GDPR
The General Data Protection Regulation (GDPR) sets specific conditions for the processing of personal data of a natural person (data subject) to be lawful. Among the legal bases of processing defined in Article 6 of the GDPR is the consent - consent of the subject to the processing.
In particular, consent means the clear declaration of the data subject, which consists of the free, specific, explicit and fully informed indication of his agreement in favor of the processing of the data concerning him.
The GDPR specifies the manner in which consent must be granted by providing for a series of conditions that must be met cumulatively:
(a) Consent should be freely given, which presupposes that the data subject has a true and free choice while being able to refuse or withdraw consent without prejudice. In order to express free will to give consent, the subject should not be threatened, deceived or deceived.
(b) The data subject must consent to the processing in a specific manner, i.e. in relation to a specific processing purpose and not in general and vague terms. Consent should therefore cover all processing activities carried out for the same purpose or purposes. This means that when the processing has multiple purposes, the data subject should consent individually for each of these purposes so as to ensure the transparency and controllability of the data processing. A "general" consent to the processing of his data may include processing purposes that, if the subject had been aware of, he would probably not have consented.
(c) The controller should provide the data subject with all necessary information in plain and understandable language. Long texts with unintelligible expressions are not considered to meet this condition. A typical example is the usual privacy policy terms which the user - data subject does not read but consents to, for example, in order to use the application. Among the information that should be communicated to the data subject is the identity of the controller, the category of data to be collected and processed and the existence of the right to withdraw consent.
(d) The data subject must agree to the processing in an explicit and clear manner, i.e. with a statement or with a clear positive action (e.g. by filling in a box when visiting an online website, with a written or oral statement, etc.). By contrast, it follows that pre-filled boxes, inactivity or silence do not constitute legal consent to processing.
(e) The declaration of consent should be provided in advance of the processing. Therefore, the controller should make the request for consent to the data subject in advance and not afterwards.