PONT Data&Privacy


The AVG has a total of six legal bases for processing personal data, listed in Article 6(1) AVG. One of those bases is consent. For the other bases, see the AVG theme file.

The basis for consent (Article 6(1)(a) AVG) is as follows:

''1. Processing shall be lawful only if and to the extent that at least one of the following conditions is met: (...)

(a) the data subject has consented to the processing of their personal data for one or more specific purposes; (...)''

Art. 4 under 11 AVG defines the concept of consent as:

''any free, specific, informed and unambiguous expression of will by which the data subject signifies, by means of a statement or an unambiguous active act, his or her consent to the processing of personal data relating to him or her.''

Scope of AVG

The AVG does not always apply, despite what is often thought. This may be the case, for example, when the data processing does not fall within the scope of the AVG. In addition, sector-specific laws may take precedence over the AVG, making another law applicable to the data processing. An example of this is the Police Data Act (Wpg), where data may qualify as police data. For a detailed explanation of the scope, see the topic file AVG.


Necessity and subsidiarity

It is important to realize that any AVG basis is subject to the requirements of subsidiarity and proportionality. Therefore, for each processing operation, it is necessary to consider whether the processing is:

- proportional, that is, is there a reasonable relationship between the impairment of the right, on the one hand, and the objective being pursued, on the other?

- subsidiary, that is, is there a less far-reaching way by which the goals can be achieved?

This test must be performed for every basis, even when these requirements are not explicitly mentioned. With the legitimate interest basis, these requirements do make up an explicit part of the test. (1) See Topic file AVG: justified interest.

Necessity and subsidiarity are examples of AVG principles. The other principles must also always be observed. With social media targeting, the EDPB also emphasizes the propriety and quality of data, see Art. 5 and Recital 39 AVG. (22)

Consent requirements

Do you want to use the consent basis? If so, please note the following conditions when using this basis.

Voluntary

Consent must be given voluntarily, without pressure or coercion from the controller. The individual must have a genuine choice. If an employer pressures the employee to consent to sharing their personal data with third parties, this may be considered invalid consent (Recital 43 AVG). Even if consent is included as a mandatory part of the terms and conditions, it is assumed that the consent was not given voluntarily (Art. 4 under 11 AVG, Art. 7 paragraph 4 AVG, Recital 32 AVG).

Specific

The consent must be specific to the data processing taking place. No general consent can be given. Thus, if an organization requests consent to process personal data for various purposes and the data subject only gives consent for some of these purposes, the consent for the remaining purposes may be considered invalid (Art. 4 under 11 AVG, Recitals 32, 43 AVG).

Unambiguous

The consent must be unambiguous. It must be given through a clear and active action. This means that consent to process personal data must be explicit and cannot be assumed from silence, pre-ticked boxes or inactivity. Consent can, however, be given by the person ticking a box on a website or selecting the technical settings themselves, where it is clear that the person agrees to the proposed processing of his or her personal data (Art. 4(11), Recital 32 AVG).

Informed consent

The controller must inform the data subject exactly which personal data are being processed, and the data subject must understand what he is consenting to (Art. 7(2) AVG and Recital 32 AVG). He must always receive information about the identity of the controller and the specific purposes of the processing before it takes place (Art. 13 and 14 AVG). This is part of the information obligation and the principle of transparency.

Withdrawal of consent

The data subject has the right to withdraw consent at any time and must be informed about it. Withdrawal should be as easy as granting consent. If an organization does not inform the data subject of the right to withdraw consent and does not provide the necessary means to do so, this may be considered invalid consent (Art. 7(3) AVG).

No adverse effects

If a person does not consent or withdraws consent, there should be no negative consequences for that person. If a person chooses not to be tracked on a website, that person must still be able to use the website. For example, the website should not require that person to pay to access the site. It is important to offer choices. This also underscores the requirement of voluntariness.

Minors

If a child is under 16, it is only permissible to process his or her personal data if the person who has parental responsibility over that child gives consent (Art. 8(1) AVG). It should be noted, however, that Article 8 AVG is limited to the direct offering of information society services. Given the increased protection of children in the AVG (Recital 38), it can possibly be assumed that children cannot give consent independently in other cases as well.

Accountability

An organization must be able to prove that the data subject has given consent. The person responsible for processing data must prepare a consent statement that is easy to understand. This means that the statement must not contain difficult language or unfair terms and must be easy to find (Art. 7(1) and Recital 42 AVG). See Topic File Accountability.

Special categories of personal data

Organizations that process special categories of personal data, such as health data, must be able to prove express consent, see Art. 9 AVG and par. 3.1 UAVG. For more information on the processing of health data, see the book Privacy in Healthcare, 2.4.1, available via the Data&Privacyweb Pro and Expert membership and in our bookshop.

Practical examples

- Cookie tracking on website (Planet49 ruling)

- Collection and retention of copies of identity documents (Orange România)

- Express consent in the case of special data or criminal data (GC/CNIL)

- No consent required, other basis

Further learning

Current affairs course AVG