OneTrust Certified Privacy Professional Practice Exam

What condition must be met for consent to be valid under GDPR?

• A. It must be verbal.
• B. It must be implied.
• C. It must be freely given, specific, informed, and unambiguous.
• D. It must be documented.

The correct answer is: It must be freely given, specific, informed, and unambiguous.

For consent to be considered valid under the General Data Protection Regulation (GDPR), it must be freely given, specific, informed, and unambiguous. This means that individuals must understand what they are consenting to and must do so without any coercion or undue pressure. Freely given implies that individuals have real choice and control over their personal data, meaning they can withdraw consent as easily as they gave it. Specificity requires that consent is not a blanket approval for all types of data processing; instead, it must pertain to specific purposes. Informed means that individuals are provided with comprehensive information about the processing activities that will occur as a result of their consent. Finally, unambiguous indicates that consent must be indicated through a clear affirmative action, signaling that the individual is agreeing to the processing of their personal data. Other options do not align with these requirements. For example, consent does not have to be verbal—written or digital forms of consent are also valid. Implied consent is not sufficient under GDPR; consent must be explicit. While documenting consent is important for accountability and compliance with regulations, it is not a standalone requirement for the consent to be considered valid. Thus, the correct understanding of GDPR consent encompasses a combination of these specified conditions