Definition of Consent

The GDPR, Art. 4 (11) defines ‘consent’ of the data subject as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. 

The ICO provides guidelines on how to comply with the GDPR’ requirement of consent. Consent requires an opt-in action, has to be separated from other terms and conditions, and information about what the data subject for is consenting for, how can they withdraw their consent and about any third parties that rely on consent.

Please visit:

Special Categories of data

According to Art. 9 of the GDPR special categories of data include:

  • racial or ethnic origin,
  • political opinions,
  • religious or philosophical beliefs,
  • trade union membership
  • genetic data
  • biometric data
  • health
  • sex life or sexual orientation.


The processing of this type of data is prohibited unless one of the conditions in Art. 9 (2) applies.

The Data Protection Act 2018 adds more specific conditions and safeguards:

  • Schedule 1 Part 2 contains specific conditions for the various employment, health and research purposes under Articles 9(2)(b), (h), (i) and (j).
  • Schedule 1 Part 3 contains specific ‘substantial public interest’ conditions for Article 9(2)(g).
  • In some cases an ‘appropriate policy document’ must be provided to rely on these conditions.

Please visit:

Children’s age

According to the Data Protection Act 2018 (Chapter 2: The GDPR, Lawfulness of Processing), if processing personal data of children younger than 13-year-old,  parental/guardians consent is required first.

Please visit: