Consent
Here we explain consent, one of the legal bases under the GDPR for processing personal data.
Explained – what does consent mean?
Consent is a legal basis under Article 6(1)(a) GDPR. It means the data subject freely, specifically, in an informed manner and unambiguously agrees to the processing of their personal data. For certain categories of sensitive personal data, explicit consent is additionally required under Article 9 GDPR.
Consent is common in marketing, customer surveys and digital services, where the individual can choose whether to participate. It is, however, critical to remember the right to withdraw consent at any time; if withdrawn, any continued processing must cease unless another legal basis exists. This goes to the heart of the GDPR consent definition and responsible consent for personal data processing.
When does consent become relevant?
Consent is used where no other legal basis applies or where legislation expressly requires it. It is particularly common in digital marketing, email distributions and newsletters, use of cookies, and when publishing images of individuals. Typical scenarios include consent for email marketing and cookie consent compliance, both of which must meet the GDPR's expectations for informed consent.
For example, the ePrivacy rules require consent to store or access information on a user’s device, which includes cookies that are not strictly necessary.
Informed consent under the GDPR – points to consider
For consent to be valid under the GDPR, the organisation should ensure the following:
- Consent must be freely given – it cannot be forced or inappropriately made a condition.
- Consent must be specific and cover a clearly stated purpose.
- The data subject must be informed about how the data will be used.
- Consent must be unambiguous and given through an affirmative action.
- For sensitive data, explicit consent is required.
- Withdrawing consent must be as easy as giving it (right to withdraw consent).
- The organisation must document when, how and for what purpose consent was given.
Following these GDPR consent requirements reduces the risk that consent is deemed invalid during a review by the Data Protection Authority. It also supports consent lifecycle management in practice.
Why is consent important?
Consent is central to giving individuals control over their personal data and enhances transparency in how data is processed. It is rarely the most user-friendly basis because the demands are substantial, but it has a clear role where other legal bases are unsuitable, in line with the GDPR consent definition.
Consent is one of the most misunderstood legal bases. Many organisations rely on it where another basis would be more appropriate, creating unnecessary legal risks. Because consent can be withdrawn at any time, you need a plan for how processing will cease if the basis falls away, especially where the GDPR's informed consent and explicit consent requirements apply.
From a trust perspective, properly managed consent demonstrates respect for individual autonomy and privacy, which can strengthen customer relationships and brand value.
Frequently asked questions on consent
Consent is a freely given, specific, informed and unambiguous indication of the individual’s wishes by which they agree to the processing of their personal data. This reflects the GDPR consent definition.
Consent is required where no other legal basis applies or where the law expressly requires it, for example for certain marketing activities and the use of cookies under the ePrivacy Directive. This is key to cookie consent compliance and consent for email marketing.
Valid consent must be:
- Freely given.
- Specific to a particular purpose.
- Informed.
- Given through an affirmative action.
Explicit consent sets a higher bar than standard consent. How it is implemented should be assessed case by case, but as a starting point, the relevant categories of personal data should be clear in order to meet the GDPR's expectations for explicit consent.
Yes. Consent can be withdrawn at any time and the organisation must then stop processing if no other legal basis exists, reflecting the right to withdraw consent.
Among other measures, the organisation should:
- Record the time and method by which consent was given.
- State the purpose and the information provided at the time of consent.
- Store the evidence securely and in a traceable manner.
These practices underpin robust consent for personal data processing and support practical consent lifecycle management.
Read more about our services
GDPR Lawyer
Engage Morling Consulting’s privacy counsel when personal data issues need to be addressed in a business-focused manner with clear control of risk. We provide support with governance, contracts, transparency and processor arrangements, ensuring the organisation remains consistent towards data subjects and the Data Protection Authority (IMY).
DPIA
We prepare Data Protection Impact Assessments (DPIAs) for processing activities that may pose a high risk and require a documented basis for decision-making. We carry out the assessment, identify risks, and put in place mitigations and documentation so the DPIA is auditable, traceable, and ready for review.
Breach management
Morling Consulting supports incident management when a personal data breach must be handled swiftly and correctly. We lead the assessment, remediation plan and documentation, including materials for notification and communications, so the organisation acts in a coordinated way and reduces consequential harm.
Contact us
If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85