Why is an organisation processing my data?

An organisation must select a purpose for processing your personal data from a list of lawful basis and conditions set out in the law. The organisation must tell you what the purpose is. For some forms of processing the purpose will be consent, meaning you have given you explicit permission for the organisation to process your data.

What is consent?

Organisations using consent to process data must tell you what they are doing and give you the chance to say yes. This means you may see an opt-in box at the time your data is collected. The box should not be pre-ticked as you should be active in providing consent.

Your consent should be freely given and unconditional. Where there is a power imbalance, such as if the organisation is your employer or a potential employer it must make sure your consent is valid. You should not be punished for refusing to consent.

Some data processing activities are complicated. An organisation may want to undertake several processing activities with the data it collects from you. It should provide separate clear consent options so that you can tailor how your data is used.


A University might rely on public task for processing personal data for teaching and research purposes. But a mixture of legitimate interests and consent for alumni relations and fundraising purposes. If it provides several functions as part of its alumni service, and is processing data using consent, it may ask for consent by activity.

Organisations that process your personal data for direct marketing activities will probably be using consent as their lawful basis. This is because you have the right to determine how your personal data is used and whether you want to be marketed to.

An organisation is asking for consent but if I refuse they will not provide the service.

The collection of your consent should be separate from other terms and conditions. You should not be prevented from a service if you refuse to provide consent for data processing. It may be that the organisation actually requires your details in order to provide a product, such as undertaking a credit reference check. In this instance it is actually processing your data as part of a contract and should not be presenting this as a consent based service.

Can I withdraw consent?

Consent can be withdrawn at any time. If you withdraw consent an organisation should immediately stop processing your data. It should also delete the data unless there is a good reason for keeping it. Organisations should tell you how to withdraw consent at the time it is collected. If you withdraw consent for an organisation to conduct direct marketing or profiling related to direct marketing it must accept your decision without qualification.

What can I do if I feel an organisation has not followed the rules surrounding consent?

 I have withdrawn my consent but the organisation is still processing my data?

If the organisation is relying on consent as the purpose for this processing, you have contacted it to withdraw consent and you still believe the organisations is processing your data, you can complain to the ICO