Consent is one of the six legal bases for processing personal data. However, businesses that choose to rely on this legal basis must meet the following requirements for consent set out by the GDPR.


What are the requirements for consent under the GDPR?

According to the EU’s GDPR, consent is only valid when the following requirements are met.

1. The consent is freely given.

Under the EU’s GDPR, the individual to whom the personal data belongs, aka the data subject, must give their consent freely. This means that the data controller can’t force the data subject to consent to the processing.

Here’s how businesses can ensure that consent is freely given.

Don’t pre-check consent boxes

The data subject must actively check any consent boxes on your website.

Don’t force customers to consent to unnecessary data processing

Providing a service or product should not be conditioned upon consent for any data processing that is unnecessary for providing the said product or service.

Let’s take the example of an online retailer that doesn’t allow customers to complete their purchases unless they agree to receive marketing emails. In this case, sending the customers marketing emails is unnecessary for the sale. Therefore, the consent is invalid.

The proper way to do this would be to offer the customers a choice, so they can also complete their purchase without consenting to receive marketing emails.

Ask for separate consent for different types of processing

Under the GDPR, businesses have to ask for separate consent for each processing purpose.

Let’s say you want to use a client’s email address to send them newsletters and their phone number to call and get feedback from them. Under the GDPR, you must collect separate consent for each purpose.

Make it easy for customers to withdraw consent and don’t penalize them for it

Businesses need to provide customers with an easy way to withdraw consent. Furthermore, they are not allowed to punish the individuals who decide to opt out.

Don’t bundle up consent with other terms and conditions

When consent is bundled up as a part of other terms and conditions, the data subject has no genuine choice. This means that the consent is not freely given.

2. The consent is informed.

Under the EU’s GDPR, businesses must inform the data subjects about the identity of the data controller and the purpose of the personal data processing. Otherwise, the consent is invalid as it is not informed.

Although not a legal requirement, it is good practice to also let customers know how they can withdraw their consent in the consent request.

3. The consent is specific.

When explaining to the data subjects what they are agreeing to, businesses must use clear and plain language. Furthermore, the consent request must be intelligible and in an easily accessible form.

If the consent request is ambiguous or hard to understand, the consent will be invalid. Therefore, companies should avoid using double negatives, long and complex sentences, and pretentious words when formulating a consent request.

Also, remember that consent only applies for the initially specified purpose. If you want to process the data for a different purpose, you will need to collect the data subject’s consent again.

4. The consent is unambiguous.

For consent to be valid, there must be no doubt that the data subject agreed to the personal data processing. This means that the individual should actively take action to confirm their consent (e.g., signing a declaration of consent, changing the default settings, ticking a consent box).

Since assumed or implied consent is invalid, businesses should never rely on inactivity, silence, default settings, or general terms and conditions.

5. The consent is verifiable.

Businesses that rely on consent must be able to demonstrate that the data subject agreed to the processing. A good idea is to maintain audit trails, so you can provide proof of consent in case of an inspection.

Consent evidence should be kept for as long as you process the personal data based on the consent. Such evidence should include:

  • The name of the person, their email, or other identifiers
  • A copy of the dated document or any other record that has a timestamp
  • The text of the consent request at the time that the consent was given
  • In the case of written consent, businesses should keep a copy of the document or data collection form. For online consent, they should keep records of the data submitted and timestamps so they can link it to the correct version of the data collection form.


Who is responsible for obtaining and documenting consent?

Under the EU’s GDPR, the data controller (the company that establishes the processing purpose and how the data is processed) is responsible for obtaining the person’s consent.


Obtaining valid consent with Penneo Sign

Penneo Sign can help you meet the GDPR requirements for consent via online data collection forms. Here’s how it works.

  • Create the PDF form and add the fields you need.
  • Write a clear description mentioning who you are, why you need the data, and how you intend to use it.
  • Send the form to the person you need to collect the data from.
  • After filling in the form, the recipient will have to digitally sign it, thus actively consenting to the processing.
  • You get the signed form in your Penneo archive.
  • The system will generate an audit trail that shows who signed the form and when.
  • Store the signed form and the audit trail for as long as you are still processing the data so you can demonstrate your compliance.



If you're looking to learn more, we have a few suggestions for you


FTN: Sign Digitally with Bank eIDs & Mobiilivarmenne

Norwegian Transparency Act

The Norwegian Transparency Act (Åpenhetsloven)

itsme® Sign

itsme®: Sign Documents Digitally in Belgium