As frustrating as it may be to get cookie notices, privacy policy updates, and pop-up windows asking for your consent whenever entering a new page on the web, it all comes with a purpose.

Consent is one of the most well-known legal bases for processing personal data. It is the subject of various provisions in the GDPR, and can only be considered legally valid and effective if some conditions are met.

This article will go through the requirements laid down by the GDPR to collect valid consent for processing personal data and to correctly document such consent to ensure compliance.



What is consent under the GDPR?


Who is responsible for collecting consent?


What are the requirements for consent under the GDPR?

Under the GDPR, consent is legally valid and effective if it is:


1. Freely given

Consent must be given voluntarily by the individual.

This implies a real choice by the data subject – so any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid. This is why consent should not be a precondition to the provision of any service unless it is an essential element in that service.


2. Informed

Consent must be given after the person has been notified about who is going to collect and process their data (i.e., who is the data controller and who are the third parties that will be relying on the consent), what kind of data will be processed, how it will be used, and for which purposes.

The individual also needs to be informed about their rights and the possibility of withdrawing consent at any time (which should be just as easy as giving consent).


3. Specific

Consent should be linked to one or several specified and sufficiently explained purposes.

The request for consent should always be a standalone mechanism, kept separate from information about other contractual matters, terms, and conditions. In other words, if consent is to be collected at the moment of the signature of another agreement, the consent to data processing should be collected separately from the agreement.

Moreover, when the processing has multiple purposes, consent should be given for each of them separately. Similarly, when multiple types of processing are involved, granular options should be provided so that differing degrees of consent can be expressed via separate actions.


4. Unambiguous

Consent cannot be implied. It must be expressed through a statement or a clear affirmative act such as an opt-in, a declaration, or an active motion – excluding any possibility of misunderstanding.

“Opt-out” mechanisms with pre-checked boxes are explicitly not allowed by the Regulation.


How to collect consent easily, digitally, and with GDPR compliance in mind

Violating the conditions for consent is one of the infringements for which companies can face more significant liability when it comes to GDPR compliance audits and penalties, so these conditions deserve particular attention. The good news is that Penneo can help you meet the GDPR requirements for consent.

With Penneo, you can:

  • Use forms to collect personal information through secure and encrypted channels.
  • Use digital signatures to capture consent.
  • Document who expressed consent, how and when this happened, who obtained it, and for what purposes in comprehensive court-admissible audit trails.
  • Enable granular options within the digital documents to capture consent separately for different types of data processing.
  • Allow individuals to sign documents separately, so that consent can be obtained in combination with the signature of other documents.
  • Request the renewal of consent regularly, easily, and digitally.

When it comes to online interactions, being able to document the other party’s consent is crucial to demonstrating the validity of a digital transaction. With Penneo, collecting consent online becomes easier and safer – both for you and for your customers.


