Skip to main content

Article 7 — Conditions for Valid Consent

  1. Where processing is based on consent pursuant to Article 4, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data for one or more specific purposes.
  2. Consent shall be valid only where it is freely given, specific, informed, and unambiguous. Consent shall be expressed by a clear affirmative act establishing the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement transmitted through electronic means, an oral declaration recorded in verifiable form, or any other conduct that clearly indicates acceptance in the given context. Silence, pre-ticked boxes, or inactivity shall not constitute consent.
  3. Where consent is given in the context of a written declaration or an electronic form that also concerns other matters, the request for consent shall be presented in a manner that is clearly distinguishable from those other matters. The request shall be formulated in clear and plain language and shall not contain unfair or misleading terms. Any part of such a declaration or form that constitutes an infringement of this Code shall not be binding.
  4. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed of this right. The mechanism for withdrawing consent shall be as easy to execute as the mechanism for giving consent. Where consent was given through an electronic interface, withdrawal shall be possible through the same interface or an equally accessible one.
  5. When assessing whether consent is freely given, utmost account shall be taken of whether, among other things, the performance of a contract or the provision of a service is conditional on consent to the processing of personal data that is not necessary for the performance of that contract or the provision of that service. Consent shall not be regarded as freely given where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority of the Principality.
  6. Consent for the processing of sensitive personal data as defined in this Code shall be explicit. Explicit consent requires a specific, unambiguous, and affirmative statement or action by the data subject that clearly refers to the particular categories of sensitive personal data to be processed and the purposes of such processing.
  7. Where the data subject is a minor under the applicable provisions of the Civil Code of the Principality, the processing of personal data shall be lawful only where and to the extent that consent is given or authorised by the holder of parental authority or legal guardianship over the minor. The controller shall make reasonable efforts, taking into account available technology, to verify that consent is given or authorised by the holder of parental authority or legal guardian.
  8. The burden of demonstrating that valid consent has been obtained shall rest with the controller. The controller shall maintain records sufficient to demonstrate compliance with the requirements of this Article, including the identity of the data subject, the date and time of consent, the information presented to the data subject at the time of consent, and the method by which consent was given.