Skip main navigation

Consent and the GDPR

This article discusses how consent is regulated under the GDPR.
Installation of sportapp
© University of Groningen
As you have learned, to be allowed to process data requires a legal basis. As regards health data, in many instances, the legal basis will be the provision of healthcare services by a professional subject to professional secrecy (Article 9 (2, h and 3)). In many other cases, the legal basis for processing health data, including for example medical research (which will be discussed in week 2) or apps, will be the explicit consent of the data subject (Article 9 (2, a)). Anna’s GP and gynaecologists can process her data because they are healthcare providers bound by confidentiality. An app intended to process health data needs to request Anna’s explicit consent to process her data.
Consent of the data subject within the meaning of the GDPR means a clear affirmative act establishing the freely given, specific, informed and unambiguous indication that the data subject agrees to the processing of his or her personal data. Freely given consent means that the data subject has a genuine or free choice or is able to refuse or withdraw consent without detriment. For consent to be informed, the data subject needs to be aware of the identity of the controller and the purpose of processing.
Consent needs to be given to all processing activities, which can be done for example by a written statement (including by electronic means) or an oral statement. If the data subject needs to give consent by electronic means, the request for consent has to be clear, concise and not unnecessarily disruptive. This type of consent can be given for example by ticking a box when visiting a website, choosing certain technical settings or any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing. Pre-ticked boxes or inactivity by the data subject do not constitute consent. This means that an app company for example needs to think about how to request consent in a manner that complies with the GDPR and how to demonstrate this to the supervisory authority upon request.
Where processing is based on consent, Article 7 determines that the controller needs to be able to demonstrate that the data subject has given consent to the processing activities. Furthermore, the request for consent needs to be presented in a clearly distinguishable form. This means that it cannot be buried within a contract or other written document. It needs to be presented in clear and plain language in an intelligible and easily accessible form which is clearly distinguishable from other matters (within a contract or other written document) and may not contain unfair terms. The data subject has the right to withdraw his or her consent at any time.
Do you have examples from you own experience where you have been asked to give consent to a data controller to process your data? Feel free to discuss these situations with other learners on the discussion board.
© University of Groningen
This article is from the free online

Protecting Health Data in the Modern Age: Getting to Grips with the GDPR

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education