Today more than ever, privacy and data protection are at the forefront, especially with the introduction of the GDPR. But what does it really mean to give consent to personal data processing? It is one of the fundamental principles of this regulation, but understanding all its aspects can seem complicated. In this article, we will shed light on what it means to say "yes" to the processing of your data, the requirements for valid consent, and how companies can manage it effectively to offer an online experience that truly respects privacy.
What are personal data?
The General Data Protection Regulation (GDPR) defines personal data as "any information relating to an identified or identifiable natural person," known as the data subject.
An individual is considered identifiable when it is possible, even indirectly, to trace their identity through specific information such as name, surname, phone number, email address, or other data.
Examples of Personal Data:
- Directly identifying data: name, surname, tax code, identity document number.
- Contact information: residential address, email address, phone number.
- Financial data: credit card number, bank details.
- Digital data: IP addresses, device IDs, cookies, location data.
- Sensitive data (special categories): information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data (if used for unique identification), health data, sexual life, or sexual orientation.
Importance of personal data
The protection of personal data is crucial for safeguarding an individual's privacy. Proper management of this data helps limit risks of abuse, fraud, identity theft, and confidentiality breaches, giving individuals greater control over how their information is collected and used.
What is consent to personal data processing?
Consent to personal data processing is a declaration by which the data subject, i.e., the natural person to whom the data refers, authorizes a company or organization to collect, use, and manage their data.
Why is consent important?
Consent is the legal basis for processing personal data. Without valid consent, companies cannot collect, use, or store data unless specific legal exceptions apply. And beware: non-compliance can lead to hefty fines and severely damage your reputation.
Data processing involves various activities, from collection to storage, processing, and sharing. With the digital boom, one of the most common moments when consent is requested is during online browsing. Websites collect data through cookies, registration forms, and tracking, making it essential for companies to obtain clear and informed consent.
Consent for profiling and marketing activities
Profiling involves the collection and analysis of information about a user to predict behaviors, preferences, and needs. This activity may include the collection of browsing data, interests, and online interactions. Given the sensitivity of personal data, the GDPR requires users to give explicit and informed consent before being profiled.
Fundamental principles of processing
To comply with the GDPR, consent must be:
- Freely given: the user must have the option to accept or decline profiling without negative consequences.
- Specific: consent must pertain to clearly identified and specific activities, such as profiling for marketing purposes.
- Informed: users must know how and why their data is being collected.
- Unambiguous: consent must be clear and expressed through a specific action, such as checking a box.
The Regulation also requires that the data controller, beyond following these principles, be able to demonstrate that consent was collected in accordance with the Regulation. This principle is known as "accountability" and can be implemented by maintaining a consent log.
How to inform users transparently
The privacy policy and cookie banners are essential tools for clearly communicating profiling practices to users. Here’s what should not be missing:
- Description of purposes: clearly specify why you are collecting data and how it will be used for profiling.
- Type of data collected: indicate what data will be profiled, such as browsing data or personal information.
- Collection methods: explain if you use cookies, tracking tags, or other technologies.
- Consent log: keep track of user consent preferences, including the date, time, and how the consent was given or revoked. This not only ensures regulatory compliance but also transparently demonstrates respect for users' choices.
- Possibility to revoke consent: users must be able to revoke their consent at any time with ease.
How is consent collected?
To collect consent for personal data processing in a digital context, it is necessary to use specific tools like a consent solution.
A consent solution is designed to manage the collection, storage, and management of user consent in compliance with privacy regulations like GDPR.
Main features of a consent solution:
- Cookie consent banner
This element typically appears on a user’s first visit to a website, clearly and transparently informing them about the use of cookies and other tracking technologies.
The cookie banner allows the user to express their consent by selecting which categories of cookies to authorize, such as strictly necessary cookies, personalization cookies, or marketing cookies.
- Form integration
The consent solution enables the management of consent directly within contact forms, newsletter subscriptions, registrations, or service requests. For example, it can add checkboxes for privacy policy acceptance and ensure that data is processed only with the user's explicit consent.
- Preference management
Users can select which types of data they authorize for processing (e.g., essential, marketing, or analytical cookies).
- Consent record
The consent record is a tool that records and stores information related to the consent provided by users for the processing of their personal data.
This record is essential to demonstrate compliance with privacy regulations, as it provides a documented trail of the preferences expressed by users.
- Easy revocation and modification
Users can modify or revoke their consent at any time.
- Integration with marketing and analytics platforms
It connects with third-party tools to ensure that consent is respected during advertising campaigns and data analysis.
Avacy is a Consent Management Platform (CMP) designed to facilitate privacy compliance. Avacy helps companies manage user consent transparently for cookie usage, offering a simple and comprehensive solution for both industry experts and those less familiar with these topics.
Using granular consent
A key aspect of profiling is the ability to use granular consent, meaning that users can select which data they share and for what purposes. For example, they may choose to allow profiling only for content personalization but not for marketing communications.
Example of granular consent in a cookie banner:
- “I accept profiling to receive personalized recommendations”
- “I accept profiling for site analysis and improvement purposes”
- “I accept profiling to receive commercial offers”
Implementing easy-to-manage consent tools
Using a good Consent Management Platform (CMP) facilitates the collection, storage, and management of consents. CMPs like Avacy allow you to:
- Automatically collect consent;
- Maintain an updated consent log;
- Ensure the possibility to revoke or modify consent.
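The granular purposes, the consent log and easy revocation described above can be combined in a single record-keeping structure. The following is an added illustration, not Avacy's or any CMP's code; the purpose identifiers, subject id and sample decisions are constructed for the example.

```javascript
// Added example, not Avacy's or any CMP's code: an append-only consent log
// with granular purposes, plus a check deriving the current permission for a
// purpose from the latest entry. Purpose ids and sample data are constructed.
const PURPOSES = ["necessary", "personalization", "analytics", "marketing"];

class ConsentLog {
  constructor() {
    this.entries = []; // append-only: earlier decisions are never overwritten
  }

  // Record one decision. `method` documents how consent was given or revoked
  // (e.g. "banner-checkbox", "preference-centre"), as accountability requires.
  record({ subjectId, purpose, granted, method, timestamp = new Date() }) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (typeof granted !== "boolean") throw new Error("granted must be a boolean");
    this.entries.push({
      subjectId, purpose, granted, method,
      timestamp: new Date(timestamp).toISOString(), // fixed-width, sortable
    });
  }

  // Strictly necessary cookies need no consent; every other purpose is opt-in,
  // so no record (or a pre-ticked default) means no permission.
  isPermitted(subjectId, purpose) {
    if (purpose === "necessary") return true;
    const latest = this.entries
      .filter((e) => e.subjectId === subjectId && e.purpose === purpose)
      .sort((a, b) => a.timestamp.localeCompare(b.timestamp))
      .pop();
    return latest ? latest.granted : false;
  }

  // The documented trail a controller must be able to produce for one subject.
  history(subjectId) {
    return this.entries.filter((e) => e.subjectId === subjectId);
  }
}
// Walk-through on constructed data: consent to two purposes via the banner,
// later revocation of marketing only from the preference centre.
function demo() {
  const log = new ConsentLog();
  const given = { subjectId: "u-123", method: "banner-checkbox", timestamp: "2024-05-01T10:00:00Z" };
  log.record({ ...given, purpose: "personalization", granted: true });
  log.record({ ...given, purpose: "marketing", granted: true });
  log.record({ subjectId: "u-123", purpose: "marketing", granted: false,
    method: "preference-centre", timestamp: "2024-06-15T08:30:00Z" });
  return log;
}
```

After the revocation, `isPermitted("u-123", "marketing")` is false while personalization remains permitted, and `history("u-123")` still shows all three decisions with their method and time.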
Consent and data subject rights
Once consent is provided, the data subject retains rights over their data.
- Right to withdraw: the data subject always has the right to withdraw their consent at any time. Websites must therefore provide simple procedures for revoking consent.
- Right to access and portability: in addition to withdrawal, the data subject has the right to access their data and to receive a copy of it in a portable format.
Corporate responsibilities in managing consent
The GDPR requires organizations to manage consent responsibly.
Documentation and storage
Companies must be able to prove they have obtained consent in a compliant manner. This means retaining documents and records that certify consent was given.
Updating consent
When the purposes of processing change, companies must request new consent from the data subject, informing them of the new ways their data will be used.
What happens if consent is not given?
Without valid consent, companies may face severe administrative and legal penalties. Non-compliance can result in fines of up to 4% of annual global revenue or €20 million, whichever is higher, as well as significant reputational damage.
Conclusions
Consent for personal data processing is an essential component of GDPR and data protection in general. Every company must ensure that consent is collected and managed in accordance with regulations, offering transparency and control to users. Compliance is not just an obligation but a demonstration of respect for individual privacy.