Create consent form — GDPR-compliant and digital

Create a professional consent form in minutes — with AI support and no coding required.

Digital consent forms for photo usage, data processing or event participation. Legally secure with signature and timestamp.

Benefits

  • Digital signature directly in the form
  • Timestamp and archiving for accountability requirements
  • Templates for photo consent, GDPR and more

Create your Consent Form now

Start free — no credit card required.

Requirements from Art. 7 GDPR

An effective consent under the GDPR must meet four criteria: it must be voluntary, informed, unambiguous and for a specific purpose. Art. 7 GDPR specifies these requirements — and this is exactly where many forms used in practice fail. A pre-ticked checkbox does not meet the criterion of unambiguity. A blanket "I consent to everything" clause violates the purpose limitation.

In practice this means: separate the consents per processing purpose and describe each purpose in a way that a person with little technical understanding can comprehend. Link to a detailed privacy policy and ensure that all fields are empty when the form is loaded. Additionally, document that the consenting person actively clicked the options; in a dispute this is the decisive evidence. Do not forget the reference to the right of withdrawal: without this information, the consent is not effective.

Granular consent instead of bundled ticks

Anyone who wants to cover several processing purposes — such as photo use, newsletter dispatch and data transfer to partners — needs a separate checkbox for each purpose. The bundled consent "I accept the terms" is practically always vulnerable in the GDPR context. Build the form so that each consent has a short, clear description next to it: "I consent to my photos being published on the website." instead of "I accept the photo terms."

Distinguish between mandatory and voluntary consents. Mandatory are only those that are actually necessary for the provision of the service — such as the processing of address data for shipping. Anything beyond that is voluntary and must not block the main service ("prohibition of coupling"). With conditional logic you can show follow-up questions as soon as someone gives certain consents — such as asking about the preferred newsletter format as soon as the newsletter consent is given. This keeps the form lean and respects the choice of the person.

Audit log as accountability requirement

The GDPR has an accountability obligation: you must be able to prove at any time that a valid consent exists. This only works with a clean audit log that contains at least four fields per consent: who consented (anonymous ID or full name), when (timestamp), to which purposes (binding list) and under which version of the privacy policy. The latter is important because the privacy policy changes over time, but the consent always relates to the version in force at the time it was given.

Additionally, save the exact wording that was agreed to as a snapshot. Anyone who has to prove five years later what the person read otherwise depends on reverse engineering the templates. The audit log should be immutable: append-only, ideally with a cryptographic integrity check. Ensure that authorized people can view the log without being able to manipulate it. When a supervisory authority sends a request, you can then provide information within minutes instead of searching through old emails for weeks.

Make withdrawal easy

A consent must be "as easy to withdraw as to give" — that is a hard requirement of the GDPR. Anyone who lets people grant consent with one click must also enable withdrawal with one click. In practice this means: a self-service link in every email, a dedicated withdrawal page with the same level of granularity as the consent form, and no obligation to re-identify with an ID card.

Build the withdrawal workflow so that it marks the original consent in the audit log and does not delete it. You keep the evidence that consent existed at the time but document the withdrawal with a timestamp. Automatically trigger downstream systems via webhook — such as the newsletter list or CRM — so that the data is consistently deleted or blocked there. Confirm the withdrawal to the person by email, with a clear note about what is no longer being processed. This transparency increases trust — paradoxically, many companies find that people consent again later after a smooth withdrawal process.
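
The audit-log and withdrawal sections above describe an append-only log with a cryptographic integrity check, in which a withdrawal is recorded without deleting the original consent. The following sketch is an added example, not code from the product described on this page; the class name, field names, subject IDs and policy version strings are assumptions chosen for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed anchor value for the first entry

def _digest(entry):
    # Canonical JSON (sorted keys) over everything except the hash itself
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentLog:
    def __init__(self):
        self._entries = []

    def _append(self, event, subject_id, purposes, policy_version, wording, when):
        entry = {
            "event": event,                      # "grant" or "withdraw"
            "subject_id": subject_id,            # who
            "timestamp": when or datetime.now(timezone.utc).isoformat(),  # when
            "purposes": sorted(purposes),        # to which purposes
            "policy_version": policy_version,    # privacy policy version shown
            "wording": wording,                  # snapshot of the exact text agreed to
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry["hash"] = _digest(entry)           # commits to content and predecessor
        self._entries.append(entry)
        return entry

    def grant(self, subject_id, wording, policy_version, when=None):
        # wording maps each purpose to the exact sentence the person ticked
        return self._append("grant", subject_id, wording, policy_version, dict(wording), when)

    def withdraw(self, subject_id, purposes, when=None):
        # A withdrawal is a new entry; the original grant is never edited or deleted
        return self._append("withdraw", subject_id, purposes, None, {}, when)

    def active_purposes(self, subject_id):
        active = set()
        for e in (e for e in self._entries if e["subject_id"] == subject_id):
            p = set(e["purposes"])
            active = active | p if e["event"] == "grant" else active - p
        return active

    def verify(self):
        prev = GENESIS
        for e in self._entries:
            if e["prev_hash"] != prev or e["hash"] != _digest(e):
                return False                     # entry altered, removed or reordered
            prev = e["hash"]
        return True
```

A hash chain only detects edits if the latest hash is also kept somewhere the log's writers cannot change, for example a separate system or a periodic signed export; otherwise someone with write access could recompute the whole chain.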