GDPR consent

Valid GDPR consent

Designing valid GDPR consent is essential to ensure your processing activities comply with the General Data Protection Regulation (GDPR). The requirements extend well beyond merely recording consent in writing. Where the lawful basis for a given processing activity is consent, your organisation must operate processes that ensure compliance with the obligations that flow from relying on consent as the lawful basis. GDPR consent should always be applied with discipline and documented with precision, and consent should always be GDPR-compliant in both form and execution.

Consent is one of six lawful bases for processing personal data under the GDPR. It may in some cases be the strongest — or the only — lawful basis available. However, it is often sensible to assess whether another lawful basis could be more appropriate. Choosing a different lawful basis, for example contract or legitimate interests, can simplify or better align your internal processes. Common use cases for consent include marketing communications and publishing images. Where relevant, you should also consider GDPR cookie consent in relation to online tracking technologies.

Morling Consulting specialises in privacy and GDPR. We provide tailored advice to help you identify the most suitable lawful basis for your needs. If you decide to rely on consent, we advise on how to frame it correctly and in line with GDPR requirements. In short, GDPR consent should always be clear, purposeful and supported by robust processes.

This page sets out what is required for GDPR consent to be valid, the advantages and risks of using consent as your lawful basis, and how to document and manage consents in a legally sound manner. We also outline practical points on sharing information without consent under the GDPR and when that may be restricted or inappropriate.

Help with GDPR consent

At Morling Consulting we have extensive experience helping organisations handle consent under the GDPR’s strict requirements. Our GDPR specialists work with you to understand your needs and deliver practical solutions that fit your operations. We offer both strategic advice and hands-on support to streamline your processes, including governance around GDPR cookie consent where relevant.

 

Contact us to arrange an initial discussion. We help you build assurance and stay focused on your core business. Our GDPR services include:

  • Design and review of consent language, including preparing a GDPR consent form.
  • Design and review of templates for consent collection and withdrawal.
  • Legal advice on selecting the appropriate lawful basis.
  • Documentation of consents and auditable evidence trails.
  • Requirements definition for systems that manage consents, including GDPR cookie consent mechanisms.
  • Training for staff on the GDPR and lawful bases for processing.

GDPR written consent

A common misconception is that the GDPR requires consent to be in writing. In fact, consent may be given orally, in writing or electronically — but it must be recorded and provable afterwards. An informal “yes” in conversation is not enough. The controller must be able to demonstrate that consent met the following criteria:

  • Voluntary: The individual must not feel compelled to consent, for example to complete a purchase in a retail store.
  • Specific: It must be clear and precise what the consent covers.
  • Informed: The individual must receive sufficient information to make an informed decision.
  • Unambiguous: Consent must be given by a clear affirmative act, for example a signature or a tick-box.

Consent and contracts: A practical case where written consent is not always necessary is the use of licensed images. A model release (contract) may apply. Because there are multiple lawful bases under the GDPR, the contract may, in that scenario, be the lawful basis instead of consent, allowing publication without GDPR consent. In such cases, a GDPR-based contract may be more appropriate than seeking consent, since publication must otherwise cease if consent is withdrawn. In other contexts, especially online, ensure that GDPR cookie consent is implemented correctly where cookies are non-essential.

GDPR-assured consent management

We help you design solutions to document consents, whether written, oral or electronic, and to implement a simple and reliable withdrawal process. Under the GDPR, it must be as easy to withdraw as to give consent. Policies should also address sharing information without consent, setting out clearly when such sharing is prohibited and when an alternative lawful basis (for example, vital interests or legal obligation) may apply, if at all. Any approach must be risk-assessed and evidenced.

 

Proper management of GDPR consents is not only a legal obligation; it also builds trust with customers and partners. With Morling Consulting’s expertise, you can meet the requirements for consent — from collection to documentation and withdrawal — with confidence. In regulated digital channels, governance of GDPR cookie consent should be embedded in your consent lifecycle and records.

Common questions on consent under the GDPR

For consent to be valid under the GDPR it must meet four criteria: voluntary, specific, informed and unambiguous. GDPR consent should always be framed so the data subject can make an informed choice, and consent should always be GDPR-compliant in how it is presented and evidenced.

Consent may be appropriate when there is no contract or legitimate interest to rely on; where the individual has genuine choice without detriment; and where the communication is not necessary to perform a contract, for example newsletters or marketing. In many cases, contract or legitimate interests will be more suitable. Separately, consider GDPR cookie consent for non-essential cookies and similar technologies.

Organisations must be able to show that consent was given in accordance with the GDPR. This means: recording the consent (whether written, oral or electronic); linking it to the individual; capturing when and how consent was given — and for what; and operating a clear process for withdrawal.

A template can be a useful starting point, but it must be adjusted to your specific processing. A generic template is likely to miss key details and may not fully meet GDPR requirements. Our advice ensures your wording is compliant, tailored to your organisation and communication style, and workable in practice. Where needed, address sharing information without consent explicitly in your notices and policies.

If consent is withdrawn, all processing based on that consent must stop. It must be as easy to withdraw as it was to give consent, and the individual must be told about this right at the point of collection. Ensure your records, including any GDPR cookie consent preferences, update promptly.

No. Consent does not have to be written under the GDPR; it can also be given orally or electronically. The key point is that you can prove consent was given and that it was voluntary, specific, informed and unambiguous. For certain scenarios, for example sensitive data, you may need explicit consent under the GDPR; be clear on what GDPR consent is and when explicit consent is required.

Consent and contract are distinct lawful bases. Consent is used where the data subject has a free choice, for example newsletters or publishing images. Contract applies where processing is necessary to perform a contract, for example to deliver a service. It is essential to evaluate which lawful basis is most sustainable and appropriate in each case. In all cases, consent should always be GDPR-compliant when used, and GDPR consent should always be supported by evidence.

Sharing information without consent under the GDPR requires careful analysis. In limited situations a different lawful basis may apply (for example, legal obligation or vital interests). In the absence of such a basis, do not share. Your governance, training and playbooks should spell out acceptable scenarios and escalation paths for sharing information without consent to avoid unlawful disclosure.

GDPR cookie consent concerns non-essential cookies and similar technologies. Consent must be granular, freely given, informed and unambiguous, collected before activation, and just as easy to withdraw. This sits alongside e-privacy rules. Build GDPR cookie consent preferences into your consent register and ensure that proofs (timestamp, context and scope) are retained.

Contact us

If you prefer phone, please feel free to contact Felix Morling at +46 70 444 42 85