Lesson 15 of 25

Consent & Processing Special-Category Data (Articles 7 & 9)

5 min read · CIPP/E

Learn what makes consent valid—freely given, specific, informed, unambiguous—the children's-consent ages, and the Article 9(2) conditions, including explicit consent, that unlock special-category processing.

Why consent is the trickiest basis

  • Article 4(11) + Article 7 set a high bar
  • Freely given, specific, informed, unambiguous
  • Must be as easy to withdraw as to give
  • Often the wrong basis to choose

Consent feels like the obvious lawful basis, but it is the one organisations most often get wrong, and the exam exploits that. The GDPR sets a deliberately high bar. Article 4(11) defines consent as any freely given, specific, informed, and unambiguous indication of the data subject's wishes, given by a statement or a clear affirmative action.

Article 7 then adds conditions, including that withdrawal must be as easy as giving consent. Because the bar is high and consent can be withdrawn at any time, it is often not the most robust basis; for many activities, contract or legitimate interests is cleaner. Let's break down each element, because the exam tests them individually.

The four elements of valid consent

  • Freely given — real choice, no imbalance or detriment
  • Specific — separate consent per purpose, no bundling
  • Informed — who you are and what you'll do
  • Unambiguous — clear affirmative act, not silence

Valid consent has four elements. Freely given means the person has a genuine choice; consent is not free if refusing causes detriment, if there is a clear power imbalance, for example employer over employee, or if the service is conditioned on consent that is not necessary for it. Specific means consent is sought separately for each distinct purpose; you cannot bundle several purposes into one tick.

Informed means the person knows at least the controller's identity and the purposes of the processing before they agree. And unambiguous means consent is given by a clear affirmative action, such as ticking an unchecked box; silence, inactivity, or pre-ticked boxes do not count. Recital 32 is explicit that pre-ticked boxes are invalid, and the CJEU confirmed it.

Watch for those traps.

Demonstrating and withdrawing consent

  • Article 7(1) — controller must prove consent was given
  • Article 7(3) — withdrawal at any time, as easy as giving it
  • Withdrawal doesn't undo past lawful processing
  • Tell people about the right to withdraw before they consent

Article 7 adds operational duties. Under Article 7(1), the controller must be able to demonstrate that the data subject consented. That is accountability applied to consent, so keep records of who consented, when, and to what. Under Article 7(3), the person can withdraw consent at any time, and it must be as easy to withdraw as it was to give; you cannot make signing up a click and opting out a phone call.

Withdrawing consent does not make past processing unlawful; it just stops future processing on that basis. And you must inform people of the right to withdraw before they consent. If a scenario describes hard-to-find opt-outs or buried withdrawal mechanisms, that is an Article 7(3) failure.

Children's consent (Article 8)

  • Applies to information-society services offered directly to children
  • Default digital-consent age is 16
  • Member states may lower it, but not below 13
  • Below the age — need parental authorisation

Article 8 sets special rules for children's consent in the context of online services, what the GDPR calls information-society services, offered directly to a child. Where consent is the basis, the child can consent on their own from the age of sixteen by default. Below that age, the processing is lawful only with the consent or authorisation of the holder of parental responsibility, and the controller must make reasonable efforts to verify it.

Crucially, member states may set a lower age, but not below thirteen. So the digital age of consent ranges from thirteen to sixteen depending on the country. The exam tests both the default of sixteen and the floor of thirteen, so know both numbers.

Processing special-category data (Article 9(2))

  • Article 9(1) prohibits; Article 9(2) lists the exceptions
  • Explicit consent — a higher standard than ordinary consent
  • Employment/social-security law; vital interests; public health
  • Not-for-profit bodies; data made public; legal claims; research

Finally, the conditions for special-category data. Article 9(1) prohibits processing the sensitive categories we listed earlier, and Article 9(2) provides the limited exceptions that lift the prohibition. They include the data subject's explicit consent, a higher standard than ordinary consent, usually requiring an express statement; processing necessary for employment, social-security, or social-protection law; protecting someone's vital interests where they cannot consent; processing by a not-for-profit body about its members; data the person has manifestly made public; the establishment or defence of legal claims; substantial public interest with a legal basis; preventive or occupational medicine and public health; and archiving, research, or statistics.

The key exam points: you need an Article 9(2) condition in addition to your Article 6 basis, and for special-category data, consent must be explicit. Both keys, every time.

Recap

  • Consent: freely given, specific, informed, unambiguous (Art. 4(11), 7)
  • No pre-ticked boxes; withdrawal as easy as giving
  • Children: default 16, floor 13 (Art. 8)
  • Special-category data: explicit consent or another Article 9(2) condition

So, consent and sensitive data. Valid consent under Articles 4(11) and 7 must be freely given, specific, informed, and unambiguous, given by a clear affirmative act, never a pre-ticked box, and withdrawable as easily as it was given, with the controller able to prove it. For children using online services, the default digital-consent age is sixteen, and member states may lower it only to thirteen.

And for special-category data, you need both an Article 6 basis and an Article 9(2) condition, with consent in this context being explicit. Next, we cover what you must tell people: transparency and privacy notices under Articles 13 and 14. First, go test yourself on consent and special-category data.

Sources

  • Regulation (EU) 2016/679 (GDPR), Article 4(11) (definition of consent), Article 7 (conditions for consent), Article 8 (children's consent), Article 9(2) (special-category conditions)
  • Recitals 32, 42, 43
  • EDPB Guidelines 05/2020 on consent

Test your knowledge

A few CIPP/E questions on this material — pick an answer to see the explanation.

  1. An organisation appoints its head of marketing as DPO. Why is this problematic?

  2. A company completes a DPIA for a new employee-monitoring system and determines that a high residual risk to employees remains even after all proposed mitigations. What must the company do before launching the system?

  3. A large company violates Article 5 data-protection principles in a sustained and intentional manner. Under Article 83, what maximum fine applies?

  4. A data subject suffers anxiety and reputational damage after a controller's data breach exposes their personal information. Under Article 82, can the data subject claim compensation for this non-material damage?