This post is also available in: Español

On May 6, 2020, the European Data Protection Board (EDPB) published a new version of its guidelines on consent as a legal basis for processing personal data (the Guidelines).

This new version responds to the need to clarify two issues that the Guidelines had previously addressed only superficially. It refers to the application of the validity criteria established in the data protection regulations to the consent required by the Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications.

The Guidelines still contain the following basic premises for consent to be valid as a legal basis: it must be granted freely, clearly, and specifically for each purpose, and it must be informed. Being free also means that it must be given in relationships where there is no excessive power imbalance between the parties, and it must be granted in a granular manner, separating the consent by purpose.

Conditional consent of the data subject (paragraphs 38 to 41)

In this revision of the Guidelines on consent as a legal basis, the EDPB stresses that the data subject cannot be forced to grant his or her consent to access a service. It clarifies that a data controller cannot prevent data subjects who do not grant consent from accessing services; this would not be free consent, and so it would not be valid as a legal basis for processing.

Unambiguous consent of the data subject (paragraph 86)

In relation to the need for unambiguous consent, the EDPB had previously clarified that some actions by the data subject can be sufficient for the consent to be unambiguous. Actions such as waving in front of a smart camera or turning a smartphone around can entail the data subject’s unambiguous consent.

The EDPB took the opportunity to give specific examples, disputed up to now and interpreted differently by the various data protection authorities of EU Member States, of actions that are not unambiguous when using the data subject’s consent as a legal basis for processing. The EDPB therefore stresses that actions such as scrolling through a website or similar actions by data subjects do not entail the data subject’s unambiguous consent.

This latter example expresses a different criterion to that of the Spanish Data Protection Agency, which specified in its guidelines on cookies that scrolling could be considered an unambiguous action by the data subject.

By Pedro Méndez de Vigo and Alejandro Negro
