Consent under the GDPR
The GDPR requires a legal basis for data processing and Consent forms such a legal basis.
“In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis,” [GDPR Recital 40]. Further, Consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” [GDPR Article 4(11)].
To be valid, Consent must be: freely given (not coerced), specific (separate consent for each processing activity), informed (disclose your identity, purpose etc.), and unambiguous indication (clearly defined step for obtaining consent) which signifies agreement to the processing of personal data relating to him or her. [GDPR Article 4(11)]
Notice under the GDPR
Notice under the GDPR is a subject under the border principle of transparency laid out in Article 5(1)(a) of the GDPR. Transparency is the key to giving effective notice under the GDPR. Transparency obligations apply throughout the life cycle of data processing (i.e., from data collection (GDPR Article 13), once date has been collected (GDPR Article 14), transparency concerning their rights (GDPR Articles 15-22), and communications related to data breaches (GDPR Article 34)).
Further, Recital 58 states that the principle of transparency requires that any information addressed to the public or to the data subject be concise (to the point), easily accessible (immediately apparent to data subject- should not have to seek it out), and easy to understand, and that clear and plain language (as simple a manner as possible), including visualisation (like flow charts) be used.
As for the timing of notice, under Article 13.1 the information must be provided “at the time when personal data are obtained”. In the case of indirectly obtained personal data under Article 14, the timeframes within which the required information must be provided to the data subject are set out in Article 14.3 (a) to (c), and vary from within a “reasonable period” (GDPR Article 14.3(a)) to “latest at the time of the first communication with the data subject” (GDPR Article 14.3(b)) and “latest at the time of the first disclosure” under Article 14.3(c)- in case where the data are being disclosed to another recipient (whether a third party or not).
Andrew Clearwaterand Brian Philbrook, Practical tips for consent under the GDPR, available at https://iapp.org/news/a/practical-tips-for-consent-under-the-gdpr/
Rita Heimes, How opt-in consent really works, available at https://iapp.org/news/a/yes-how-opt-in-consent-really-works/
Mark Young, EU Regulators Provide Guidance on Notice and Consent under GDPR, available at https://www.insideprivacy.com/international/european-union/eu-regulators-provide-guidance-on-notice-and-consent-under-gdpr/
Article 29 Working Party Guidelines on consent under Regulation 2016/679WP29, available at
Article 29 Working Party Guidelines on Transparency under Regulation 2016/679 (wp260rev.01) https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227