Complianz Privacy Suite

What is Proof of Consent?

Dr. Mathieu Paapst LLM cipm

Assistant Professor IT and Privacy Law at the University of Groningen (RUG), and Complianz Partner

There is a difference between Proof of Consent and Records of Consent. Although getting consent before processing personal information is sometimes required under certain privacy laws, there is no legal obligation within the GDPR to keep active records of each user’s consent. If the need arises, you must simply be able to provide proof of consent that shows a certain process did occur in obtaining consent.

Recital 42 GDPR states:

“Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”

According to the EU Data Protection Authorities, controllers are free to develop methods to comply with this provision in a way that fits their daily operations. At the same time, the duty to demonstrate that valid consent has been obtained by a controller should not in itself lead to excessive amounts of additional data processing. This principle of data minimization (GDPR article 5) means that controllers should have enough data to show a link to the processing (to show consent was obtained), but they shouldn’t be collecting any more information than necessary. It is up to the controller to prove that valid consent was obtained from the data subject. According to the EU Data Protection Authorities, the GDPR does not prescribe exactly how this must be done. The controller shall also be able to show that the data subject was informed and that the controller’s workflow met all relevant criteria for valid consent. The rationale behind this obligation in the GDPR is that controllers must be accountable for obtaining valid consent from data subjects and for the consent mechanisms they have put in place.

With the registration and data minimization guideline combined, a website can offer the following 3 combined options:

  • A time-stamped Cookie Policy, which is relevant to the time of registering.
  • Consent management settings that are relevant to the time of consent, e.g., a cookie notice and other settings.
  • The possibility of revoking settings, which is in full control of the user, on-page as well.