Legal basis of consent
If you want to collect and use personal data, you need a legal basis from the General Data Protection Regulation (GDPR). One of the legal bases from the GDPR is that people have given consent for processing their personal data. On this page you can read, among other things, which requirements valid consent has to meet, how you ask for consent, and how you demonstrate that you have consent.
Requirements for consent
The GDPR contains a number of requirements that the legal basis of consent has to meet. Does the consent not meet these requirements? Then the consent is not valid. In that case, you are not allowed to process the personal data.
Consent must meet the following requirements:
- freely given;
- unambiguous;
- informed;
- specific.
Freely given
People must have given their consent 'freely' (in freedom). This means that you are not allowed to pressurise someone into giving consent. For example, by disadvantaging someone if that person does not give consent.
Pay attention to power relationships here. Employees will find it hard to refuse a request for consent from their employer, for example.
Unambiguous
Consent must be given by a clear affirmative action. For example, a (digital) written statement or an oral statement. It must in any case be very clear that consent was given.
You may not assume that someone gives consent implicitly. The use of pre-checked boxes is therefore not permitted.
Informed
You must inform people in advance about:
- the identity of you as an organisation;
- the purpose of every processing for which you ask consent;
- which personal data you collect and use;
- the right that people have to withdraw their consent.
You must offer the information for asking consent in an accessible form. The information must also be understandable, to ensure that someone can make a well-informed choice. This means that you have to use clear and simple language.
Specific
Consent must always apply for a specific processing and a specific purpose. Do you process data for several purposes? Then you have to inform people about them and ask consent for each separate purpose. The purpose may not change along the way.
Asking for consent
The GDPR does not prescribe exactly in which form you have to ask for consent. You are therefore free to determine how you ask for consent.
One of the ways to ask for consent is to have someone complete and sign a written statement.
In an online environment, you can ask people to give their consent by, for example:
- actively ticking a box;
- clicking a button or a link;
- completing an electronic form;
- sending you an email;
- placing an electronic signature;
- uploading a scanned document with signature.
An oral statement may also be sufficient for obtaining valid consent. But in this case, it may be difficult for you to prove that you have actually obtained consent.
You can obtain consent with a recorded telephone conversation, for example. You must provide information in that conversation, though. And ask for a specific confirmation from the person. For example, that someone presses a button or clearly says ‘yes’ or ‘no’.
Demonstrating that you have consent
Under the GDPR, you have a duty of accountability. To demonstrate valid consent, merely recording the consent is not enough. You must also be able to show on the basis of what information someone gave the consent.
Do you ask consent online from people for processing their personal data? Then you can record the information about the website visit in which they gave the consent. You can combine this information with:
- documentation about the way in which you obtain and record consent;
- a copy of the information that people received before giving consent.
Finally, you have to ensure that you have sufficient data with which you can demonstrate a link between the processing and someone's consent. Note that, when collecting these data, you may not collect more than is necessary for this purpose.
Withdrawing consent
People have the right to withdraw their consent. This must be as easy as giving consent. Make sure, therefore, that people can easily withdraw their consent.
What is not permitted, for example: people can give consent online with 1 click or swipe, but have to call the customer service or send a letter if they want to withdraw their consent.
Consent and children
Do you want to process personal data of children? And do you want to rely on the legal basis of consent for this processing? Then you have to pay attention to these points:
Offer extra protection
The GDPR gives extra protection to children under the age of 16, because children cannot, or cannot properly, assess the risks of data processing.
Make sure that you have valid consent
Children under the age of 16 cannot give valid consent for processing their data. Consent is only valid if one of the parents or carers of a child gives the consent. And if you additionally meet the usual requirements for consent.
Consent in the case of online processing
Do you process data of children online? For example, through an app, an online game, an online shop or via social media? Then you are allowed to do this for children under the age of 16 only if you have the consent of one of the parents or carers.
This requirement specifically applies if you make a child an offer that falls under ‘information society services’. That is, if you want to use personal data of children for marketing purposes or for creating personality or user profiles. And also if you want to collect personal data about children when they use services directly provided to children.
It can be concluded from the GDPR that it is the intention that consent from the parents or carers is not required for free helplines and advisory services directly offered to children.
Consent in the case of offline processing
Do you process data of children offline? For example, for an order in a physical shop? This is also only allowed in the case of children under the age of 16 if one of the parents or carers has given consent for this purpose.
Check who has given consent
Under the GDPR, you are obliged to check whether the consent was given by one of the parents or carers of the child. You must be able to demonstrate this if the Dutch Data Protection Authority asks for it.
Note: Do you target children in another EU Member State? The GDPR offers EU Member States the option to set the limit for consent in the case of online processing operations at 13 years. In the Netherlands, the age limit of 16 years applies.
Inform in understandable language
The information that you give about the personal data processing must be simple, accessible and understandable for the child. Meaning: in clear and simple language and with visual support where necessary.
Explicit consent
If you want to process special categories of personal data of someone, you need explicit consent from that person.
Note: Does the law already say that you are allowed to process special categories of personal data? Then you do not need additional explicit consent.
Explicit consent is a heavier form of consent. This makes explicit consent (Article 9 GDPR) different from the ‘normal’, unambiguous consent that is one of the legal bases for being allowed to process data (Article 6 GDPR).
Explicit consent is subject to more requirements than unambiguous consent. The term ‘explicit’ refers to the way in which people express their consent.
It means that someone has to make an explicit statement of consent. The obvious way to arrange this is with a written statement from that person. For the avoidance of any doubt, you can also have this statement signed by that person.
But this is not the only way in which you can obtain explicit consent.
- In a digital or online context, someone can provide the required statement by completing an electronic form, sending an email, uploading a scanned document with signature, or placing an electronic signature.
- You can also offer visitors of your website a screen on which they can give their explicit consent by clicking ‘yes’ or ‘no’. Note: The consent must be clearly formulated in the accompanying text. For example: ‘I hereby give consent for processing of [fill in here which personal data it concerns].’ You must also give your visitors sufficient information about what you do with their data if they give consent.
- In theory, an oral statement may also be sufficient, but in that case it may be difficult for you to prove that you have met all requirements for valid explicit consent.
For more information, view the EDPB Guidelines 05/2020 on consent under Regulation 2016/679, chapter 4.
Consent and the government
Do you want to know if you, as an administrative body, can use consent as a legal basis? This is usually not possible. However, as an administrative body you may nevertheless end up in a situation in which asking for consent is desirable: you want to make sure that people in a vulnerable position get help from other organisations. Below you can read when valid consent may apply in a situation.
Freely given
One of the requirements for consent is that it is freely given. As a result, consent as a legal basis is usually not possible for the government. After all, citizens often depend on the government. For example, if they want to apply to the municipality for a facility (see Recital 43 of the GDPR).
Legal basis for the government
When processing personal data in the performance of government tasks, administrative bodies can usually rely on a legal basis specifically applicable to the government. That legal basis then follows from legislation. In those cases, the legislator also has to ensure that the data are protected properly: by carefully assessing what is necessary, and also by determining clearly what is and is not allowed (see Article 6, paragraph 1, point e, and paragraph 3 of the GDPR).
As a rule, asking for consent is not necessary for an administrative body and is often not suited to the relationship between citizen and government. In practice, administrative bodies therefore exercise caution in asking for consent – and rightly so.
Consent desirable
However, as an administrative body you may nevertheless end up in a situation in which asking for consent is desirable. For example, when you want to provide personal data of people in a vulnerable position to other organisations that (probably) do not yet know these people to ensure that these people can get help from those organisations. In such a case, the provision is not necessary for the performance of your own statutory task.
The purpose of the GDPR is not to deny free citizens the option to give consent for a processing of which it is evident that it is in the interest of the citizen – also according to the citizen themselves.
On the other hand, legislation offers citizens protection. And the intention is not that administrative bodies, bypassing these safeguards, are given the opportunity to force unwanted processing operations on free citizens under the pretext of ‘consent’. Not even if it is clear that, according to the government or objectively, the envisaged help is in their interest.
When are you, as an administrative body in a situation in which asking for consent is desirable, actually allowed to do this? Giving free consent to governments is not by definition impossible. In certain situations it is conceivable that there is real free will. If that is the case, you can provide the data on the basis of consent. Has someone given you explicit consent? Then you are allowed to provide special categories of personal data.
But when does such a situation occur? The Dutch Data Protection Authority (Dutch DPA) has made an overview of indications for situations in which giving free consent to an administrative body seems possible.
Indications for free consent to an administrative body
The Dutch DPA sees the following indications for free consent to an administrative body:
- The processing for which you ask consent is in the interest of the data subject. The processing is (additionally) not in your interest.
- You have not been charged with representing that interest.
- You ask for consent in response to a request for assistance in an individual case, which has proven concrete. Or in response to a request for assistance of which it is known in practice that this is common for this category of data subjects. You do not actively investigate the existence of possible requests for assistance.
- You do not conduct a policy that is aimed at obtaining as much consent as possible in certain situations. Or at achieving a certain number of consents per period of time.
- It is plausible that the data subject, or the category of data subjects, will usually not (be able to) make contact with the appropriate aid organisation themselves.
- You ask the data subject for consent during personal (oral or written) contact.
- You do not insist on giving consent.
- You offer the data subject an appropriate time for reflection before giving consent.
- The consent is not asked in a large-scale or fully automated process. In practice, the large scale and speed may compromise freely given consent.
- When asking for consent, you inform the data subject in an appropriate manner. And explain properly how you share data with another organisation, for which purpose this is done, and which data it concerns.
Although this actually pertains to the requirement that the data subject must be informed about the data processing for which that person gives consent (Article 4, point 11 of the GDPR), the data subject will also be unable to give consent freely if that person has not been informed properly.
Attention for other requirements for consent
Note: The requirement ‘freely given’ is not the only requirement you have to meet. Other requirements for valid consent within the meaning of the GDPR also apply (see Article 4, point 11 and Article 7 of the GDPR). For example:
- You have to register both the oral and the written consent properly. This is part of your duty of accountability (see Article 7, paragraph 1 of the GDPR).
- Data subjects must be able to withdraw their consent easily (see Article 7, paragraph 3 of the GDPR).
- Before data subjects give consent, you must inform them that they can withdraw their consent at any time. And that they do not have to say why they do this (see Article 7, paragraph 3 of the GDPR).
- Has a data subject withdrawn their consent? Then you will also have to communicate this to the organisation to which you provided the data subject's personal data (see Article 19 in conjunction with Article 17, paragraph 1, point b of the GDPR).
When in doubt, ask your Data Protection Officer (DPO) for advice.