Key points on explicit consent for data protection compliance

Personal data cannot be processed without the explicit consent of the data subject where other legal bases are not applicable (Article 5(1) of the Data Protection Law). Explicit consent should be freely given, specific, and informed (Article 3 of the Data Protection Law).

Explicit consent: means the consent given by the data subject which is based on being clearly informed and given out with free will for a specific action.

Companies would be prudent to both record and retain consents, either in writing or electronically.

Explicit consent shall enable the data subject to determine the limits, scope, manner and time of the data which he consented to be processed. In this sense, explicit consent must include “positive declaration of intention” of the data subject who consents. Generally, it is also possible to take explicit consent through electronic media. The burden of proof here is on the data controller.

Under the definition of explicit consent set out in Article 3 of the Law, explicit consent has 3 following elements:

• Related to a specified issue.
• Based on the information.
• Declared by free will.

General explicit consents which are not restricted to a specified issue and the relevant transaction are accepted as “blanket consents” and are deemed legally invalid. For example; consent statements which do not indicate a specified issue or activity such as “all kinds of commercial transactions, banking transactions, and data processing activities” can be deemed blanket consents.

Giving explicit consent is a strictly binding right for the individual, the data subject can withdraw his explicit consent. Since the data subject has the right to determine the future of his personal data, he can withdraw his consent at any time. However, withdrawal of explicit consent will have forward-looking results, all transactions carried out on the basis of explicit consent must be stopped by the data controller as of the time he learns of the withdrawal.