
Why consent is often misused in data processing and how companies can achieve true GDPR compliance

Consent in data processing: What companies really need to know

The variety of legal bases under the GDPR

The General Data Protection Regulation (GDPR) makes it clear that a suitable legal basis is required for any processing of personal data.

However, a common misconception in everyday practice is to view consent as an ‘all-purpose solution’. In fact, consent pursuant to Art. 6(1)(a) GDPR is only one of six possible legal bases for data processing. The others are the performance of a contract, legal obligations, vital interests, public tasks and legitimate interests.

Practice shows that controllers often only specify a single legal basis in their privacy notices, usually because it seems the most obvious. However, it is perfectly permissible and sometimes even advisable to cite or examine several possible legal bases before processing begins.

Overview of the most important legal bases

Different legal bases may apply depending on the purpose of the data processing. The following are particularly relevant for companies:

  • Contract performance and contract initiation (Art. 6(1)(b) GDPR): If personal data is processed to fulfil or initiate a contract – for example, when creating a customer account, placing orders or contacting us – this legal basis applies.
  • Compliance with legal obligations (Art. 6(1)(c) GDPR): If organisations must comply with laws, such as tax or labour regulations, this justifies the processing of personal data.
  • Legitimate interests (Art. 6(1)(f) GDPR): Many everyday processes in a company can be based on this legal basis, provided that the interests of the data subjects do not outweigh them.
  • Consent (Art. 6(1)(a) GDPR): This basis is only permissible if the data subject gives their free and informed consent – and can revoke this consent at any time.

Transparent information for data subjects is mandatory: The legal basis applied must always be clearly stated in the privacy policy.

Typical mistakes when obtaining consent

When consent is unnecessary or even inadmissible

Explicit consent is not always the best choice – on the contrary: it can even be legally problematic if another legal basis is actually applicable. A common example: A customer registers on a website or orders a product. Companies often request consent to process data in such cases, even though the actual basis is the fulfilment of the contract. If consent is then revoked, the legal basis is lost and the business relationship is jeopardised.

The same applies to contact forms on the Internet: here, legitimate interest allows dialogue. Consent is superfluous and often inadmissible in this context, unless the data is used for advertising or other purposes beyond this.

Forms, checkboxes and the misunderstanding with privacy notices

Checkboxes are often used to ask users to confirm that they have ‘read and accepted the privacy policy’. This practice is regularly criticised by supervisory authorities. Why? Because it is sufficient for users to be able to take note of the privacy policy – they do not have to formally accept it or give their consent. Requiring such a confirmation is precisely what leads to problems with the so-called ‘voluntary nature’ of consent, since voluntariness is a prerequisite for data to be processed on the basis of consent.

Furthermore, mandatory information pursuant to Art. 13 GDPR must not be mixed with consent or even ‘hidden’. Consent must always be clearly recognisable as such and distinguishable from other matters.

Practical recommendations: How companies can act in compliance with the GDPR

Step-by-step review of the appropriate legal basis

Before processing any data, companies should carefully consider the legal basis on which they are processing it. The decision to obtain consent is only appropriate if there are no other alternatives. Therefore, you should first check whether a legitimate interest, the fulfilment of a contract or a legal obligation provides a better basis.

In particular, consent is usually not required for processes such as employee management, customer service or enquiry processing. Only when special uses are planned – such as sending newsletters or marketing campaigns – does the explicit consent of the data subjects become relevant.

Transparency and clear communication as success factors

Transparency creates trust: Data subjects must be able to understand at all times on what basis their data is being processed and for what purpose. A correct and comprehensible privacy policy is essential here.

If consent is actually obtained, you should inform the data subjects comprehensively – including the possibility of revoking their consent at any time without disadvantage.

Ensure that consent forms are not pre-formulated or automatically pre-selected. Consent forms must always be designed separately from other information so that they are clearly recognisable and voluntary for users.

Conclusion: Use consent correctly and avoid mistakes

The choice of legal basis is crucial

The GDPR offers various ways to process personal data lawfully. Consent is not always the best and most legally secure option – there are often more suitable alternatives. Companies must document their considerations and decision-making process and disclose them in their communications.

Before introducing new processes or tools, it is important to check which legal basis applies in each case. Superfluous consent requests not only create more work, but can also undermine the legality of data processing.

Your path to legally compliant data protection

Data protection compliance means, above all, choosing the right – and comprehensively documented – way of handling personal data. An individual review of specific processes and a shift in perspective towards the individuals concerned help to identify appropriate measures. This is the only way to minimise risks and secure the trust of customers, employees and partners.

Are you unsure about the legal basis for your data processing or would you like to put your processes to the test? We would be happy to support you in developing data protection-compliant solutions and optimally setting up your organisation. Get in touch with us – together we will find the best way to handle personal data securely and efficiently!
