Guide to the GDPR Part 3/3: How is consent given for data processing?

Our last article explaining the new EU data rules and regulations / Gtres
15 June 2018, Redaction

The new General Data Protection Regulation (GDPR) came into force on Friday 25th May and has been generating a lot of controversy since then. That’s why we’ve prepared this practical and easy-to-understand guide to help you better understand the subject. This is the third and final of three articles on the subject, published with the help of the Portuguese Association in Defence of Consumer Rights (Associação de Defesa dos Direitos do Consumidor or DECO).

How is consent given for the processing of data?

The GDPR only allows the processing of personal data if the data subject gives their consent for this purpose, unless there is another legal basis for such processing, such as one of these cases:

  • execution of a contract in which the data subject is part of the contract;
  • pre-contractual procedures at the request of the data subject;
  • compliance with a legal obligation to which the data controller is subject; defence of the vital interests of the data subject or third parties;
  • the exercise of functions of public interest or of the authority vested in the data controller;
  • legitimate interests pursued by the data controller or third parties, except where the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data prevail, in particular where the data subject is a child.

How is consent validated?

Consent is only considered valid if it corresponds to a "free, specific, informed and explicit manifestation of will by which the data subject accepts, by means of an unequivocal declaration or positive act, that the personal data concerning them are processed" and within the framework of the specific purposes authorised.

What about minors?

With regard to underage data subjects, the Portuguese State has determined that consent of the parents or legal guardians is legally required until the minor reaches the age of 13.

In its GDPR rulings, the European Union had left the need for consent by parents or legal guardians of young people aged 13 to 16 in the hands of each EU Member State, so the protection of youths could feasibly have been more stringent, according to DECO.

Ready to find the house of your dreams?

Ready to find the house of your dreams?

Find houses for sale and long term rentals on idealista