There is a lot of misunderstanding concerning the extent to which the GDPR requires consent from data subjects. In my line of work, I meet a lot of people who have the impression that consent will be required for all of their organization's processing of personal data. This could not be further from the truth. Consent is just one of many legal bases for processing personal data, and should in principle be considered last. The "downside" of consent is that it requires an action from the data subject, can be withdrawn at any time, and is not valid if the imbalance of power between the data subject and the party asking for consent is too great (e.g. between employer and employee). Many controllers tend to use consent when it isn't really needed, as a sort of safe haven when they are not sure what else to do. If the organization does not rely on the correct legal basis, its processing may not be lawful.
Consent in GDPR
I will now comment on each of the legal bases in Article 6(1).
Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
A typical example is an employment contract. An employer can lawfully process an employee's personal data if the processing is relevant to fulfilling the terms of the employment contract. This means that employers do not have to run around obtaining consent from employees when the GDPR is put into practice.
(c) processing is necessary for compliance with a legal obligation to which the controller is subject.
Organizations have legal obligations other than the GDPR; accounting laws, for example, require the organization to store personal data for a certain period of time. It is lawful for the controller to store this data, and it should not delete it before that legal obligation has been fulfilled.
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person.
This basis is about emergencies, for example when a person suddenly becomes seriously ill and personal data is needed to identify them.
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Under the Data Protection Directive, it was standard for many public authorities to rely on the 'legitimate interests' basis. This is no longer permissible; they will need to rely on this basis instead.
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
In many cases an organization can justify its processing if the benefits of the processing outweigh the risk to the data subject. In Recital 47, direct marketing is explicitly mentioned as a possible legitimate interest. This means that direct marketing can be carried out without consent, but only if it meets the criteria I stated at the beginning of this paragraph.