A requirement of the GDPR
Explicit consent is required in several cases by the GDPR:
Collection of sensitive data
Article 9 of the GDPR states that the processing of special categories of (or sensitive) data is prohibited in principle, subject to certain exceptions. These exceptions include the individual's explicit consent.
Automated decision-making
Purely automated decision-making mechanisms that produce legal effects or significantly affect the individual are prohibited. Here again, Article 22 c) of the GDPR provides an exception on the basis of the person's explicit consent.
Transfers outside the EU
Transfers outside the EU/EEA are subject to minimum guarantees. These guarantees include derogations for specific situations, including explicit consent (Article 49 1. a).
The explicit nature of consent
This explicit nature is not defined in the GDPR but it can be compared with other provisions, for example, express consent within the meaning of Article L. 1122-1-1 of the French Public Health Code concerning interventional public health research on the human person involving minimal risks.
The legislator's intention is thus to seek stronger consent than "traditional" consent. In particular, explicit consent must be free, specific, informed and unambiguous. But it must also be affirmed in a clear statement. In short, explicit consent must not be capable of being inferred from a person's actions, but must be characterised by words that are clearly expressed (in writing or orally, but proof will be easier in writing).
You might think of civil marriage, which is a good example of explicit consent between spouses.
A declaration of explicit consent must also make specific reference to the element of the processing that requires explicit consent. For example, the statement must specify the nature of the sensitive data, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of transferring it outside the EU/EEA where applicable.
Finally, in accordance with Recital 43 of the GDPR, explicit consent must be separated from other consent where applicable.
Examples of explicit consent
A few examples are provided for the data controller:
- A consent collection box that is not pre-checked
- A written declaration signed by the data subject
- The sending of a verification email to the person consenting to the processing of this sensitive data.
Example: a beauty salon asks for skin colour on the registration form.
As this data is sensitive (revealing racial or ethnic origin), explicit consent must be requested.
☐ I agree to the use of information about my skin colour to receive offers of appropriate beauty products.