When is consent required and when should it be avoided?

1 min read • Simon • GDPR • 11 November 2025

Consent is one of several lawful bases for processing personal data under the GDPR, yet in many situations another basis is better suited to the processing in question. In some cases, however, consent is the only available basis – in others it should be avoided, even if it could in theory be used.

Consent is a last resort where no other lawful basis applies, for example for direct marketing by email to consumers or for processing special category data in certain research projects. Consent should be avoided where:

  • There is a dependency that means consent cannot be regarded as freely given (for example in employment relationships).
  • The processing is in any event necessary to perform a contract or comply with legal obligations.
  • Another applicable lawful basis exists, for example legitimate interests or legal obligation.

A common mistake is to collect consent “just in case”, even though the processing could in fact rely on another lawful basis. This creates unnecessary work because consents must be managed, documented and, in the worst case, withdrawn. The company also risks being left without a valid basis if consent is withdrawn and there is no alternative lawful basis to fall back on. Consent should therefore only be used where the controller can genuinely cease the processing if consent is withdrawn.

To ensure the correct basis is used, the organisation should document the decision on the lawful basis for each processing purpose. It is also important to inform data subjects clearly about which basis applies. A well-founded and correctly chosen lawful basis reduces the risk of deficiencies during any review by the Data Protection Agency. It also strengthens trust among customers and employees.

Using consent when it is not necessary increases the administrative burden and the risk that the processing will be questioned, as the requirements for valid consent are stringent and give the data subject more extensive control than other lawful bases.

At Morling Consulting, our GDPR lawyers help organisations select the right lawful basis for each processing activity – and avoid unnecessary risk.

12 December 2025

How to know when you need support from a commercial lawyer
Read more
The image shows three people in suits sitting and discussing a document.

9 December 2025

How the Anti-Money Laundering Act affects regulated financial activities
Read more
Contract lawyer coordinating and reviewing offer, LOI and final contract through email and digitally signed documents.

5 December 2025

A contract law attorney clarifies the boundary between an offer, a Letter of Intent and a contract
Read more