GDPR A7-01: Conditions for Consent
Under GDPR, processing personal data based on consent is only lawful when that consent meets strict criteria: it must be freely given, specific, informed, and unambiguous. This control requires you to demonstrate compliance through proper consent documentation and provide individuals with a straightforward way to withdraw consent whenever they choose.
What this means
This control mandates that your organization can only process personal data on the basis of consent when the data subject has explicitly opted in through clear, voluntary action. Consent cannot be a pre-ticked box, bundled condition, or forced requirement. You must keep detailed records proving each instance of consent, including what was consented to, when, and how. Equally important, you must maintain a simple, frictionless mechanism allowing individuals to withdraw that consent at any time without penalty.
How to comply
- 1.Audit all consent collection points (web forms, app sign-ups, email subscriptions) to eliminate pre-checked boxes and bundled consent
- 2.Document exactly what data is being processed and the specific purpose for each consent request
- 3.Create a clear record-keeping system that captures: consent timestamp, data subject identifier, consent statement, and proof of affirmative action
- 4.Implement an easily accessible consent withdrawal mechanism (e.g., one-click unsubscribe, account settings toggle)
- 5.Review consent language for clarity—remove legal jargon and ensure plain language explanations of processing activities
- 6.Test your withdrawal process to confirm it works and processes requests within your legal timeframe
- 7.Train staff on what constitutes valid consent and document that training
Evidence auditors look for
- Screenshots of consent forms showing opt-in checkboxes (not pre-ticked)
- Consent log showing timestamp, individual ID, consent text, and IP address or confirmation method
- Email template or landing page copy explicitly stating what personal data will be used and why
- Consent withdrawal mechanism (unsubscribe link, account settings interface) with proof of functionality
- Records of consent requests for high-risk processing (e.g., marketing, profiling, sensitive data)
- Documentation of staff training on valid consent principles
- Consent withdrawal requests and confirmation records showing timely processing
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates consent record capture and tracking across all your touchpoints, ensuring every opt-in is timestamped, auditable, and linked to the exact consent statement—eliminating manual spreadsheets and log gaps.
See how GRCWatch handles this control automatically
Start free trial