The importance of consent in the scope of personal data protection.



In times when the term “personal data” has become widespread both in the media and in the corporate world, this might be a brilliant opportunity to remember what it actually means in legal terms, and why it is so important. Pursuant to article 8(1) of the Charter of Fundamental Rights of the European Union and article 16(1) of the Treaty on the Functioning of the European Union (TFEU), personal data protection of all physical persons, regardless of their nationality or residence, is a fundamental right. Therefore, the General Data Protection Regulation of the EU, Regulation (EU) 2016/679, aims to protect such rights, securing justice, safety and the well-being of all individuals. While the protection of personal data is a fundamental right, it does not constitute an absolute right, as it must be balanced against other fundamental rights as well as its function within society, in line with the principle of proportionality. Due to the acceleration in technological advances and globalization, the collection and sharing of such sensitive information has increased, requiring as a result stronger legal protection of this fundamental right, where individuals can have control over their personal data by giving their “consent” whenever appropriate for such processing.

According to the definitions explicitly laid out in paragraph 11 of article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council, as published in the Official Journal of the European Union on April 27th of 2016, consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Moreover, for the consent to be considered valid, in accordance with article 4 and article 7, the following prerequisites must be fulfilled:

  • The consent must be given freely; the subject must be able to refuse or withdraw his/her consent without the risk of being at a disadvantage;
  • The consent must be informed;
  • The consent must be given for a specific purpose;
  • All reasons for processing must be clearly stated;
  • The consent must be explicit and given via a positive act;
  • The language used must be clear and plain and clearly visible;
  • The subject must be able to withdraw his/her consent at any time and such fact must be explained.

Moreover, where consent is given for processing, the data must only be processed for the purposes for which the consent was given and for no other purpose. This is why it is so important for the consent to be informed before it is given, as the subject must be able to have knowledge of the following information:

  • The identity of the data processor and/or controller;
  • The purposes of the data processing;
  • The type of data to be processed;
  • The choice of consent withdrawal;
  • Where necessary, it must be stated that the processed data shall be used only for automated-based decision-making, including profiling of the subject;
  • In case of international transfers of data, the possible risks of data transfers to third countries outside the EU must be stated.

Another interesting question is, what happens with data processing related to minors? Who must give the consent in order for it to be valid and lawful? The answer is explicitly stated in article 8 of the Regulation, where the conditions applicable to such consent are thoroughly explained.

In the event that the offer of information is directed to the child, the processing of personal data of the underage subject shall only be considered lawful if the minor is at least 16 years old. Otherwise, consent must be given or authorized by the holder of parental responsibility of the minor in question. Certain EU Member States may allow, by national legislation, such direct consent by the minor to be given at a lower age than 16 years old; however, it can never be below the age of 13 years old.

Furthermore, the data controller must make reasonable efforts to verify if the consent is indeed given or authorized by the holder of parental responsibility over the minor, with the use of technology.

In conclusion, consent is a very important element not only in data processing, but also in Contract Law and Law in general. Therefore, it is highly recommended to read thoroughly and evaluate legal documents, including consent forms, prior to signing anything or clicking on a digital button, and ask for legal advice, where necessary.


The present article is for informational purposes only and does not, under any circumstances, constitute legal advice. For further information on the subject, please contact our law firm and one of our attorneys shall be glad to assist you.


Nika Kalifatidou

Advocate – Legal Consultant

Managing Partner

T.K. & Associations Law Firm