
What is consent to process personal data? A practical guide for businesses and users


In a world ruled by data, consent has become one of the most important and at the same time most misunderstood concepts in the company-customer relationship. For users, it is an expression of control over their own privacy, and for businesses, it is a key legal basis that legitimizes many activities, especially in the area of marketing and communications. The introduction of RODO (GDPR) has revolutionized the approach to consent, imposing strict requirements on companies to obtain and manage it.

Vague clauses, default checkboxes and making it difficult to withdraw consent – these are practices that are not only illegal, but also destroy the trust that is the foundation of modern business. Understanding what constitutes valid, informed consent is essential today for every entrepreneur, marketer and manager. In this practical guide, we explain what conditions consent must meet, how to formulate it properly, in which situations it is necessary, and which mistakes to avoid in order to operate fully legally and build lasting, transparency-based relationships with customers.

What is consent for data processing and why is it one of the legal bases in RODO?

Consent to the processing of personal data, as defined by the RODO (GDPR), is a voluntary, specific, informed and unambiguous demonstration of will by which the data subject, in the form of a statement or explicit affirmative action, consents to the processing of personal data concerning him or her for a specific purpose. It is one of the six pillars, or so-called legal grounds, listed in Article 6 of the GDPR that legalize data processing.

The importance of consent is that it puts control of the data in the hands of the data subject. It is a fundamental mechanism that allows an individual to decide who can use information about him, for what purpose and to what extent. Unlike other legal bases, such as the performance of a contract or a legal obligation, consent is based on complete voluntariness and can be withdrawn at any time.

For an entrepreneur, consent becomes a key legal basis in situations where other bases are not applicable. In particular, it is essential for marketing activities – for example, for sending newsletters, personalized commercial offers or for using cookies for advertising purposes. Without validly obtained consent, many of these common marketing activities would simply be illegal and at risk of heavy financial penalties.

What conditions must a consent meet to be considered valid (voluntariness, awareness, unambiguity)?

For consent to data processing to be valid under the RODO, it must meet four stringent cumulative conditions. Failure to meet even one of them renders the consent invalid and data processing based on it illegal.

1. Voluntariness: The data subject must have a genuine and free choice. The performance of a contract or the provision of a service cannot be made conditional on consenting to the processing of data that is not necessary for that purpose. For example, an online store cannot force a customer to agree to receive a newsletter in order to make a purchase. Consent for marketing must be optional.

2. Awareness: Before giving consent, a person must be clearly and comprehensibly informed of all key aspects of the processing. At a minimum, he or she must know who the controller of his or her data is, for what specific purpose the data will be processed, the scope of the processing, and that he or she has the right to withdraw consent at any time. This information should be presented in an accessible form, without complicated legal jargon.

3. Concreteness: Consent must relate to a specific, clearly defined purpose of processing. If a company wants to process data for several different purposes (e.g., sending newsletters, profiling offers, transferring data to partners), it should obtain separate consent for each of these purposes. It is unacceptable to collect one general consent “for everything.”

4. Unambiguity: Consent must be expressed through an active, unambiguous affirmative action. This can be checking a blank checkbox on a website, clicking a button or submitting a written statement. Silence, inaction or default checkboxes are never considered valid consent.


4 Features of Valid Consent according to RODO

| Feature | What does this mean in practice? | Correct example | Incorrect example |
| --- | --- | --- | --- |
| Voluntariness | The user has a real choice; consent is not a condition of service. | Optional checkbox to sign up for the newsletter when shopping. | “To create an account, you must agree to receive marketing offers.” |
| Awareness | The user is fully informed about the purpose, scope and controller of the data. | Under the checkbox is a link to the privacy policy and a clear message. | Consent hidden in long, incomprehensible regulations. |
| Concreteness | Consent is obtained separately for each clearly defined purpose. | A separate checkbox for the newsletter, a separate one for profiling. | One checkbox with consent “for marketing and analytics purposes.” |
| Unambiguity | The user must perform an active action to give consent. | A blank checkbox that the user must check himself. | Default checkbox (“pre-ticked box”). |

In what business situations (e.g. newsletters, recruitment) is obtaining consent absolutely necessary?

Although consent is one of the most important legal bases, it is not always necessary. However, there are several typical business situations in which obtaining it is not only good practice, but an absolute necessity, and its absence is a serious violation of the law.

The most classic example is direct marketing. If a company wants to send marketing communications such as newsletters, information about promotions or personalized commercial offers to potential or existing customers electronically (e-mail, SMS), it must obtain their prior, explicit consent to do so. This follows not only from the RODO, but also from other regulations, such as the Electronic Services Act.

Another area is the use of cookies and similar technologies for non-essential purposes. While technical cookies, necessary for the proper operation of the site (e.g., session maintenance, shopping cart), do not require consent, all others – analytical, advertising, tracking – may be used only after active user consent has been obtained through a properly constructed cookie banner.

Consent is also often necessary in recruitment processes. While the processing of a candidate’s data for the purposes of a current, specific recruitment is based on the provisions of the Labor Code and the desire to conclude a contract, the desire to retain a candidate’s resume for future recruitment already requires the candidate’s separate, voluntary consent. Similarly, if in the recruitment process we want to process data beyond the catalog specified in the Labor Code (e.g., image), we also need to ask the candidate for consent.

How to properly formulate consent clauses on a website or in documents?

Proper wording of the consent clause is crucial to its validity. The clause must be structured in such a way that the person giving consent is fully aware of exactly what he or she is agreeing to. It should be concise, written in simple and understandable language, and easily distinguishable from other provisions, such as the regulations.

A good consent clause should contain several essential elements. First, it must clearly indicate the purpose (or purposes) of the data processing. Instead of a vague statement “I agree to the processing of data for marketing purposes,” it should be made more specific, such as “I agree to receive commercial information about company X’s products and services electronically to the e-mail address provided (newsletter).” If there are several purposes, each should have a separate clause and a separate checkbox.

Second, the clause or the information directly next to it should indicate the identity of the data controller (company name). In addition to the content of the consent itself, it is necessary to include a reference to more detailed information, the so-called RODO information obligation. This is most often accomplished by including a link to the Privacy Policy, which details all aspects of data processing, including your rights.

Finally, the clause must be combined with an active expression of will mechanism, i.e. an empty checkbox that the user must check himself. The text next to the checkbox should be unambiguous, e.g. “I agree to…” and not “I declare that I have read…”. It is important to avoid combining in one clause consent to data processing with acceptance of the terms of service – these are two different legal actions.

Is a “default checkbox” a sufficient form of consent?

Absolutely not. The use of pre-ticked checkboxes by default is one of the practices explicitly prohibited by the RODO and deemed insufficient to obtain valid consent. This point has been repeatedly confirmed both in the guidelines of European data protection authorities and in the case law of the Court of Justice of the European Union.

The problem with the default checkbox is that it violates two fundamental principles of valid consent: unambiguity and voluntariness. Consent must be the result of an active, informed action by the data subject. Checking the box is such an action. However, if the box is checked by default and the user simply clicks “next” or “I accept,” he or she does not perform any active action confirming consent. Their inaction (not unchecking the box) is interpreted as consent, which is unacceptable. Silence or lack of objection does not imply consent.

Such a practice also undermines voluntariness. A user, especially when acting in haste, may fail to notice a checked box and unknowingly “agree” to something they did not want at all. RODO requires that consent be an informed and free choice. Defaulting to a checkbox is a form of manipulation or, at the very least, an attempt to influence the user’s decision, which contradicts the spirit and letter of the regulation.

Therefore, the only correct and safe practice is to use blank, unchecked checkboxes by default. The user must check the box himself, by actively clicking on it, in order for his consent to be considered valid and legally effective. Any company that follows the still outdated practice of default checked consents exposes itself to serious legal and financial risks.

How does the company need to manage and prove the consents it has obtained?

Obtaining valid consents is only the beginning of a company’s responsibilities. Equally important is the proper management of these consents throughout their lifecycle and the ability to prove that they were legally collected. This is a key element of the principle of accountability, one of the foundational principles of the RODO.

The company must implement a system that allows it to accurately record and store evidence of the acquisition of each consent. It is not enough to simply add an email address to a mailing list. It is necessary to keep information about who gave consent (e.g., user ID, email address), when they did so (exact date and time), what exactly they agreed to (the content of the consent clause that was displayed to them), and how they did so (e.g., through a form on website X, from IP address Y). Having such logs is essential so that, in the event of a DPA audit or a user complaint, we can prove that the consent was valid and was legally obtained.

The consent management system must also enable easy and effective management of the consent lifecycle. This primarily includes a mechanism to handle the withdrawal of consent. When a user decides to withdraw consent, the company must have a process in place to ensure that their data is promptly removed from relevant lists (e.g., marketing) and that they stop receiving unwanted communications. This process should be as simple as giving consent.

Finally, the system must ensure that consents are up-to-date and relevant to the purposes. If a company plans to change the purpose of data processing, it must obtain a new, separate consent. It is also important to regularly review the consents obtained to ensure that the documentation is complete and the mechanisms are working properly. Many modern marketing platforms (Marketing Automation) or CRM systems offer built-in consent management modules that greatly simplify this process.

How can a user easily withdraw consent to process their data?

The right to withdraw consent at any time is one of the fundamental rights individuals have under the RODO. Moreover, the regulation requires data controllers to make the process of withdrawing consent as easy as giving it. This means that a company must not create artificial barriers or impediments for users who want to opt out of further processing of their data.

In practice, any marketing communication sent on the basis of consent, such as a newsletter, must include a clear and easily accessible mechanism for withdrawing consent. The most common is an unsubscribe link, placed in the footer of each email. Clicking on this link should lead to a page where the user can confirm his or her opt-out with one or two clicks. It is unacceptable to require the user to log in, fill out complicated forms or send a written statement to unsubscribe from the newsletter.

Similarly, if the consent was collected through a website, the user should be able to withdraw it through the same site, for example, in the settings panel of their account. The company should provide a dedicated section for managing consents, where the user can easily see what they have consented to and uncheck the appropriate checkboxes.

Note that the withdrawal of consent is effective for the future. This means that the processing of data that took place before its withdrawal remains legal. However, from the moment the consent is withdrawn, the company can no longer process the data for the purpose for which the consent was withdrawn and must delete it immediately, unless there is another legal basis for its continued storage (such as an obligation under tax law).
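The accountability log described above (who consented, when, to which exact clause, how and from where) and the withdrawal rule in the previous paragraph (effective for the future only, processing before withdrawal stays lawful) can be expressed as a small consent ledger. The following is an added example written for this guide, not code from nFlo or any named product; the company name “Example Co”, the two purposes, the clause wording, the form field names and the timestamps are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from hashlib import sha256
from typing import Dict, List, Optional

# Constructed purposes and clause texts for a hypothetical "Example Co".
# One clause per purpose: concreteness means no shared "marketing and analytics" field.
CLAUSES: Dict[str, str] = {
    "newsletter": ("I agree to receive commercial information about Example Co's "
                   "products and services electronically to the e-mail address "
                   "provided (newsletter)."),
    "profiling": "I agree to Example Co profiling offers based on my purchase history.",
}


def ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as '2024-01-10T12:00:00Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class ConsentRecord:
    subject_id: str                   # who consented (user ID or e-mail address)
    purpose: str                      # the single, specific purpose
    clause_text: str                  # exact wording displayed at the time
    clause_hash: str                  # SHA-256 of that wording, for tamper-evident proof
    given_at: datetime                # exact time of the affirmative action
    source: str                       # where (e.g. "signup form /register")
    ip: str                           # from which address
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Accountability log: records, withdrawals and point-in-time lawfulness checks."""

    def __init__(self, clauses: Dict[str, str]) -> None:
        self.clauses = clauses
        self.records: List[ConsentRecord] = []

    def record_from_form(self, subject_id: str, form: Dict[str, str],
                         given_at: datetime, source: str, ip: str) -> List[ConsentRecord]:
        """Turn one submitted form into one record per purpose.

        Unambiguity: only a checkbox the user actually ticked (posted value "on")
        counts; an absent field is silence and yields no consent.  Fields that are
        not consent clauses (e.g. acceptance of the terms of service) are ignored,
        because accepting terms is a different legal action from giving consent.
        """
        created = []
        for purpose, clause in self.clauses.items():
            if form.get(f"consent_{purpose}") != "on":
                continue
            created.append(ConsentRecord(
                subject_id=subject_id, purpose=purpose, clause_text=clause,
                clause_hash=sha256(clause.encode("utf-8")).hexdigest(),
                given_at=given_at, source=source, ip=ip))
        self.records.extend(created)
        return created

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> int:
        """Close every open record for the purpose; returns how many were closed.
        Nothing is deleted: the record remains as proof that earlier processing was lawful."""
        closed = 0
        for r in self.records:
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = at
                closed += 1
        return closed

    def is_lawful(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """True if an unwithdrawn consent covered the purpose at time `at`."""
        return any(
            r.subject_id == subject_id and r.purpose == purpose
            and r.given_at <= at and (r.withdrawn_at is None or at < r.withdrawn_at)
            for r in self.records)

    def active_subjects(self, purpose: str, at: datetime) -> List[str]:
        """Recipients a mailing for `purpose` may go to at time `at`."""
        return sorted({r.subject_id for r in self.records
                       if r.purpose == purpose and self.is_lawful(r.subject_id, purpose, at)})

    def evidence(self, subject_id: str, purpose: str) -> List[dict]:
        """What to hand to a supervisory authority or a complainant."""
        return [vars(r) for r in self.records
                if r.subject_id == subject_id and r.purpose == purpose]


def demo() -> dict:
    """Constructed scenario: consent given in January, withdrawn in February."""
    ledger = ConsentLedger(CLAUSES)
    # Newsletter ticked, profiling left blank, terms accepted (not a consent).
    form = {"consent_newsletter": "on", "terms_accepted": "on"}
    given = ledger.record_from_form("user-42", form, ts("2024-01-10T12:00:00Z"),
                                    "signup form /register", "203.0.113.5")
    ledger.withdraw("user-42", "newsletter", ts("2024-02-09T08:30:00Z"))
    return {
        "purposes_recorded": [r.purpose for r in given],
        "lawful_before": ledger.is_lawful("user-42", "newsletter", ts("2024-01-20T00:00:00Z")),
        "lawful_after": ledger.is_lawful("user-42", "newsletter", ts("2024-02-09T09:00:00Z")),
        "profiling_ever": ledger.is_lawful("user-42", "profiling", ts("2024-01-20T00:00:00Z")),
        "recipients_now": ledger.active_subjects("newsletter", ts("2024-02-09T09:00:00Z")),
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. Withdrawal never deletes the record, because the record is the proof that the January mailings were lawful; it only closes the consent from the withdrawal time onward, which is exactly why `is_lawful` takes a point in time. And the hash of the clause text is stored alongside the text itself, so a later rewording of the clause on the website cannot silently change what a past record appears to say.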

What is the difference between marketing consent and consent for contract processing?

This is one of the most common and important distinctions that every business must understand. Confusing the two situations and trying to force marketing consent as a condition of contract execution is a serious mistake and a violation of the principles of RODO.

The processing of data for the performance of a contract is based on a different legal basis than consent – this is Article 6(1)(b) of the RODO. It says that the processing of data is legal if it is necessary for the performance of a contract to which the data subject is a party, or to take action at the request of the data subject before entering into a contract. In this situation, the company does not need to ask the customer for consent. This is logical – in order for an online store to ship the ordered goods, it must process the customer’s delivery address. For a telecommunications company to issue an invoice, it must process the subscriber’s data. The processing of this data is inextricably linked to the performance of the service and follows directly from the contract.

Marketing consent is a completely different situation. It applies to activities that are not necessary for the performance of the contract, but are intended to promote the company’s products or services. Sending newsletters, information about promotions or personalized offers is not necessary to sell a customer a product he has already ordered. Therefore, for such activities, the company must obtain separate, voluntary consent from the customer (Article 6(1)(a) of the RODO).

The key difference is voluntariness. A customer cannot be forced to give consent to marketing in order to buy a product. This consent must be optional and presented as an additional possibility, and its absence must not adversely affect the delivery of the basic service. Combining the two and making the conclusion of a contract dependent on marketing consent is a clear violation of the principle of voluntariness.

What are the consequences of processing data without a valid legal basis or despite the withdrawal of consent?

Processing personal data without having a valid legal basis, including on the basis of invalid consent or after its effective withdrawal, is one of the most serious violations of the provisions of the RODO. The consequences of such an action can be extremely severe and range from financial sanctions to severe image damage.

The most immediate consequence is heavy administrative fines, imposed by the supervisory authority. Processing data without a legal basis is a violation of the fundamental principles in Articles 5 and 6 of the RODO, which qualifies for a higher penalty threshold of up to €20 million or 4% of a company’s total annual worldwide turnover. The Data Protection Authority (DPA) has repeatedly levied hefty fines against companies that conducted marketing activities without obtaining valid consents or continued them despite their withdrawal.

In addition to financial penalties, the supervisory authority can apply other remedies. It can issue an order to stop processing data, which, in the case of a company whose business model is based on marketing, can mean paralyzing operations. It can also order the deletion of illegally acquired data, which entails the loss of the entire marketing base built up over the years.

Finally, the civil and image consequences should not be forgotten. Any person whose data has been processed illegally has the right to seek compensation for the tangible and intangible damages suffered. Information about the punishment of a company for violating the right to privacy, publicized by the media, leads to a loss of customer confidence and damage to reputation, which in the long run can be much more costly than the financial penalty itself.

Is consent always the best basis for data processing?

Definitely not. Although consent is one of the best-known legal bases in RODO, it is by no means a “better” or “more important” basis than the others. Moreover, in many business situations, basing processing on consent is not only unnecessary, but even inappropriate and risky. The choice of the appropriate legal basis must always result from an analysis of the specific purpose and context of the processing.

As mentioned earlier, where data processing is necessary for the performance of a contract with a customer (e.g., handling an order, providing a service), the appropriate and much more stable legal basis is the contract itself (Article 6(1)(b) of the RODO). Basing this process on consent would be a mistake – what would happen if a customer withdrew consent after placing an order? Would the store not send him the goods? The contract as a legal basis is much more appropriate in this case.

Similarly, if data processing is required by other laws, the company must rely on the basis of a legal obligation (Article 6(1)(c) of the RODO). For example, an employer must process employee data in order to pay Social Security contributions and taxes – this follows directly from the law and does not require the employee’s consent. Similarly, a company must keep invoices for a certain period of time for tax audits.

Consent is a fragile basis because it is revocable at any time. Therefore, it should be used mainly in situations where there is no other, more appropriate legal basis, and the action is optional and additional from the perspective of the data subject. Ideal examples are marketing, analytics or participation in loyalty programs. In many other cases, relying on the controller’s legitimate interest (Article 6(1)(f) RODO) may be more appropriate, subject to an appropriate balancing test.

What mistakes do companies make most often when collecting and managing consents?

Based on the decisions of the President of the Office for Personal Data Protection (UODO) and market practice, it is possible to identify several recurring mistakes that Polish companies make in the context of data processing consents. Avoiding them is key to ensuring compliance.

One of the most common mistakes is a lack of accountability, that is, the company’s inability to prove that it has obtained valid consent. Many companies simply add email addresses to their marketing databases, but do not keep any evidence of when, how and to what content of the clause the person consented. In the event of an audit or complaint, the company is unable to show that it acted legally.

Another common problem is the formulation of incorrect consent clauses. Often they are too general (“I agree to data processing for marketing purposes”), do not indicate the controller, or combine consent for several different purposes in one checkbox. It is also a mistake to hide consent in a lengthy regulation, which violates the principle of transparency and awareness.

Companies still have a problem with the correct consent mechanism. Despite the fact that it has been many years since RODO came into effect, it is still possible to find websites using checkboxes by default, which is a clear violation of the regulations. Another mistake is making the provision of a service conditional on marketing consent, which violates the principle of voluntariness. Finally, a common omission is to obstruct or ignore requests to withdraw consent, which is a direct violation of data subjects’ rights.

About the author:
Justyna Kalbarczyk

Justyna is a versatile specialist with extensive experience in IT, security, business development, and project management. As a key member of the nFlo team, she plays a commercial role focused on building and maintaining client relationships and analyzing their technological and business needs.

In her work, Justyna adheres to the principles of professionalism, innovation, and customer-centricity. Her unique approach combines deep technical expertise with advanced interpersonal skills, enabling her to effectively manage complex projects such as security audits, penetration tests, and strategic IT consulting.

Justyna is particularly passionate about cybersecurity and IT infrastructure. She focuses on delivering comprehensive solutions that not only address clients' current needs but also prepare them for future technological challenges. Her specialization spans both technical aspects and strategic IT security management.

She actively contributes to the development of the IT industry by sharing her knowledge through articles and participation in educational projects. Justyna believes that the key to success in the dynamic world of technology lies in continuous skill enhancement and the ability to bridge the gap between business and IT through effective communication.