Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR

Section 3.1  Consent under the GDPR

28 Under the GDPR, consent serves as one of the six legal grounds for the lawfulness of processing of personal data. Article 4 (11) of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him orher”. These four conditions, freely given, specific, informed, and unambiguous, are essential for the validity of consent. According to the EDPB Guidelines 05/2020 on consent under Regulation 2016/679, consent can only be an appropriate lawful basis if a data subject is offered control anda genuine choice with regard to accepting or declining the terms offered or declining them without detriment. When asking for consent, a controller has the duty to assess whether it will meet all the requirements to obtain valid consent. If obtained in full compliance with the GDPR, consent is a tool that gives data subjects control over whether or not personal data concerning them will be processed. If not, the data subject’s control becomes illusory and consent will be an invalid legal basis for processing, rendering the processing activity unlawful.

29 The GDPR also contains further safeguards in Article 7, which sets out that the data controller must be in a position to demonstrate that there had been valid consent at the time of processing. Also, the request for consent must be presented in a manner, which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Furthermore, the data subject must be informed of the right to withdraw consent at any time, in just as simple a way as it was to grant consent.

30 According to Article 9 GDPR, consent is one of the exceptions from the general prohibition for processing special categories of personal data. However, in such case the data subject’s consent must be ‘explicit’.

31 According to the EDPB Guidelines 05/2020 on consent under Regulation 2016/679, explicit consent under the GDPR refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent for specific processing purpose(s). An obvious way to make sure consent is explicit would be to expressly confirm consent in a written statement. Where appropriate, the controller could make sure the written statement is signed by the data subject, in order to remove all possible doubt and potential lack of evidence in the future.

32 Under no circumstances can consent be inferred from potentially ambiguous statements or actions. A controller must also beware that consent cannot be obtained through the same motion as agreeing to a contract or accepting general terms and conditions of a service.