When the EU Basic Data Protection Regulation (DSGVO/GDPR) comes into force on 25 May this year, you as a company will need "explicit consent" to legitimise specific forms of data processing. The current fuss about DSGVO/GDPR is great and the legal departments and data protection officers are getting smoking heads, the two essential issues must be clarified without a doubt: What is explicit consent and where does it have to be obtained explicitly?


Explicit consent can be considered in the same way as the standard requirements of the basic data protection regulation (DSGVO) for obtaining consent. Nevertheless, the enchanting difference is that the express consent of this kind must be obtained by the final consumer, leaving no room for misinterpretation. In plain language, the final consumer must be given a clear statement of choices, in writing or by voice, which accurately refers to the element of data processing that requires explicit consent. The statement of factual analysis should disclose all detailed knowledge and consequences of the information to be transferred and the associated transfer risks.

In addition, the conditions for express consent must comply with the definition in the DSGVO. This means that consent must be obtained explicitly. The clear consent of the party ticking a box is mandatory, a pre-checked box is illegal. The basic data protection regulation (DSGVO) provides for additional changes, such as dealers, medium-sized companies, groups and also associations must obtain their consent.

  • Ensure that consent forms are kept separate from other terms.
  • Consent should not be a prerequisite for registration for an event or service, unless it is necessary in that case.
  • A precise and detailed explanation of the separate opportunities for consent for different categories of processing
  • Indicate exactly which companies or third parties are dependent on the consent, e.g. accurately defined categories of third party manufacturers are not accepted by the DSGVO.
  • Keep records of what the person has consented to, what has been mediated and when and how the consent was given (time stamp).
  • Make it clear to people that they have the right to revoke their consent constantly and in any case ensure that the process of revocation is as smooth as that of consent
  • Check that there is no imbalance in the relationship between the person and your company name.


Explicit consent will undoubtedly be necessary for companies that want to legitimize the use of (sensitive and personal) facts. It can justify equally legitimate automatic decisions and transfers from private companies without adequate guarantees.


The basic data protection regulation (DSGVO) is on your doorstep. On 25 May 2018, the time has come. Since the new-fangled regulation sometimes provides for drastic sanctions, it is absolutely necessary that you make your company name and your data warehouse fit for modern law. For example, the law firm Dr. Bahr offers you a checkup with 12 questions, with which you can get all recommendations and tips and tricks as PDF for free download.

Here you complete the checkup


Everything could be done without personal data. There is a lot to do in your company and your operated data warehouse. The personal data that you manage in your data warehouse or process in a business intelligence solution must be made anonymous. By means of anonymisation, these are finally no longer subject to the law of the DSGVO, where testing and proof are no longer required!

Currently, the DSGVO is causing a pronounced stir within the solutions for Business Intelligence, which are used as a data processing platform in companies. All data collections and BI processes are put to the test and must undergo necessary anonymisation (optimisation) in order to get out of the scope of the DSGVO regulation.

Data anonymisation in your data warehouse is a method of preserving data protection, while retaining the original nature of your data to a large extent. In the European Union this is a legal requirement for companies. A basic requirement for data anonymisation is the omission of sensitive personal information from documents (contracts), annual reports, customer analyses or business system data records.

The first elementary requirement is likely to be to delete all information that can easily lead to the identification of principals, such as employees in a banking environment or large, widely used company names. This allows BI solutions to maintain their integrity and must replace sensitive data with fictitious substitute data. Sensitive data from real customers and entities are replaced by fictitious data. A direct approach would be to replace first names with fictitious first names and surnames with fictitious surnames. In multi-layered heterogeneous systems, the environment consists of several operational systems, online database services, data warehouse and other systems that cover extensive business processes and make it difficult to make personal data anonymous.

It is advisable to fall back on specialists who have experience with the new data protection guidelines and know-how in the area of data warehouse / business intelligence. To be correctly positioned on 25 May 2018 and not to get to know the inconveniences of the DSGVO at all is admittedly sensible, as this can be extremely cost-intensive and unpleasant.

Tip: Check not only your BI systems but also your privacy policy/imprint that you provide to your customers and online.