End User Consents Under the GDPR – Part 2: A Checklist for Data Controllers

Mar 9, 2017

The GDPR requires that consent be freely given, specific, informed and unambiguous. In practice this means that the end user must have a genuine choice whether or not to give consent, and must be able to refuse or withdraw consent without detriment. Consent must be tied to a clearly defined purpose; it does not cover an open-ended set of processing activities. The end user must also be given proper information so that he or she knows what he or she is agreeing to. Finally, consent should be given in a clear manner, so that the data controller can demonstrate that valid consent was obtained.

Here is a checklist of some golden rules for controllers to consider when collecting consents:

  1. Do not use pre-ticked boxes. Although pre-ticked boxes are still commonly used in various online services, they are explicitly forbidden in the GDPR.
  1. Do not interpret silence or inactivity as consent. Any statement or conduct which clearly indicates the end user’s acceptance is acceptable. An end user can give consent, for example, by ticking a box when visiting a website or by choosing technical settings.
  1. Inform the end user that he or she is giving consent, and of the extent of that consent. The end user should also be informed of the identity of the data controller and the purpose(s) of the processing. Remember to use clear and plain language when collecting consent.
  1. Do not hide the consent in the privacy policy or in the terms of use. Consent must be collected in a way which is clearly distinguishable from other matters. If you are collecting consent by electronic means, doing so should not unnecessarily disrupt the use of the service.
  1. Remember that the end user must be able to withdraw consent at any time, and withdrawing consent should be as easy as giving it.
  1. Is the processing of personal data for which you are collecting consent necessary for the performance of your service? The provision of the service should not be made conditional on consent unless the processing is necessary for the performance of the service.
  1. Be extra careful if you are collecting sensitive data. Processing of sensitive data is prohibited unless you have received explicit consent from the end user.

To be able to demonstrate compliance with the GDPR, you should implement and maintain a comprehensive consent management framework covering the whole lifecycle of processing based on end user consent. Putting this in place usually requires professional help.

The third part of our blog series includes a checklist for end users to consider when giving consent in the online environment. See also the first part, on the issues relating to consent.

Sini Mickelsson, Privacy Specialist