GDPR consent requirements

If consent is to be the legal basis for processing personal data, it must be freely given, specific, informed and unambiguous. In general, consent will be appropriate only where we are able to offer the individual a genuine choice over whether and how their data is used.

The data subject should show their agreement to the processing of their personal data by a statement or a clear affirmative action, such as ticking a box or signing a form. This means that consent can be expressed only through a positive opt-in and not through a failure to opt out.

If the request for consent is in writing it should be in an intelligible and easily accessible form, using clear and plain language.

Data subjects have the right to withdraw consent at any time, and it must be as easy to withdraw consent as it is to give it. Data subjects must be informed of their right to withdraw consent at the same time as they are asked to provide it.

The GDPR stipulates that consent will not be regarded as freely given if:

  • an individual is offered a service that depends on his/her giving consent for unrelated processing activities; or
  • an individual is not allowed to consent separately to different types of processing activities; or
  • there is a clear imbalance in power between the organisation and the individual, particularly where, as with the University, the organisation is defined as a public authority. There is no absolute ban on public authorities relying on consent but it must be emphasised to the individual that they will not suffer any detriment if they choose to refuse consent.

Please refer to the section on Lawful processing – personal data for further guidance.