Article 6 para. 1 GDPR states that companies must always obtain the explicit consent of the data subject when processing personal data of (potential) customers. This applies as long as none of the other listed conditions apply for which processing would be necessary.
Article 7 GDPR describes the requirements to which consent is linked. Particularly relevant is the proof of consent, which is anchored in Article 7 para. 1.
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”.
Furthermore, the request for consent must be made in clear and simple language and the consent may be revoked by the data subject at any time.
Background of the Opt-In procedure
With the GDPR coming into force, the Opt-Out procedure is a matter of the past. Marketers used to make it easy for themselves.
The tick in the box consenting to data processing was already set when opting out.
To object to the processing, the data subject previously had to actively remove the tick.
The soft opt-in procedure, in which a note on the transfer of data is given in addition to the already ticked checkbox, does not comply with the requirements of the GDPR neither.
Neither method constitutes an active declaration of consent. With the entry into force GDPR in May 2018, companies are now forced to replace the opt-out with the opt-in procedure. This forces a person to actively tick the checkbox consenting to the processing of personal data