No, the GDPR recalls that consent is one of the legal justifications for making processing lawful. It also includes:
the performance of a contract
compliance with a legal obligation to which the controller is subject;
where processing is necessary in order to protect the vital interests of the data subject or of another natural person
where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
On the other hand, the GDPR further strengthens the rules applicable to consent.
Consent is embodied in a written statement or a clear and unambiguous positive act: NO pre-ticked boxes, nor implicit consent.
Consent must be informed: Inform the data subject in simple terms of the intended use of their data; the person must be aware of the consent given and of its scope. Do not use negation.
Consent must be freely given and specific: it must be given for a specific purpose (for the sending of your commercial offers and not for YOUR offers and those of your partners). It must not be forced (linking it to a discount, a gift or to the performance of a service when not necessary). It is necessary to distinguish between consent to data processing and consent to terms of use, for example.
Inform the person that they have the right to withdraw their consent at any time, specifying that it is as easy to withdraw consent as it is to give it.
We advise you to keep records of what the person has consented to, when they consented, and who consented. Traceability of actions related to consent must be implemented: regarding the consent itself, the purposes, and the revoked consents.
