Consent under data protection law – avoid mistakes and pitfalls

by Nadja-Maria

According to the concept of Art. 6 Para. 1 GDPR, all possible legal bases for data processing are equally valid. When examining the legality of data processing, the necessity to execute a contract (Art. 6 Paragraph 1 lit. . f GDPR). Nevertheless, consent under data protection law according to Art. 6 Para. 1 lit. a GDPR continues to be popular and is often viewed as the legal basis of choice.

However, if you would like data processing in your company to be based on consent, a few important points must be observed. Particularly with the supposedly easy-to-use declaration of consent, problems lurk in the details which, if not observed, can lead to unlawful data processing.

The following errors and pitfalls in particular must therefore be avoided as a matter of urgency:

Unsuitable processing situations

When looking for a suitable legitimation for a specific type of data processing, too little consideration is often given to whether the consent is actually the most appropriate legal basis. In addition to many advantages, consent under data protection law also has some disadvantages that must be carefully considered when making a specific selection decision.

For example, consent is unsuitable for essential data processing operations within a contractual relationship. The background to this is that, due to the free revocability according to Article 7 Paragraph 3 Sentence 1 GDPR, the data subject could unilaterally withdraw the legal basis for data processing at any time. This could then lead to unsolvable problems, especially in ongoing contractual relationships.

Lack of traceability

The General Data Protection Regulation does not prescribe any special formal requirements for giving consent. It is therefore possible that a data subject may also give consent under data protection law verbally or even through implied action.

Nevertheless, the requirements of Art. 7 Paragraph 1 GDPR must not be lost sight of. According to this, the person responsible is obliged to be able to prove at any time that the data subject has given consent. Naturally, compliance with this obligation can be difficult if, for example, consent under data protection law has only been given orally.

We therefore recommend, wherever practicable, that the person concerned confirm the submission of the declaration of consent in writing.

Disregarding the age of the person concerned

Many companies do not only deal with adults in the context of data protection. In the field of in-company training, among other things, it is quite possible that minors are also affected by data processing.

Just as with other legal issues, the fact that a person concerned is a minor must always be taken into account for the declaration of consent under data protection law. Depending on the age and the circumstances, it may be that the minor is legally not in a position to give an effective declaration of consent. In such a case (additionally) the consent of the legal guardian may be used.

High hurdles for revocation

Once a person concerned has given their consent, the person responsible is of course very interested in maintaining this consent.

However, making the revocation of the declaration of consent by the data subject more difficult, or even deliberately thwarting it, would constitute a serious violation of the provisions of the GDPR.

On the contrary, according to Art. 7 Para. 3 S. 4 GDPR, the person responsible is even obliged to make the revocation as simple as giving consent. Therefore, every person responsible is urgently advised to implement a practicable and legally secure process not only for obtaining consent, but also for revoking it.

This list of errors and pitfalls in data protection consent is of course only a small selection and is not exhaustive. If you have any further questions about the legally compliant declaration of consent, please do not hesitate to contact us. Just contact us!


Nadja-Maria heads our in-house legal team. She studied law at the University of Passau, followed by a legal clerkship (Referendariat) and the first and second state examinations. Her specialty is data protection law. She keeps her in-depth knowledge up to date at all times. As a result, she always has advice on hand for a tailored solution for our clients and our team.