GDPR Countdown 2: How to get consumer consent and when is it required?

Share on twitter
Share on linkedin
Share on facebook

In today’s article, part 2 of our countdown to GDPR on May 25, we look at what the European Union General Data Protection Regulation (GDPR) says about consumer consent. For a discussion of when the GDPR can apply to Australian businesses see

consumer consent


By Dr Drew Donnelly, Compliance Quarter.
  1. Consent Defined

The definition of consent in article 4(11) of the GDPR provides that it be “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Compared to the existing EU data protection rules, and the definition in the Australian Privacy Act 1988, there is a greater emphasis in the GDPR consent definition on positive action from the data subject.

  1. Implementing Meaningful Consent

In implement the new definition of consent, draft guidance from the UK Information Commissioner is useful.[1] This guideline provides that consent should be

  • For example, a request for consent to send marketing emails should be separated from other terms and conditions. It should not be a pre-condition to a service;
  • Active opt-in. This means no pre-ticked opt-in boxes. An organisation could instead use unticked opt-in boxes or other active methods such as binary choice;
  • Organisations should give ‘granular’ options, allowing a data subject to consent separately to different types of processing (if there will be different types of processing) wherever appropriate;
  • The organisation should be named as well as any third parties who will be relying on the consent;
  • Organisations should keep records to demonstrate that the individual has consented to, including what they were told, and when and how they consented;
  • Easy to withdraw. Organisations should tell data subjects that they have the right to withdraw their consent at any time, and how to do it. It should be as easy to withdraw as it was to give consent.
  1. When is consent required?

Consent is a very important, but not the only, lawful ground for processing personal data. Under article 6(1), other grounds include where that processing is necessary for:

  • Fulfilment of a contract with the individual;
  • Compliance with a legal obligation;
  • Vital interests. You can process personal data if it’s necessary to protect someone’s life;
  • An official public function. if you need to process personal data to carry out your official functions or a task in the public interest;
  • Legitimate interests. If you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests. Organisations should take special care before processing data on this ground. Recital 47 to the GDPR states “the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place”.

If you would like tailored advice as to how your organisation can update its compliance program to account for the new consent requirements, please get in contact with us.

[1] See

More to explorer

Frozen planet Earth climate change concept

Getting Serious: The Peak Demand Reduction Scheme

The First PDR Initiatives:
– There will be incentives (rebates) for households to purchase and install energy efficient air conditioners (rebates for businesses ACs have been available for some time via other schemes);
– Businesses with EV fleets will be able to export power from their parked vehicles back in to the grid at peak times.

The two initiatives above were cited as examples in the press release on 28 September 2021. There is very little information available as to what other initiatives will be forthcoming.

When there is a lot of energy

Alinta Energy improves systems and waives more than $1 million in customer debt following an AER investigation.

On 8 October 2021, the Australian Energy Regulator (AER) announced that, in response to an investigation, Alinta Energy have substantially improved its systems and was waiving more than $1 million in energy debt owed by more than 400 of its customers.  The outcome arose as a result of an investigation carried out by the AER into alleged non-compliance with Alinta Energy’s obligations with respect to vulnerable customers and its hardship program. The AER was concerned that during the period September 2019

Leave a Reply

Your email address will not be published. Required fields are marked *