Consent management
Consent management covers all processes through which controllers lawfully obtain, document, demonstrate and enable the withdrawal at any time of data protection consent given by data subjects.
Consent management refers to the full set of organisational and technical measures by which a controller collects, administers and steers the consent of data subjects required under Art. 6(1)(a) and Art. 9(2)(a) GDPR across the entire lifecycle of a processing activity. For consent to be valid, Art. 4(11) GDPR requires that it be given freely, for the specific case, in an informed manner and unambiguously through a clear affirmative act; pre-ticked boxes or silence are not sufficient.
At the heart of consent management is the accountability principle in Art. 5(2) read together with Art. 7(1) GDPR: the controller must be able to demonstrate at any time that a data subject gave consent, and when, on what informational basis and for which purposes. This requires that the consent wording used, the relevant timestamp, the requested purposes and the version of the privacy notice in force at the time are logged in an audit-proof manner. Special categories of personal data are subject to heightened requirements regarding the explicit nature of consent.
Inseparably linked to consent is the right to withdraw it at any time under Art. 7(3) GDPR. Withdrawal must be as easy as giving consent and does not affect the lawfulness of processing carried out before it. Professional consent management therefore also covers the downstream processes: the prompt termination of the affected processing, observance of the prohibition on bundling under Art. 7(4) GDPR, and alignment with the deletion concept and the record of processing activities.
Legal Basis
Art. 4(11), Art. 6(1)(a), Art. 7, Art. 9(2)(a) GDPR
Practical Example
An online retailer sends out a newsletter based on the recipients' consent. The data protection coordinator sets up a double opt-in in which every sign-up is logged with a timestamp, IP address, the requested purpose and the version of the consent text in force at that moment. When a recipient tells the supervisory authority that they never consented, the retailer produces the full proof of consent and demonstrates lawfulness. Through an unsubscribe link in every email, each recipient can withdraw their consent with a single click; the withdrawal stops the mailing immediately and is likewise documented.
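One way to make the consent log from the newsletter example tamper-evident, shown as an added example that is not part of the original page: each event (sign-up request, double opt-in confirmation, withdrawal) is chained to the previous one with a SHA-256 hash. The class, field names and sample values are assumptions, and hash chaining is only one possible reading of "audit-proof", not something the GDPR prescribes.

```python
import hashlib, json
GENESIS = "0" * 64  # "prev" value of the very first entry

def _digest(body):
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentLedger:
    """Append-only, hash-chained consent log (hypothetical design)."""
    def __init__(self):
        self.entries = []

    def record(self, subject, event, purpose, text_version, ip, ts):
        if event not in ("requested", "confirmed", "withdrawn"):
            raise ValueError(f"unknown event: {event}")
        body = {"subject": subject, "event": event, "purpose": purpose,
                "text_version": text_version, "ip": ip, "ts": ts,
                "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        self.entries.append(dict(body, hash=_digest(body)))

    def first_broken(self):
        """Index of the first entry failing the chain check, else None."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def is_active(self, subject, purpose):
        """Consent counts only after double opt-in and until withdrawal."""
        state = None
        for e in self.entries:
            if (e["subject"], e["purpose"]) == (subject, purpose):
                if e["event"] == "confirmed":
                    state = "active" if state == "pending" else state
                else:
                    state = "pending" if e["event"] == "requested" else None
        return state == "active"

def sample_ledger():
    # Constructed sample data: sign-up, confirmation, later withdrawal.
    led = ConsentLedger()
    for event, ts in (("requested", "2024-05-01T09:00:00Z"),
                      ("confirmed", "2024-05-01T09:04:00Z"),
                      ("withdrawn", "2024-08-12T17:30:00Z")):
        led.record("subscriber-1001", event, "newsletter", "text-v3", "203.0.113.7", ts)
    return led
```

A chain like this only exposes edits to someone who holds a trusted copy of the latest hash, so the head hash should be stored outside the system that writes the log.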