Is express consent absolutely necessary under the GDPR?

Recently, we saw companies and organizations rush to send emails to their customers notifying them of updates related to GDPR compliance. However, this practice is not always necessary, and the obsession with changes in consent is creating bad practices among many professionals.

First of all, what does the General Data Protection Regulation say about consent?

According to Article 4.11 of the GDPR, consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

I have had my commercial database since before the new regulation. What now?

Relax, do not despair. Obsessing over the express consent that the GDPR establishes surely does not help much, and you may already be doing things right. Also, keep in mind that if you re-send the consent request, you will unnecessarily invalidate your current commercial database, because from that moment on the users will have to expressly accept it; otherwise, you will have to stop communicating with those records.

The change brought by the GDPR does not mean that you necessarily have to request consent from your entire database. For example, if customers were already receiving commercial communications, it will not be necessary to obtain their consent again, since according to the regulation we can use legitimate interest as a legal basis for sending communications. Legitimate interest is as valid as express consent. In addition, even if the commercial communications were sent to recipients who are not customers, it would not be necessary to obtain express consent if we have already obtained that consent previously (for example, by having the recipient check the acceptance box).

However, if these commercial communications were being sent to recipients who are not customers and without obtaining their consent, then the company would be non-compliant with data protection regulation, both now with the arrival of the GDPR and under the already known LOPD*.

In short, the data protection regulation has altered the national and international scene with the novelties it presents, but this does not mean that panic has to spread among companies. Obtaining general knowledge of the regulation and relying on the help of service providers that accelerate GDPR management is undoubtedly a good strategy to ensure that you and your clients comply with the regulation in a simple manner.


*LOPD = Spanish Organic Law 15/1999 of 13 December on protection of personal data



Article written by

A. P.

