Guidelines 02/2018 on Derogations of Article 49 GDPR

Paragraph 2.1.1  Consent must be explicit

According to Article4 (11) of the GDPR, any consent should be freely given, specific, informed and unambiguous. On this very last condition, Article 49 (1) (a) is stricter as it requires “explicit” consent. This is also a new requirement in comparison to Article 26 (1) (a) of Directive 95/46/EC, which only required “unambiguous” consent. The GDPR requires explicit consent in situations where particular data protection risks may emerge, and so, a high individual level of control over personal data is required, as is the case for the processing of special category data (Article 9 (2) (a)) and automated decisions (Article 22 (2)(c)). Such particular risks also appear in the context of international data transfers.

For further guidance on the requirement of explicit consent, and for the other applicable requirements needed for consent to beconsidered valid, please refer to the WP29’s Guidelines on Consent which are endorsed by the EDPB.