This guide is for Irish startups, SMEs, and any business processing personal data through marketing, websites that set cookies, or sensitive information such as health data.
It gives practical guidance on valid consent practices, choosing the right legal basis, record-keeping requirements, managing withdrawal, and the pitfalls that lead to DPC enforcement, so that the business can demonstrate GDPR compliance.
Key Takeaways
- Consent must be freely given, specific, informed, and unambiguous; no pre-ticked boxes, implied actions, or bundling.
- Use consent for marketing, non-essential cookies, special category data; avoid for employees or where legitimate interest applies.
- Make withdrawal as easy as giving consent, tell people upfront that they can withdraw, and stop processing for that purpose without undue delay once consent (your only basis) is withdrawn.
- Record consents with who, when, what, how, and provided info to demonstrate validity.
- Avoid common mistakes like non-granular consent, burying in terms, or conditioning service on consent.

GDPR Consent Requirements: How Irish Companies Must Get It Right
Consent is one of the six legal bases for processing personal data under GDPR, and it is the one most businesses get wrong. The conditions are strict: consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not count. Burying consent in terms and conditions does not count. Using consent for employee data processing almost never works. The DPC has published detailed guidance on legal bases for processing, and consent-related complaints remain a consistent feature of its annual reports.
This guide explains when consent is the right legal basis, what makes consent valid, how to manage withdrawal, and the mistakes Irish businesses make most often.
When is consent the right legal basis?
GDPR provides six legal bases for processing personal data under Article 6(1): consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interest. Consent is only one option, and it is not always the best one.
You should use consent when:
- You are sending marketing communications. Direct marketing to individuals who are not existing customers generally requires consent. The ePrivacy Regulations (SI 336/2011) reinforce this for electronic marketing.
- You are placing non-essential cookies. Under the ePrivacy Regulations, consent is required before placing analytics, marketing, or functional cookies on a visitor's device. For more on this, see our cookie consent guide.
- You are processing special category data. Health data, biometric data, political opinions, trade union membership, and other sensitive categories require explicit consent under Article 9(2)(a), unless another specific exemption applies.
- No other legal basis applies. If you cannot rely on contractual necessity, legitimate interest, or another basis, consent may be your only option.
You should not use consent when:
- There is a power imbalance. In an employer-employee relationship, employees may feel unable to refuse without consequences. The DPC and Beauchamps Solicitors both note that consent is "highly unlikely to be a legal basis for data processing at work" due to the imbalance of power. Use contractual necessity or legitimate interest instead.
- You intend to make the service conditional on consent. Under the "coupling prohibition" in Article 7(4), consent is not freely given if the performance of a contract is conditional on consent to processing that is not necessary for that contract. In practice, this means you cannot refuse service because someone declines marketing consent.
- Legitimate interest would be more appropriate. For activities like fraud prevention, IT security, or internal administration, legitimate interest is often a better fit because it does not depend on the individual's ongoing agreement.
Author's tip: Choose your legal basis before you start processing, not after. If you build your processing around consent and then discover it does not hold up, you cannot simply switch to legitimate interest retroactively. The legal basis must be determined and documented from the outset.
What makes consent valid under GDPR?
Article 4(11) defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." Each element is a requirement, not a suggestion.
Freely given
Consent must be voluntary. The individual must have a genuine choice and must be able to refuse or withdraw consent without any negative consequences. The key principles applying to voluntary consent are as follows:
- No bundling: Do not make consent a condition of accessing a service unless the processing is necessary for that service
- No penalties: There must be no detriment to the individual for refusing consent
- Granularity: Where you process data for multiple purposes, offer separate consent for each purpose. A single "I agree to everything" checkbox is not granular consent
- Power imbalance: In situations where the individual is dependent on you (employment, public services), consent is unlikely to be freely given
Specific
Consent must be given for a defined, particular purpose. You cannot obtain blanket consent for all possible future processing. Each purpose requires its own consent request:
- "We would like to send you our weekly product newsletter" (specific)
- "We may use your data for marketing purposes" (not specific enough)
- "We will use your data to improve our services" (too vague)
If you want to use the data for a new purpose later, you need fresh consent for that purpose.
Informed
Before giving consent, the individual must be told:
- Who is asking for consent (your company's identity)
- What data will be collected
- Why it will be processed (the specific purpose)
- How to withdraw consent
- Whether the data will be shared with third parties
- Whether the data will be transferred outside the EEA
This information must be provided in clear and plain language, not buried in a privacy policy that nobody reads. The consent request itself should contain or clearly link to this information.
Unambiguous
Consent requires a clear affirmative action. The European Commission specifies that this means an "explicit and positive act", such as ticking an unchecked box, clicking a button, or signing a form.
What does not constitute valid consent:
- Pre-ticked boxes: GDPR Recital 32 explicitly states that "silence, pre-ticked boxes or inactivity should not constitute consent"
- Implied consent: Continuing to use a website is not consent. Failing to opt out is not consent.
- Bundled consent: A single checkbox covering terms of service, privacy policy, and marketing is not valid
- Scrolling or browsing: Simply visiting a website does not constitute consent to cookies or data processing
For details on what your privacy notice must disclose, see our privacy policy guide.
When is explicit consent required?
Explicit consent is a higher standard than ordinary consent. It is required under Article 9(2)(a) for processing special category data, which includes:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (for identification purposes)
- Health data
- Sex life or sexual orientation data
Explicit consent requires a clear, express statement of agreement, not just an affirmative action. Practical methods of explicit consent include:
- A written statement specifically referencing the sensitive data and processing purpose
- An electronic form with a clearly labelled consent checkbox that specifically describes the special category processing
- A recorded verbal statement (with appropriate safeguards)
Explicit consent is also required for automated decision-making that produces legal or similarly significant effects (Article 22(2)(c)) and for international data transfers in certain circumstances (Article 49(1)(a)).
In our experience, Irish startups most often meet the explicit consent requirement when processing employee health data (sick leave records, medical certificates) or when collecting sensitive data through forms or surveys.
How do you manage consent withdrawal?
Article 7(3) gives individuals the right to withdraw consent at any time. Withdrawal must be as easy as giving consent: if someone consented with a single click, they should be able to withdraw with a single click.
Key requirements:
- Inform upfront: Before giving consent, the individual must be told that they can withdraw at any time. This is a pre-condition for valid consent, not just a right that exists in the background.
- Make it easy: If consent was given via an online form, provide an online mechanism to withdraw. An unsubscribe link in every marketing email. A preference centre in your account settings. Do not require people to phone a call centre or write a letter to withdraw consent they gave in two seconds online.
- Act promptly: When someone withdraws consent, stop processing their data for that purpose without undue delay. If consent was your only legal basis, you must also delete the data unless another basis applies.
- No consequences: Withdrawing consent must not result in reduced service quality, penalties, or any other detriment.
The operational impact of consent withdrawal is significant. If someone withdraws consent for marketing, remove them from your mailing list immediately. If someone withdraws consent for analytics cookies, stop tracking them. If consent was the basis for holding their data and no other basis applies, you must delete the data, which connects directly to your right to erasure obligations.
Important: Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal. Data you processed while consent was active remains lawfully processed. But from the moment of withdrawal, you must stop processing.
What records must you keep?
Under Article 7(1), "where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented." The burden of proof is on you. If you cannot prove consent was given, it is as if it was never given.
For every consent you collect, record the following:
- Who consented: The identity of the data subject
- When they consented: A precise timestamp
- What they consented to: The exact wording of the consent request they agreed to
- How they consented: The method (online form, checkbox, verbal, written)
- What information they were given: The privacy information presented at the time of consent
Retain these records for as long as the processing continues. After processing ends, keep proof of consent for a reasonable period to defend against potential claims; six to seven years, the period commonly applied to business records in Ireland, is a sensible default, depending on context.
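To make the withdrawal and record-keeping rules above concrete, here is a small consent ledger in Python. It is an added illustration, not code from the original article or from Open Forest: the class and field names are ours, and the sample subject, wording and privacy notice text are constructed. It records who, when, what, how, and a fingerprint of the information shown at the time; it never edits or deletes an entry (so processing before a withdrawal stays demonstrably lawful); it treats each purpose separately (no blanket consent); and it answers the operational question "may I process this person's data for this purpose right now?".

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from hashlib import sha256
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the consent log (who, what, when, how, info given)."""
    subject_id: str      # who consented
    purpose: str         # what: exactly one purpose per event (granularity)
    at: datetime         # when: timezone-aware UTC timestamp
    action: str          # "granted" or "withdrawn"
    method: str          # how: e.g. "web_form", "double_opt_in", "written", "verbal"
    wording: str         # exact consent text the person agreed to
    notice_sha256: str   # fingerprint of the privacy information shown at the time


class ConsentLedger:
    """Append-only consent log. Entries are never edited or deleted, so the
    controller can demonstrate consent (Article 7(1)) and show exactly when it
    was withdrawn (Article 7(3)). Names here are illustrative, not a standard API."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    @staticmethod
    def _now() -> datetime:
        return datetime.now(timezone.utc)

    def _latest(self, subject_id: str, purpose: str, at: datetime) -> Optional[ConsentEvent]:
        # Most recent event for this subject/purpose at or before `at`.
        # Stable sort keeps append order on equal timestamps, so a withdrawal
        # recorded after a grant at the same instant wins.
        hits = sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose and e.at <= at),
                      key=lambda e: e.at)
        return hits[-1] if hits else None

    def grant(self, subject_id: str, purpose: str, method: str, wording: str,
              notice_text: str, at: Optional[datetime] = None) -> ConsentEvent:
        """Record an affirmative act of consent for one specific purpose."""
        ts = at or self._now()
        ev = ConsentEvent(subject_id, purpose, ts, "granted", method, wording,
                          sha256(notice_text.encode("utf-8")).hexdigest())
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, method: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        """Record a withdrawal. The original grant is kept: processing that
        happened while consent was live remains lawful."""
        ts = at or self._now()
        current = self._latest(subject_id, purpose, ts)
        if current is None or current.action != "granted":
            raise ValueError(f"no active consent for {subject_id!r}/{purpose!r}")
        # Carry over the wording and notice fingerprint so the record shows
        # exactly which consent was withdrawn.
        ev = ConsentEvent(subject_id, purpose, ts, "withdrawn", method,
                          current.wording, current.notice_sha256)
        self._events.append(ev)
        return ev

    def permitted(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """May this subject's data be processed for this purpose at time `at`?
        True only between a grant and the next withdrawal for that exact purpose."""
        latest = self._latest(subject_id, purpose, at or self._now())
        return latest is not None and latest.action == "granted"

    def evidence(self, subject_id: str, purpose: str) -> list[ConsentEvent]:
        """Full history for a subject/purpose pair, oldest first: what you would
        produce to demonstrate consent."""
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.at)


def demo() -> dict:
    """Constructed walkthrough with sample data (not real records)."""
    ledger = ConsentLedger()

    def t(hour: int, minute: int) -> datetime:
        return datetime(2024, 3, 1, hour, minute, tzinfo=timezone.utc)

    notice = ("Example Co will email you our weekly product newsletter. "
              "You can unsubscribe at any time using the link in each email.")
    ledger.grant("user-42", "newsletter", "double_opt_in",
                 "Yes, send me the weekly product newsletter", notice, at=t(9, 0))
    ledger.withdraw("user-42", "newsletter", "unsubscribe_link", at=t(17, 30))
    return {
        # lawful while consent was live
        "newsletter_at_noon": ledger.permitted("user-42", "newsletter", at=t(12, 0)),
        # must stop after withdrawal
        "newsletter_after_withdrawal": ledger.permitted("user-42", "newsletter", at=t(18, 0)),
        # a newsletter consent is not consent to analytics
        "analytics_never_granted": ledger.permitted("user-42", "analytics", at=t(12, 0)),
        # both the grant and the withdrawal survive in the record
        "history_len": len(ledger.evidence("user-42", "newsletter")),
    }
```

Two design points: the ledger hashes the privacy notice rather than storing it inline so you can prove which version was shown without duplicating it on every row (keep the notice versions themselves under version control), and `permitted()` takes a timestamp so that a later audit can answer "was this email lawful when it was sent?" rather than only "is it lawful now".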
Consent management for small businesses
You do not need an enterprise consent management platform to comply. In our experience, practical approaches include:
- Spreadsheet or database: Log each consent with the fields above. Simple but requires manual discipline.
- CRM built-in features: Most modern CRMs (HubSpot, Salesforce, Pipedrive) have consent tracking fields. Use them.
- Cookie consent platforms: For website cookies, tools like Cookiebot, OneTrust, or CookieYes record consent choices with timestamps and the specific cookie categories accepted.
- Email marketing platforms: Mailchimp, Brevo, and similar tools record opt-in dates and methods. Use double opt-in for marketing consent; it is recommended because it creates a stronger evidence trail.
What are the most common consent mistakes Irish businesses make?
Set out below are the errors the DPC sees repeatedly. Make sure you avoid them:
Relying on implied or passive consent
"By using our website, you consent to our data processing" is not valid consent. Continuing to browse is not an affirmative action. Every consent must be a deliberate, positive act by the individual.
Burying consent in terms and conditions
Article 7(2) requires that consent requests be "clearly distinguishable from the other matters" when presented alongside other information. A consent clause hidden in paragraph 47 of your terms of service is not distinguishable. Consent must be presented separately and prominently.
Failing to offer granular consent options
If you process data for multiple purposes (product updates, marketing newsletters, third-party sharing, analytics), each purpose needs its own consent option. A single "I agree" checkbox covering all purposes is not specific consent.
Not refreshing consent when purposes change
If you originally obtained consent to send product updates and now want to send third-party promotional content, you need new consent for the new purpose. The original consent does not cover processing that was not described at the time.
Using consent for employee data processing
As noted above, the power imbalance in employment relationships means consent is rarely a valid basis for processing employee data. Employers should rely on contractual necessity (Article 6(1)(b)) or legitimate interest (Article 6(1)(f)) for most employment-related processing, and on specific statutory provisions where they exist.
Pre-ticked checkboxes
This is still surprisingly common despite being explicitly prohibited by GDPR. Every checkbox must start unchecked. The individual must actively tick it. There are no exceptions to this.
For a broader overview of your data protection obligations, see our GDPR compliance guide for startups.
Your next step
We advise that you audit your current consent practices. For every processing activity that relies on consent, check the following:
- Is consent genuinely the right legal basis, or would legitimate interest or contractual necessity be more appropriate?
- Does the consent request meet all four conditions: freely given, specific, informed, unambiguous?
- Can individuals withdraw consent as easily as they gave it?
- Do you have a record of each consent that includes who, when, what, and how?
If any of those answers is no, fix it now. The DPC's enforcement record shows that consent failures are not theoretical risks; they are active enforcement targets. Getting consent right is not just about avoiding fines; it is about respecting the people whose data you process.
Need help getting your consent practices right?
Open Forest helps Irish startups get their legal and compliance foundations right, from company formation to GDPR readiness. We handle the complexity so you can focus on building your product.
Get started with Open Forest

Laura Ryan is a practising Barrister at the Bar of Ireland. She graduated from the Honourable Society of King’s Inns in 2024, having previously qualified and practised as a Chartered Accountant in a big four accounting firm.