Silence does not constitute consent to data processing


Der Standard
2018, April 23

GDPR sets clear criteria for information obligation

It is a myth that under the General Data Protection Regulation (GDPR), data subjects must always agree to the processing of personal data. Many data processing activities can already be carried out without explicit consent on the basis of legal grounds or even obligations, such as the fulfilment of contracts or the protection of legitimate interests. That will not change. However, the examination is carried out in the reverse order: consent is only necessary as a last resort, if none of the standardized justifications apply.

If consent is required, it must be given explicitly and actively by the data subject. Silence, pre-checked boxes or other inactivity are not enough. In addition, the consent must be verifiably obtained. In practice, therefore, clean documentation must be ensured, e.g. in writing or through verifiable electronic processes.

Voluntariness and revocability

The most important requirements for valid consent are that it is voluntary and that it can be revoked free of charge and at any time. Where there is an imbalance between the parties, such as between the data subject and his employer or an authority, particular care must be taken to strike a balance.

The prohibition of coupling also comes into play: if the declaration of consent is made dependent on the conclusion of the contract, it is in most cases inadmissible. In practice, this is where the greatest conversion effort is required, since marketing approvals were previously often hidden in general terms and conditions. They must now be removed from there and offered as a separate, voluntary option.

Consent must be given in clear, simple language, with at least this content:

  • Name/Address of the controller
  • The types of data used
  • Detailed statement of purposes
  • Name/address of the recipients
  • Transmission purpose
  • Reference to the uncomplicated withdrawal at any time, free of charge
  • Link to further privacy policy according to Art 13 GDPR.

The challenge is to describe the processing scope in as much detail as possible, while at the same time informing the data subject briefly, concisely and in simple language. In addition, the possibility of withdrawal at any time must also be effectively ensured in the processes and systems.

For entrepreneurs, this means specifically checking their contract documents and consent processes against the new criteria and, if necessary, obtaining new consent in good time, especially if the previous consent does not meet the GDPR criteria and can therefore, in the worst case, no longer serve as the legal basis as of 25 May.


The material contained in this website is provided for general information purposes only and does not constitute legal or other professional advice. We accept no responsibility for loss which may arise from reliance on information contained on this site.