adopted 22
100. Example 19: An airline company, Holiday Airways, offers an assisted travelling service for passengers
that cannot travel unassisted, for example due to a disability. A customer books a flight from
Amsterdam to Budapest and requests travel assistance to be able to board the plane. Holiday Airways
requires her to provide information on her health condition to be able to arrange the appropriate
services for her (hence, there are many possibilities e.g. wheelchair on the arrival gate, or an assistant
travelling with her from A to B.) Holiday Airways asks for explicit consent to process the health data of
this customer for the purpose of arranging the requested travel assistance. -The data processed on the
basis of consent should be necessary for the requested service. Moreover, flights to Budapest remain
available without travel assistance. Please note that since that data are necessary for the provision of
the requested service, Article 7 (4) does not apply.
101. Example 20: A successful company is specialised in providing custom-made ski- and snowboard
goggles, and other types of customised eyewear for outdoors sports. The idea is that people could
wear these without their own glasses on. The company receives orders at a central point and delivers
products from a single location all across the EU.
102. In order to be able to provide its customised products to customers who are short-sighted, this
controller requests consent for the use of information on customers’ eye condition. Customers provide
the necessary health data, such as their prescription data online when they place their order. Without
this, it is not possible to provide the requested customized eyewear. The company also offers series of
goggles with standardized correctional values. Customers that do not wish to share health data could
opt for the standard versions. Therefore, an explicit consent under Article 9 is required and consent
can be considered to be freely given.
5 ADDITIONAL CONDITIONS FOR OBTAINING VALID CONSENT
103. The GDPR introduces requirements for controllers to make additional arrangements to ensure they
obtain, and maintain and are able to demonstrate, valid consent. Article 7 of the GDPR sets out these
additional conditions for valid consent, with specific provisions on keeping records of consent and the
right to easily withdraw consent. Article 7 also applies to consent referred to in other articles of GDPR,
e.g. Articles 8 and 9. Guidance on the additional requirement to demonstrate valid consent and on
withdrawal of consent is provided below.
5.1 Demonstrate consent
104. In Article 7(1), the GDPR clearly outlines the explicit obligation of the controller to demonstrate a data
subject's consent. The burden of proof will be on the controller, according to Article 7(1).
105. Recital 42 states: “Where processing is based on the data subject's consent, the controller should be
able to demonstrate that the data subject has given consent to the processing operation.”
106. Controllers are free to develop methods to comply with this provision in a way that is fitting in their
daily operations. At the same time, the duty to demonstrate that valid consent has been obtained by
a controller, should not in itself lead to excessive amounts of additional data processing. This means
that controllers should have enough data to show a link to the processing (to show consent was
obtained) but they shouldn’t be collecting any more information than necessary.
107. It is up to the controller to prove that valid consent was obtained from the data subject. The GDPR
does not prescribe exactly how this must be done. However, the controller must be able to prove that
a data subject in a given case has consented. As long as a data processing activity in question lasts, the