Article 7 GDPR
|← Article 7: Conditions for consent →|
Legal Text[edit | edit source]
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Relevant Recitals[edit | edit source]
Commentary[edit | edit source]
Article 7 specifies in more detail the definition of the terms set out in Article 4 and supplements Article 6(1)(a) to meet the formal and legal requirements for valid consent in the data protection context. The conditions for consent to be given, as defined in Article 7, are based on preliminary work by the CJEU and the Article 29 Working Party, as well as on Member State law.
(1) Obligation to provide proof of consent[edit | edit source]
The obligation to provide proof under Article 7(1) is a measure of transparency. The duty of proof reminds the controller of the central position and the effect of consent and protects it at the same time against subsequent allegations that consent was not given.
The burden of proof presupposes that the processing is "based" on consent. In this respect, it must be clear to both the controller and the data subject that no other legal basis applies to the data processing.
The proof is an obligation of the controller.
(2) On the layout requirements in the case of connection with another matter[edit | edit source]
The principle of separation laid down in Article 7(2) ensures that consent is truly informed (see Article 6(1)(a)) not given incidentally. In this regard, this provision acts also as a consumer protection. The layout requirement of Article 7(2) sentence 1 is aimed at making sure that the specific request for consent as such, isolated, is seen by the data subject without further effort. The warning and information function applies also with regard to the legal consequences of consent. Making sure that consent forms are not bundled guarantees more control for the data subject when deciding to give consent.
(3) On the right to withdraw consent[edit | edit source]
The data subject can withdraw their consent at any time and should be made aware of this right before granting consent. Withdrawal should be as easy as giving it; however, the withdrawal will not retroactively affect any processing based on the consent prior to its withdrawal.
The data subject needs only provide the minimum amount of personal information needed to identify and authenticate them to successfully revoke their consent.
(4) On the free nature of consent[edit | edit source]
The data subject must have a free choice and be able to refuse or withdraw consent without suffering disadvantages. Any potential imbalance of powers shall be analysed on a case by case basis. (See also Article 6.)
Decisions[edit | edit source]
→ You can find all related decisions in Category:Article 7 GDPR