As per Article 6 of the General Data Protection Regulation (hereinafter referred to as ‘GDPR’), the processing of a European resident’s personal data shall be lawful only if and to the extent that at least one of the conditions mentioned therein is satisfied. One such condition is that the data subject has given consent to the processing of his/her personal data. This article examines the consent mechanism under the GDPR.[1]

Nature of consent:

Article 4 of the GDPR defines ‘consent’ of the data subject as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.[2]

Breaking down the definition, the reason and purpose for which consent is being obtained must be specified to the data subject, and the consent must be free and explicit, obtained without undue pressure or coercion of any kind. Under the GDPR, consent must also be informed and unambiguous. This implies that the data subject must clearly understand the nature and purpose of the consent being sought before he/she provides it, by a statement or by a clear affirmative action, for his/her personal data to be processed by the person/entity obtaining the consent.

It should be noted that consent cannot be said to be freely given if a contract is made conditional on consenting to the processing of personal data that is not necessary for the performance of that contract.[3]

Evidence of consent:

The person/entity obtaining consent for the processing of data needs to keep clear evidence/records demonstrating that the consent was duly obtained, in a manner clearly distinguishable from other matters, so as to prove that the data subject freely consented to his/her data being processed. Such records are necessary to ensure that the consent can be verified.[4]

Withdrawal of consent:

The GDPR gives the data subject the right to withdraw his/her consent at any time. Further, before giving consent to the processing of personal data, data subjects must be informed of their right to withdraw it at any time. The GDPR requires that withdrawing consent be as simple and uncomplicated as giving it. However, it should be noted that the withdrawal of consent shall not affect the lawfulness of processing based on consent before it was withdrawn.[5]