Legal references:

Regulation 2016/679: Articles 4.11, 6, 7 and 9

Recital 32, 40, 42, 43


One of the main bases that authorize data processing is consent. Consent is an expression of will, with which the data subject authorizes the processing of data.

The interesting new feature of the GDPR, as compared to Directive 95/46, is represented by the fact that consent can be given not only by declaration but also by a clear affirmative action: therefore the affirmative behavior of the data subject can be considered as giving consent.

However, it is up to the controller to prove that they obtained consent correctly, with the consequence that the lack of a written document may result in difficulties to prove the conclusive behavior of a data subject.

The main characteristics of consent are summarized in the following table.


The violation of the obligation to obtain consent is sanctioned up to € 20,000,000 or, for companies, up to 4% of the total annual turnover of the previous year if higher.

In determining the sanction the criteria of Article 83 Reg. 679/2016 will apply. More precise parameters will be defined through guidelines.