Ch 7.2 - Choosing the basis
Consent vs legitimate interests - choosing correctly
Exam scenarios frequently turn on consent vs legitimate interests. Consent gives the subject control but can be withdrawn at any time, forcing the controller to stop that processing; it suits short-term, optional, marketing-type activities. Legitimate interests is more durable for long-term processing but requires a balancing test documented in a legitimate interest assessment (LIA), and the subject keeps a right to object. Misrepresenting the basis - saying processing rests on consent while actually relying on another basis - is fundamentally unfair according to the EDPB.

| Feature | Consent (6(1)(a)) | Legitimate interests (6(1)(f)) |
|---|---|---|
| Subject control | High - subject chooses and can withdraw anytime | Lower - subject has a right to object, not a veto |
| Effect of withdrawal/objection | Controller must stop that processing | Controller may continue if it shows compelling legitimate grounds |
| Documentation | Record of consent (obligation to demonstrate consent) | LIA / balancing test documented |
| Best for | Short-term, optional, e.g. marketing sign-ups | Long-term processing within reasonable expectations |
| Public authority | Hard - imbalance (Recital 43) | Not available for their tasks |

Don't dress up the wrong basis
The EDPB says it is fundamentally unfair to tell individuals their data is processed on the basis of consent while actually relying on another basis. If you rely on consent, you must respect a withdrawal and stop.
Key terms - quick answers
What is “Withdrawal of consent”?
The subject's right to revoke consent at any time, after which the controller must stop the consent-based processing.
What is “Legitimate interest assessment (LIA)”?
The documented three-part test justifying reliance on legitimate interests.