Lexicon > Consent

IT Lexicon


Consent is one of the six legal bases for processing personal data under the GDPR.

Nevertheless, consent, in order to be validly considered as a legal basis for the processing of the data subject’s personal data, must meet certain conditions.

Indeed, consent is only an appropriate legal basis if the data subject has real control and choice over whether to accept or reject the proposed conditions or the opportunity to refuse them without suffering harm.

Thus, consent is understood as any manifestation of will:

  • Free;
  • Specific;
  • Illuminated;
  • And univocal by which the data subject accepts, by a declaration or a clear positive act, that personal data relating him/her be processed.

In determining whether consent is freely given by the data subject, account must be taken of any coercion reasonably felt by the data subject or any significant adverse consequences that he or she might suffer if he or she does not consent. The notion of imbalance between the controller and the data subject must also be taken into consideration.

In any case, the obligation to consent to the processing of personal data other than those strictly necessary limits the choice of the data subject and prevents free consent.

Consent is specific when the controller ensures:

  • The specification of purposes as a guarantee against misuse;
  • The detailed nature of the consent requests and;
  • The clear separation of information related to obtaining consent to data processing from information about other matters.

It is thus excluded that the collection of the consent is drowned in the acceptance of general terms of sale or use of a Web site.

Consent is said to be informed when the data subject is provided with information about the processing in a clear, accessible and understandable form before giving consent to the controller. The informed nature of the consent thus contributes to the right to information of the person concerned.

Finally, consent is said to be unambiguous when the data subject makes a clear positive statement or act, such as an opt-in, in order to consent to the processing of his/her data. It must be clear that the data subject has consented to the processing. Consent cannot therefore be implicit, and in particular cannot be based on an opt-out mechanism.

In cases where the processing is based on consent, the controller must be able to demonstrate at any time that the data subject has properly given his consent to the processing of his personal data.

GDPR Point

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.

This could include ticking a box when visiting a website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.

Silence, pre-ticked boxes or inactivity should not therefore constitute consent “.

Recital 32 of the GDPR

Point of jurisprudence

The Council of State ruled that: ” the contested device, consisting of a thermal camera […] constitutes processing of personal data which, in the absence of explicit and free consent or, in any case, of textual authorization, is prohibited by Articles 6, 7 and 9 of the General Data Protection Regulation “.

Council of State, June 26, 2020, N°441065

The Bouchara Law firm assists you in particular in :

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.