What is explicit consent and when do you need it?
Explicit consent in GDPR
Despite the specific references to the need for "explicit consent" in the GDPR, this term is not separately defined.
However, one way of looking at "explicit consent" is that it should leave no room for misinterpretation.
The Article 29 Working Party guidance on consent states that the term 'explicit' means that the data subject must give an express statement of consent.
Thus, an explicit consent statement should specifically refer to:
- the particular data set that is to be processed,
- the precise purpose of processing (including any automated decision-making),
- should identify any risks and/or implications that might arise for the data subject as a result of the data processing, and
- should provide any other relevant and specific information that might influence the decision of a data subject to give or not give their consent.
Other than that, the requirements for explicit consent are the same as the GDPR’s formal definition of consent in Article 4(11) and the consent must also meet the conditions specified in Article 7.
GDPR Article 9(2)(a) allows the processing of special categories of personal data where "... the data subject has given explicit consent to the processing of those personal data for one or more specified purposes ..."
GDPR prohibits data transfers to third countries or international organisations, where there is no adequacy decision (Article 45) or appropriate safeguard (Article 46), except where the data subject has been adequately informed of the risks of consenting to these kinds of transfers because of the lack of, among others, an appropriate safeguard as is mentioned in Article 49 and have given their explicit consent to the transfer anyway.
The Data Protection Act 2018, section 36(1)(a) provides that explicit consent may be one of the "suitable and specific measures" that are taken to safeguard the fundamental rights and freedoms of data subjects.
The Health Research Regulations 2018, Regulation 3(1)(e) states that explicit consent is one of the mandatory "suitable and specific measures" that must be in place for the processing of data for health research purposes unless the researcher has been granted a consent declaration under Regulation 5 or under the transitional arrangements (Regulation 6)
This guidance has been prepared by the HRB to help researchers in the health domain comply with GDPR requirements.
It is intended to be general guidance for educational and informational purposes only.
It is not legal advice.