Understanding Article 7 of GDPR
Article 7 of GDPR outlines the conditions needed for a data subject to provide valid consent authorizing data controllers to collect, process and store personal data.
Processing based on consent (Article 7(1) GDPR)
When an organization processes personal data on the basis of the consent of a data subject, the company must be able to justify and prove that the data subject has consented to the processing of personal data.
When consent is given for multiple purposes (Article 7(2) GDPR)
When a person is asked to give consent in a declaration that concerns other matters as well, companies must make sure that the consent for the processing of personal data is made very explicit and clearly distinguishable from the other matters.
This way, data subjects are given the opportunity to become aware of the data processing purpose and to provide their consent knowing what they are consenting to.
Right to withdraw consent (Article 7(3) GDPR)
The law allows individuals to withdraw their consent at any given time.
When consent is withdrawn, the processing activities performed prior to the withdrawal of the consent will remain valid.
Also, companies must allow individuals to withdraw consent in an easy way.
In other words, withdrawing consent should be as easy as giving it.
Assessing the consent (Article 7(4) GDPR)
To assess whether a person’s consent was freely given, the authorities should consider whether an organization made the provision of unnecessary data a condition of rendering its services or performing its duties.
Recitals applicable to Article 7 of GDPR
Relevant Recitals: 32, 33, 42, 43
Cited Legislation in Article 7 or recitals
GDPR Text: Article 7 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)