Why Consent Isn’t Always Needed Under the GDPR

Many people wrongly assume that data can only be processed under the GDPR if the individual gives consent. While consent is an important mechanism, it is not the only—or even always the best—legal basis for processing personal data.

The GDPR outlines multiple lawful grounds for data processing in Article 6. These provide flexibility depending on the context of the processing activity. For CIPP/E candidates, understanding each legal basis is essential, as the topic is commonly tested in exam scenarios. Recognizing when consent is appropriate and when it is not can help privacy professionals make sound decisions in real-world environments.

Introduction to Lawful Processing Under GDPR

Article 6 of the GDPR lists six lawful bases under which personal data can be processed. These are not ranked in a specific order, and there’s no requirement to always rely on consent. In fact, choosing the wrong basis—especially one that doesn’t match the real nature of the data processing—can be a major compliance risk.

Privacy professionals must be able to assess the most appropriate basis depending on the purpose of the processing, the type of data involved, and the relationship with the data subject. This is a foundational concept in the GDPR and appears prominently in the CIPP/E Body of Knowledge.

The Six Lawful Bases for Processing Personal Data

Under Article 6 of the GDPR, personal data processing is lawful only if it meets at least one of the following conditions:

  • Consent: The data subject has given clear, informed, and specific agreement to the processing.
  • Contractual Necessity: The processing is necessary to fulfill a contract with the data subject.
  • Legal Obligation: Processing is required to comply with a legal duty.
  • Vital Interests: Processing is needed to protect someone’s life.
  • Public Task: The task is carried out in the public interest or as part of official authority.
  • Legitimate Interests: Processing is necessary for a legitimate interest of the controller or a third party, balanced against the individual’s rights.

As outlined in the GDPR, none of these bases is superior by default. Each must be evaluated based on the specific context of the processing.

When Consent Is the Appropriate Basis

Valid consent under the GDPR must be freely given, specific, informed, and unambiguous. It must be obtained through a clear affirmative action and must also be easy to withdraw.

Consent is especially relevant for processing activities like email marketing, use of tracking cookies, and processing special categories of data where no other legal basis applies. Article 9 of the GDPR often requires explicit consent for sensitive data, unless certain exceptions apply.

According to the ICO’s guidance on consent, organizations must also respect the data subject’s right to withdraw consent at any time, which can complicate ongoing processing.

Common Alternatives to Consent

In many situations, consent is not necessary because other lawful bases are more appropriate. For example:

  • Contractual necessity: Required when fulfilling an order, managing a subscription, or delivering a paid service.
  • Legal obligation: Used for payroll processing or compliance with employment laws.
  • Legitimate interests: Common for fraud prevention, internal analytics, or IT security operations.

These bases must still meet transparency and accountability standards. The use of Legitimate Interests, in particular, requires a Legitimate Interests Assessment (LIA) to weigh organizational needs against data subject rights.

As Privacy Study Group explains, organizations must carefully consider power imbalances—such as employer-employee relationships—where consent may not be freely given.

Why Relying on Consent Can Be Risky

Consent, while widely recognized, carries its own risks. If the consent is not valid—due to bundled terms, pre-checked boxes, or lack of real choice—the entire data processing activity becomes unlawful.

Additionally, consent must always be withdrawable, creating operational complexity. Businesses must track who gave consent, when it was given, and provide easy ways to revoke it.

The ICO emphasizes that over-reliance on consent can lead to regulatory trouble if not handled properly. Choosing another legal basis, when more suitable, often reduces legal and administrative risk.

Special Categories of Personal Data: Consent Isn’t Always Mandatory Here Either

Special categories include data on health, race, religion, political opinions, genetic or biometric information, and sexual orientation. These types of data are subject to heightened protections under Article 9 of the GDPR.

Although explicit consent is a common basis for processing this type of data, it is not the only one. Exceptions include situations where processing is necessary for:

  • Employment law obligations
  • Protection of vital interests
  • Public health purposes
  • Legal claims

The Data Protection Commission (Ireland) clarifies that organizations should not assume consent is the only lawful option when dealing with sensitive data.

Implications for CIPP/E Candidates and Real-World Practice

For those preparing for the CIPP/E exam, it is crucial to understand that the choice of lawful basis impacts nearly every aspect of data governance—from notice requirements to documentation and subject rights.

Exam questions often present real-life scenarios where candidates must determine the appropriate legal basis. Misunderstanding the options can lead to incorrect answers and, in practice, compliance failures.

CIPP/E candidates should remember that documentation of the chosen legal basis is a regulatory requirement. The ICO stresses the importance of recording the rationale behind the selected lawful basis for each processing activity.

Your Options Before Choosing Consent

Consent is just one of the six lawful bases for processing personal data under the GDPR. While it’s essential in some contexts, it’s not the default—and often not the most appropriate—choice.

CIPP/E exam takers and privacy professionals should evaluate every data processing operation in terms of purpose, legal context, and data sensitivity. Selecting the wrong basis—especially relying on invalid consent—can lead to compliance violations.

Careful reading of Article 6, paired with practical guidance from sources like the ICO and GDPRhub, will provide a strong foundation for lawful and strategic data handling.
