
Explicit consent

Explanation of explicit consent in the GDPR

Paul-Emmanuel Bidault
26 December 2023 · 4 minutes read time

A requirement of the GDPR

Explicit consent is required in several cases by the GDPR:

Collection of sensitive data

Article 9 of the GDPR states that the processing of specific (or sensitive) data is prohibited by its very nature, subject to certain exceptions. These exceptions include the individual's explicit consent.

Automated decision-making

Purely automated decision-making mechanisms that produce legal effects or significantly affect the individual are prohibited. Here again, an exception in Article 22 c) of the GDPR allows such processing on the basis of the person's explicit consent.

Transfers outside the EU

Transfers outside the EU/EEA are subject to minimum guarantees. These guarantees include derogations for specific situations, including explicit consent (Article 49 1. a).

The GDPR does not define what makes consent "explicit", but the notion can be compared with other provisions, for example, express consent within the meaning of Article L. 1122-1-1 of the French Public Health Code concerning interventional public health research on the human person involving minimal risks.

The legislator's intention is thus to seek stronger consent than "traditional" consent. In particular, explicit consent must be free, specific, informed and unambiguous. But it must also be affirmed in a clear statement. In short, explicit consent must not be capable of being inferred from a person's actions, but must be characterised by words that are clearly expressed (in writing or orally, but proof will be easier in writing).

You might think of civil marriage, which is a good example of explicit consent between spouses.

A declaration of explicit consent must also make specific reference to the element of the processing that requires explicit consent. For example, the statement must specify the nature of the sensitive data, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of transferring it outside the EU/EEA where applicable.

Finally, in accordance with Recital 43 of the GDPR, explicit consent must be separated from other consent where applicable.

A few examples are provided for the data controller:

  • A consent collection box that is not pre-checked
  • A written declaration signed by the data subject
  • The sending of a verification email to the person consenting to the processing of this sensitive data

Example: a beauty salon asks for skin colour on the registration form.

As this data is sensitive (revealing racial or ethnic origin), explicit consent must be requested.

☐ I agree to the use of information about my skin colour to receive offers of appropriate beauty products.
