Consent (Articles 6 + 7 GDPR)
One of 6 legal bases — strict requirements
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
Consent under Article 4(11) GDPR is any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they signify agreement, either by a statement or by a clear affirmative action. It is one of six legal bases under Article 6. Its mandatory features: freely given, specific, informed, unambiguous, and revocable at any time (Article 7).
What is consent (Articles 6 + 7 GDPR)?
Four mandatory features of valid consent:
- Freely given — no coercive situation, no bundling with contract performance (Article 7(4))
- Specific — separately per purpose
- Informed — about purpose, recipients, right to withdraw, fines
- Unambiguous — active action (no opt-out, no pre-checked boxes)
Practical example
CJEU C-673/17 (Planet49): pre-checked cookie boxes are invalid. CJEU C-621/22 (IAB Europe, 03/2024): targeting without genuine consent is prohibited. Current practice: TDDDG-compliant cookie banner offering a genuine choice.
Frequently asked questions
When is consent NOT the right legal basis?
In the employment relationship (coercive situation), for contract performance (Article 6(1)(b) is more suitable), and for legitimate interests (Article 6(1)(f)).
How do I document consents?
Use a consent management tool with an audit trail. Record the timestamp, the exact wording, the IP address (pseudonymised), and the withdrawal timestamp.
What happens upon withdrawal?
Stop processing immediately. Erase the data unless another legal basis applies. Send a confirmation to the data subject.
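An added example, not part of the original article or of any particular consent management product: a minimal in-memory consent log in Python that stores the fields listed under "How do I document consents?" and gates processing on withdrawal as described above. The HMAC-SHA-256 pseudonymisation of the IP address, the demo key, and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumption: in production this key sits in a secret store, apart from the log.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


def pseudonymise_ip(ip: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: stable per IP for audits, not reversible without the key."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                  # one record per purpose ("specific")
    wording: str                  # exact text shown to the data subject
    ip_pseudonym: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLog:
    def __init__(self):
        self._records = []

    def record_consent(self, subject_id, purpose, wording, ip, checked_by_user):
        # Only an active action counts; a pre-checked box or silence is rejected.
        if not checked_by_user:
            raise ValueError("consent requires an active action by the user")
        rec = ConsentRecord(subject_id, purpose, wording, pseudonymise_ip(ip),
                            datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose):
        """Stamp every open record for this purpose; return how many were closed."""
        now, closed = datetime.now(timezone.utc), 0
        for rec in self._records:
            if (rec.subject_id, rec.purpose) == (subject_id, purpose) and rec.withdrawn_at is None:
                rec.withdrawn_at, closed = now, closed + 1
        return closed

    def may_process(self, subject_id, purpose):
        """Gate to call before each processing step that relies on consent."""
        return any(r.subject_id == subject_id and r.purpose == purpose
                   and r.withdrawn_at is None for r in self._records)
```

Withdrawn records are stamped rather than deleted, so the audit trail keeps both timestamps while `may_process` returns False for that purpose.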