Update: I’ve exported the tool as a PDF so you can see the questions and answers. It’s no longer interactive, but it may still be helpful.

Consent decision tree


Update: Sorry that the tool is not currently working – My supposedly ‘unlimited’ free Zingtree account has expired, and they want £984 a year for me to renew it, which I can’t afford. Currently looking for alternatives – if you know of one, hit me up! I’ll post a downloadable text version of the tool very soon.


Following on from some of the ranting I’ve been doing about the current unhealthy obsession with consent for processing, here’s a funky tool that I have created for determining whether consent is the appropriate legal basis for processing under GDPR.

At the moment, it only covers Article 6 but I’m working on another one that addresses special categories of personal data as well.

Please let me know what you think about this tool in the comments section!

7 Replies to “Consent or not consent?”

  1. You need to mention that, even if legitimate interest is claimed, they must still offer the subject the right to object, which they can exercise via automated means (A21.5)

    Right to object and automated individual decision-making

    Article 21

    Right to object

    1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
    2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
    3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
    4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
    5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
    6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

    1. Indeed, good spot – I shall add something in to cover that, thanks!

  2. Excellent tool! Really helpful for startups, SMEs and charities who may not have a DPO to do this analysis.

    I would though add in some points for the follow-on questions where you say ‘yes’ to having a legitimate interest. If you can use either legit interest or consent, then other consequences of using either one could impact your decision. For example, some of the rights only apply depending on what lawful basis you use. You have to be able to meet the conditions for consent if you use this basis. You have transparency obligations when you use legit interests as well as purpose limitation compatibility considerations. So, in my view, you would assess these and then decide which basis to use rather than defaulting to consent.

    1. Emma, if consent is used as the basis for lawful processing then the controller is subject to all the obligations that apply in the case of a legitimate interest basis PLUS provisions to withdraw consent as easily as it was given and to provide data portability to the data subject.

      If the WP29 guidelines are accepted that portability must apply not only to directly-provided personal data but also to all observed activity of the data subject (such as search history, traffic data, location data, IoT data and activity logs) – all of which have to be provided in a commonly-used machine readable form, probably with options for filtering. This would significantly increase the obligations on the controller.

  3. I love this, thank you *very much* for sharing. I don’t think it will ever be possible to develop a ‘gospel’ tool owing to those pesky l’il triplets: in no particular order – public interest, legitimate purpose and reasonableness. Which is OK, my Caldicott Guardian would probably switch into Dr mode and call the Crash team if I stopped arguing with him.

    As an aside, I am still chortling with joy at the ICO undertaking for Royal Free as it’s enabled me to kick a few doors down this week and get people realising that I’m their friendly bodyguard, not a mean ol’ IG policemanofficer (and talk to me. And buy me coffee in Costa).

Comments are closed.