2.2. Consent requires an indication of the participant’s wishes
Consent is one of the possible bases for the processing of personal data. Valid consent requires a
- specific,
- informed,
- freely given, and
- unambiguous statement.
The data subject can give their consent to a predefined, explicit and legal purpose of processing. If the purpose of processing the personal data changes, the controller must obtain the data subject’s consent again before starting processing.
‘Specific’ consent means that the purpose for which the data is being collected must be specified when requesting the consent. In other words, separate consents must be requested for each purpose of processing, and it is not possible to request the data subject’s consent to all kinds of processing of personal data in advance without specifying to what the data subject is giving their consent.
The consent must also be freely given. That is, the data subject must have a real opportunity to refuse their consent and also be able to withdraw their consent later without any negative consequences. Consent is not freely given if the data subject is in a vulnerable position in relation to the controller. The data subject can be in a vulnerable position if the controller is the data subject’s employer, for example.
Consent must also be clear and unambiguous, so silence, inactivity or a pre-ticked box on a form are not indications of consent. For example, when a child registers for a sports club with an electronic form, the form cannot have a pre-ticked section requesting consent for publishing team photographs on the club’s website or simply state that, by joining the team, the child automatically consents to the publication of their photographs.
