Ch 7.1 - Background

Background & the role of consent

The GDPR requires controllers to process personal data lawfully, fairly and in a transparent manner. Article 6 and Article 9 set out the criteria for lawful processing; Article 7 sets the conditions for relying on consent; Article 8 adds rules for children. Although consent is often seen as central to data protection, it is one of several alternatives, not the default, and is frequently not the most practical basis.

The first principle of processing is that it be lawful, fair and transparent. To be lawful, a controller must point to a basis in Article 6 (and, for sensitive data, also Article 9). Article 7 governs how consent must be obtained; Article 8 adds protections for children.

Consent is not the default

In GDPR debates consent was seen as the main route to lawful processing, but the final text treats it as just one of several alternatives. Beyond specific activities such as marketing, consent is frequently not strictly required and is often not the most practical basis.

Article 6 - the six lawful bases for ordinary personal data
Article 7 - conditions for valid consent
Article 8 - children and information society services
Article 9 - conditions for sensitive (special-category) data
Article 10 - criminal convictions and offences data
Article 11 - processing not requiring identification

Key terms - quick answers

What is “GDPR”?

General Data Protection Regulation - the EU regulation governing the processing of personal data.

What is “Article 6”?

The article listing the six lawful bases for processing ordinary personal data.

What is “Article 9”?

The article governing processing of special-category (sensitive) data - prohibited unless an exception applies.

What is “Article 7”?

Sets out the conditions that must be demonstrated when a controller relies on consent.

← Accountability and telling the principles apart Consent - definition and the four conditions →