According to the GDPR, consent must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes”. It should be a clear affirmative act in which you agree to the way the company or organization proposes to process your data. Consent can be given by ticking a box when visiting an internet website, or another statement or conduct, so long as it clearly indicates your intention to say “yes, I agree”.
Consent cannot be implied from your inactivity or a random action. The fact that you continue to use a given service or the fact that you closed the pop up informing you about GDPR does not mean that you gave consent. Only “clear affirmative actions ” can be interpreted as consent. For example, the fact that you typed your e-mail in the box requesting a newsletter can be interpreted as consent for data to be processed for this purpose.
Consent cannot be forced in any way (eg. by saying that without consent for processing data you cannot use a given service), nor can it be “hidden” in the general terms and conditions. It is not possible to agree to general terms and conditions AND to specific types of data processing with the same click. However, keep in mind that:
- Often companies do not have to ask for your consent, because they have other legal grounds to process your data (eg. data that is necessary to provide the service you want; data that is justified by their legitimate interest);