No. The controller does not need to request and obtain consent for each processing of personal data.

Any activity for the processing of personal data must be based on one of the legal bases given in Article 10, paragraph (1) of ZZLP.

Consent is only one of the legal bases for processing personal data prescribed by law.

If there is another legal basis for processing personal data (eg, legal obligation or contract), there is no need to use consent.

For example, according to the Law on Labor Relations, the employer is obliged to keep records of the working hours of the employees, while according to the Law on Associations and Foundations, an association of citizens is obliged to keep a list of its members, and in such cases there is no need for consent because the legal obligation of the controller is a legal basis for the processing of personal data.

Consent is used to process personal data for direct marketing purposes, including profiling, in accordance with Article 96 of ZZLP.

Another example where consent is used is a hair salon that, as a controller, publishes pictures of its own activity (a popular “before and after” column) on social media or processes data through cookies placed on the website, because it cannot demonstrate a legitimate interest.