Explicit Consent Under the GDPR: What Is It, and How Is It Different From Standard Consent? - IT Governance Blog

Under the GDPR (General Data Protection Regulation), you sometimes need explicit consent, rather than just ordinary consent.

This blog explains what explicit consent is, how it’s different from normal consent, and when you may need to rely on explicit consent.


Explicit consent isn’t too different from standard consent under the GDPR – many of the same requirements apply. Consent must:

Further reading: This blog explains standard consent in more detail.

The key difference between standard and explicit consent is that explicit consent must not leave room for misinterpretation.

In other words, while standard consent is valid with any clear, unambiguous and affirmative action from the data subject, explicit consent must go one step further – the data subject must give their consent in words (written or spoken).

As with standard consent, you must also keep a record of that consent.


The GDPR mentions “explicit consent” only five times – in three recitals and in Articles 9 and 22.

There are three situations in which you may need to rely on explicit consent:

1. Sensitive data

To process certain types of personal data – specifically, ‘special category’ or ‘sensitive’ data. However, be aware that explicit consent is only one of many Article 9 exemptions you can rely on to process sensitive personal data.

Further reading: This blog explains what constitutes sensitive data and when you may process it.

2. Automated decision-making, including profiling

To conduct personal data processing involving automated decision-making (including profiling), where those decisions have a legal or similarly significant effect on the data subject.

However, again, this isn’t the only lawful basis you can rely on for this type of processing, and you should only rely on (explicit) consent as a last resort.

3. Certain international transfers

To make international transfers where you rely on a ‘derogation for specific situations’ under Article 49 of the GDPR.

You can also make a transfer, relying on this mechanism or safeguard, for a few other reasons. For example, when it’s necessary to:

Whether or not you rely on explicit consent to make an international transfer under a derogation, such a transfer must be infrequent and concern a limited number of data subjects.




We first published a version of this blog in July 2017.

About The Author

IT Governance Europe

IT Governance is your one-stop shop for cyber security and IT GRC information, books, documentation toolkits, training, elearning, consultancy, penetration testing, software tools, and more.