Consent - definition and the four conditions
Consent is the first Article 6 basis. It is defined as any freely given, specific, informed and unambiguous indication of the data subject's wishes, by a statement or clear affirmative action, agreeing to processing. The burden is on the controller to demonstrate consent was given. Pre-formulated declarations must be in clear, plain, intelligible language with no unfair terms. The EDPB stresses consent is only appropriate where the data subject has genuine choice and control.
The first lawful basis is that the data subject has given consent for one or more specific purposes. The controller bears the burden of demonstrating consent was given. Where the consent declaration is pre-formulated (the usual case), it must be intelligible, easily accessible, in clear and plain language, with no unfair terms, in line with consumer protection rules.
| Condition | What it requires |
|---|---|
| Freely given | Genuine choice; able to refuse or withdraw without detriment; not bundled or tied to a contract |
| Specific | Given for the particular processing operation; separate consent per purpose (granularity) |
| Informed | All necessary details given in understandable language so the subject grasps the effect |
| Unambiguous | A statement or clear affirmative act leaving no doubt of intention; pre-ticked boxes fail |
The onus is always on the controller to demonstrate the data subject consented. Uncertainty is construed against the controller.