Ten rules when obtaining consent under Art. 6 of GDPR
Consent is one of the legal bases for the processing of personal data. It is useful in cases where you can offer an individual a real choice and control over whether and how you use his or her data. But are you obtaining consent correctly? Here are the basic rules to keep in mind:
- Verify that consent is the most appropriate legal basis for processing. If there is another possible legal basis, use that one instead.
- Consent must be demonstrable. Keep in mind that it is you (the controller) who will need to prove that you have the consent in the event of an inspection. Therefore, choose a way of expressing consent that you can “keep” (signature, e-mail, a log, a record of a telephone conversation, etc.).
- Consent must be free. People must be able to refuse consent without detriment. Consent should not be bundled up as a condition of service unless it is necessary for that service.
- You must properly inform the data subject before requesting consent. Communicate clearly, intelligibly, and in an easily accessible way. In particular, state why you need the data, what you plan to do with it, and how long you will use it. Mention any other controllers to whom you provide data, including any cross-border provision of data.
- Provide the identification details of your company as the controller as well as the contact details where the data subjects may ask questions or exercise their rights. If applicable, also provide the contact details of your data protection officer.
- If you want to use personal data for different purposes, request separate consent for each purpose.
- The request for consent must be visible and separate from other information (e.g. from your terms and conditions).
- Ask for active opt-in; do not use pre-ticked boxes or any other type of “silent” consent.
- Inform the data subject that he or she may withdraw his or her consent at any time. Ensure that withdrawing consent is as easy as giving it.
- If you offer so-called information society services (online services) to children, it is necessary to have measures in place to verify their age. The processing of a child’s personal data is only legal if the child is at least 16 years old. If the child is under 16 years of age, the processing is lawful only under the conditions and to the extent that consent has been expressed or approved by the holder of parental responsibility over the child.
This article is for general and informational purposes only, and the conclusions, opinions or recommendations presented herein may not apply to a specific situation. The article does not constitute legal advice or replace it. When solving a specific problem or situation, we always recommend consulting a lawyer.