GDPR: Understand everything about consent

According to the Le Robert dictionary, "consent" is defined as the acquiescence given to a project, the decision not to oppose it.
Within the framework of the GDPR, the definition of this term is no different, only a little more complex.

So have a coffee, sit comfortably in your seat and we'll explain everything to you in 5 minutes! ☕️

The response to the survey "Is 'I agree to receive promotional offers from company X and its business partners' a valid form of consent?"

To introduce the subject, we ran a survey on February 22 on our LinkedIn page, asking whether agreeing to receive promotional offers from a company and its business partners is a valid form of consent. Well done! Out of 126 voters, 178% of you answered "No". Indeed, consent must be a manifestation of the will of the person concerned.

The 6 legal bases provided for by the GDPR

Consent is one of the 6 legal bases provided for by the GDPR. Choosing your legal basis is mandatory for the processing to be lawful. This also determines the rights that the persons concerned will be able to avail themselves of for the processing in question.
The rights differ depending on the legal basis chosen.

  • Consent
  • The contract
  • Legal obligation
  • The public interest mission
  • Safeguarding vital interests
  • Legitimate interest

Through our blog articles and our 1-minute "understand everything" episodes, we are presenting and explaining each of these legal bases in detail. Follow us so you don't miss any. Next week we will discuss the contract!

Understand the principle of consent within the meaning of the GDPR

Article 4.11 of the GDPR defines consent as a manifestation of will, emanating from the data subject and which must be free, specific, informed and unambiguous.

Indeed, it allows people to accept or refuse that their data is processed.

The data controller himself chooses the legal basis for the processing. With the GDPR, the data controller judges the means and purposes of the processing himself. He justifies his choices to respect the principle of accountability.

How to obtain people's consent?

The CNIL advises obtaining written consent, for example by adding an opt-in check box at the bottom of your form, such as "I accept that my data will be processed by company X so that it can send me commercial prospecting by email".

For this legal basis to be valid, it must meet the four aforementioned criteria:

  • Free: consent must be given without the person being constrained or influenced in their choice.
  • Specific: consent applies only to a single predefined purpose.

Suppose, for example, that you want to send a newsletter as well as emails with promotional offers, and that you transfer people's data to your partners so that they too can send commercial prospecting. You must obtain consent from individuals for each of these purposes. You should not use a sentence like "I accept that my data will be processed to receive our newsletter, our commercial prospecting and that of our partners". You must collect consent by offering people three separate check boxes, one for each processing purpose.

  • Informed: this criterion is consistent with the obligation to inform the people concerned by the processing and to be transparent.
  • Unambiguous: consent must be a positive act. The CNIL considers, for example, that consent obtained through a pre-checked box is not unambiguous. The person must clearly be aware that they are giving their agreement; there must be no possible doubt and no misleading wording (double negation, opt-out, etc.).

The data controller must always ensure that data subjects can withdraw their consent at any time, easily and free of charge. This is the "right to withdraw consent". Furthermore, according to Article 7 paragraph 1 of the GDPR, the data controller must be able to prove that the person's consent has been validly obtained. The data controller may therefore keep a register of consents. This document lists all consents collected in compliance with the GDPR.

Special cases

According to the CNIL, in certain cases, the collection of consent must meet specific requirements.

  • Consent of minors:
    Article 8 of the GDPR sets out the conditions applicable to the consent of children in the context of information society services. It provides that the consent of a minor aged at least 16 is lawful. For minors under 16 years of age, consent is lawful only if the consent of the holder of parental authority has been obtained.
    The GDPR, however, leaves States free to vary this age limit provided that it is not less than 13 years old. Thus, in France, the consent of children aged over 15 is lawful.
  • Explicit consent:
    These are cases where consent is not necessary under the legal basis for the processing, but is required under another GDPR obligation. This is particularly the case when it comes to the processing of sensitive data or to enable fully automated decision-making. Consent must then be explicit. That is to say, the data controller must put in place specific mechanisms to collect consent from individuals on these specific points. The CNIL gives examples of ways to obtain explicit consent:
    • Provide people with a box dedicated to obtaining consent for the processing of sensitive data,
    • Collect this legal basis through a written declaration signed by the person.

Data Comply One (formerly Mission RGPD) regarding consent

Are you having trouble with the legal bases? Does managing your compliance seem complex to you? Do you feel lost?

✅ Data Comply One (formerly Mission RGPD) makes it easier for you to manage your requests to exercise rights. With this tool you can provide people with an automated rights exercise form. People fill out the fields of the form themselves and provide the information necessary to manage their request. Once the form is completed and sent, the request to exercise rights is automatically transposed into the platform.

Don't waste any more time, it's so simple!