From Consent to Explicit Request: Legal Engineering in the Single Digital Gateway⋆ Jaouhara Zouagui 0 Fraunhofer Institute for Open Communication Systems FOKUS , Kaiserin-Augusta-Allee 31, 10589 Berlin , Germany 2025

The Single Digital Gateway (SDG) Regulation (EU) 2018/1724 aims to simplify cross-border administrative access in the EU through a unified Digital Gateway, centered around the Once-Only Principle (OOP), in which users provide data only once [1]. In accordance with Article 14(3)(a) and (4) of the SDG Regulation, the implementation of the Once-Only Technical System (OOTS) enabling automated cross-border exchange of evidence under the OOP is subject to an explicit user request, except where specific legal provisions provide otherwise [1]. In Germany, the former § 5(2) of the E-Government Act (EGovG) allowed such exchange with user consent [2]. It was questionable whether the expression of request in Article 14(3)(a) and (4) of the SDG Regulation could be understood as consent under the General Data Protection Regulation (GDPR) for the processing of personal evidence. Section 5(2) of the old EGovG was seen as a violation of the prohibition of repetition, since Article 6(1)(a) of the GDPR already requires consent as the legal basis and does not provide any opening clauses [2]. On the other hand, this could lead to a contradiction with regulated exceptions under Article 14(4) of the SDG Regulation [1], which allows data transfer without explicit user request if mandated by national law - introducing consent would undermine this mechanism. The EGovG amendment adopted in 2024 resolves the aforementioned conflicts by defining evidence exchange in the new §§ 5 and 5a on the basis of Article 6(1)(e) GDPR - public interest [3]. The "Explicit Request" under Article 14(3)(a) and (4) SDG Regulation remains a legal requirement for technical implementation, but not as a consent [1]. How does the "Explicit Request" under the SDG Regulation differ legally and technically from prior consent under the OOP? Figure 1 shows the requirements for the "Explicit Request".

 eol>Single Digital Gateway Once-Only Principle Consent Explicit Request Technical Implementation1 1. Introduction and First Result

This approach identifies and compares the requirements for the "Explicit Request" according to Article 14(7) of the SDG Regulation and the "Consent" as defined by Article 4(11) of the GDPR for the processing of personal data in accordance with Article 6( 1 )(a) of the GDPR. Both must be freely given, specific, informed, and unambiguous. They are based on common core principles, but differ in the degree of explicitness required by law.

2. Discussion and Conclusion

The GDPR's consent rules are conceptually fragmented, spread across Articles 4(11), 6( 1 )(a), 7 and 9( 2 )(a), with additional references in Recitals 32 and 42 [4]. A full comparison must consider not only the GDPR but also related regulations like Implementing Act (EU) C/2022/5628 under the SDG framework, and should be complemented by a legal interpretation of the requirements based on established methods of statutory interpretation, in addition to the comparative synopsis.

The following two examples demonstrate how addressing the aforementioned limitations would affect the identified legal requirements and technical implementation evaluation. First, in light of the requirement for "Explicitness", the "Explicit Request" under the SDG Regulation cannot be fulfilled by a simple click [5]. It must involve a clear and unambiguous action, similar to consent under Article 9( 2 )(a) GDPR [6]. Second, informed consent requires that the user understands the significance of data processing, particularly regarding the controller and the purpose of processing (see Recitals 42 and 32 of the GDPR). The same applies to the explicit request in the OOTS: According to Article 12 (EU) C/2022/5628, the user must be informed of the name of the requesting authority as well as the types of evidence or data fields to be exchanged. Additionally, information must be provided in accordance with Article 9 of (EU) C/2022/5628, including aspects related to voluntariness and the possibility of a preview function. This information is therefore more precisely defined and supported through technical means.

The "Explicit Request" and "Consent" have similar requirements, but they can differ technically. The meaning of each technical implementation requirement only becomes apparent through legal interpretation within the relevant legal framework, as demonstrated in the above cases.

 Declaration on Generative AI

During the preparation of this work, the author used GPT-4o-mini in order to: Text translation, improve writing style, grammar and spelling check. After using this tool/service, the author reviewed and edited the content as needed and take full responsibility for the publication’s content.

 [1] Gesamtsteuerung Registermodernisierung , Leitfaden zur Auslegung des Art. 14 SDG-VO (VO (EU) 2018 /1724) und zur Ermittlung sich daraus ergebender Rechtsänderungsbedarfe zur grenzüberschreitenden Umsetzung des Once-Only- Prinzips , Version 4.1 , 2023 . URL: https://www.stmd.bayern.de/wp-content/uploads/2024/07/Leitfaden_SDG_VO_ Gesamtsteueru ng- Registermodernisierung_Version-4 .1.pdf. [2] A. Pokutnev , Internetspezifische Datenverarbeitungen, in: S. Jandt, R. Steidle (Ed.), Datenschutz im Internet , 2nd ed., Nomos , Baden-Baden, 2025 , pp. 237 - 501 . [3] Deutscher Bundestag , Drucksache 20 /8093, 2023 . URL: https://dserver.bundestag.de/btd/20/080/2008093.pdf. [4] J. Klement , DS-GVO Art. 7 Bedingungen für die Einwilligung , in: S. Simitis, G. Hornung, I. Spiecker (Ed.), Datenschutzrecht, 2nd ed., Nomos , Baden-Baden, 2025 , pp. 584 - 634 . [5] Datenschutzkonferenz , Kurzpapier Nr . 20 : Einwilligung nach der DS -GVO, 2019 . URL: https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_20.pdf. [6] A. Schiff , DS-GVO Art. 9 Verarbeitung besonderer Kategorien personenbezogener Daten , in: E. Ehmann, M. Selmayr (Ed.), Datenschutz-Grundverordnung, 3rd ed., C.H. Beck , München, 2024 , pp. 381 - 407 .