Consent under the GDPR
Produced in partnership with Stephanie Pritchett of Pritchetts Law
Consent under the GDPR

The following Financial Services guidance note Produced in partnership with Stephanie Pritchett of Pritchetts Law provides comprehensive and up to date legal information covering:

  • Consent under the GDPR
  • Key guidance
  • What does ‘consent’ mean under the GDPR?
  • Is consent required and what happens if a controller cannot obtain consent?
  • Obtaining consent for the processing of special category data
  • How to obtain and withdraw consent
  • Consent from children

The General Data Protection Regulation (the GDPR), Regulation (EU) 2016/679 was published in the Official Journal of the EU on 4 May 2016. Its provisions became applicable and fully enforceable in all EU Member States from 25 May 2018.

It is worth noting that consents obtained under the previous data protection regime should still continue to be effective under the GDPR, provided that they meet the GDPR conditions. This is set out in GDPR, Recital 134, where it is stated that:

  1. Directive 95/46/EC (the Data Protection Directive) would be repealed by the GDPR

  2. processing already under way on the date of application of the GDPR should be brought into conformity with the GDPR within two years after the GDPR comes into force

  3. where processing is based on consent under the Data Protection Directive, it is not necessary for the data subject to give their consent again if the way the consent has been given is in line with the conditions of the GDPR, so as to allow the controller to continue processing after the date of application of the GDPR

For more information on the GDPR generally, see Practice Notes: The General Data Protection Regulation (GDPR), Key definitions under the GDPR and Data protection principles under the GDPR.

For discussion of the meaning of ‘consent’ under the Data Protection Act 1998 (DPA 1998) and