, obtaining an address to carry out a delivery service does not require consent, but rather the performance of a contract. In this case, the appropriate condition of lawfulness will be the performance of a contract to which the data subject is a party or the performance of pre-contractual measures taken at the data subject's request (Article 6.1.b of the GDPR).
  • obtaining ‘global’ consent for the use of a group of data within which only a certain number fall within the scope of consent and the rest fall within another basis of lawfulness. In this scenario, consent, which could be a valid basis of lawfulness for some of the data collected, is not validly obtained: it is neither free, specific nor informed. In fact, this consent would be ‘forced’ because it would be hidden in a list of data that cannot be refused, the legal basis being different. This scenario also raises questions about compliance with the principle of fairness set out in the GDPR.

The specific case of children's consent

If the data processed relates to children under the age of 16, in particular for data collected via a commercial website (e.g. online games, social networks), it is necessary to obtain the consent of their parents or legal guardians.

Information for children must be easy to understand and formulated in simple, clear terms.

Dernière mise à jour