GDPR Compliant Consent Tracking

The typical ticked boxes in subscription forms are no more enough: in four months from now every company will have to ensure that the consents on processing of sensitive data.
GDPR Compliant Consent Tracking

The typical ticked boxes in subscription forms are no longer enough: in four months, every company will have to ensure that the consents to process sensitive data, even if collected before the GDPR comes into force, have been obtained lawfully and be able to provide legally valid proofs of records.

But what does this really mean?

Companies will have to:
A. implement procedures to collect the consent and inform users about the processing of their data;

A. Collecting Consents

Let’s dig a bit more into details.

To be allowed to process the personal data of European Citizens, companies must obtain consent from the users under free, specific, informed, granular, and explicit conditions.

  1. Consent should be voluntary and “opt-in”: silence, pre-ticketed boxes, and inactivity will not be allowed anymore.
  2. Data must be collected only for specific purposes, which cannot be widened after the initial agreement.
  3. Data subjects must be informed, meaning that they must be provided with a clear, easily accessible and plain explanation on the processing.
  4. For each purpose of processing, there should be a separate opt-in, to ensure granularity of consent.
  5. Last but not least, the consent must be given explicitly. Being in a digital or online context, companies can rely on electronic forms, emails, upload of scanned documents, electronic signatures, oral statements or a two-stage verification.

Companies have to implement procedures to inform users about the processing, to give them the chance to object to it and to control the further use of their data.

In addition to these practices - applied to Consents received from the GDPR on - companies have to review all the mechanisms they already have in place, to ensure privacy and security compliance and that all the elements of valid consent are covered also on old consents.

However, the new rules do not only affect the Client Side. There will also be precise requirements on the Server Side from the end of May on.

The GDPR is very specific on this point, it states two things:

  • obviously, not only the collection but also the storing of all these Consents must be implemented in a legally valid manner;
  • for each stored information, companies must be able to demonstrate that the collection has been done lawfully.

“Legally valid manner” is not so straightforward. As well as the term “lawfully”.

Which procedures have to be actually implemented to comply with the new rules?

There are three stages to be considered.

  1. First of all, the moment of collection. Companies are obliged not to include excessive amounts of sensitive data in processing activities when tracking collected consents: the information should be enough to show a link to the processing but no more than necessary. Also, at the end of the processing activity, proof of consent should be kept for no longer than strictly necessary.
  2. Secondly, the case of new/updated processing. Data subjects must remain well informed about how their health data is being used and how to exercise their rights; therefore, changes in the policies or on a lawful basis require refreshing consent. Providing all the information again at appropriate intervals is recommended even if no change in the conditions occurs.
  3. Lastly, the withdrawal of consent. If no other lawful basis to justify the processing exists, then the data should be deleted or anonymised. If the user exercises the right to be forgotten, then all the information must be erased.

In all cases, the controllers must be able to prove, for the entire duration of the data processing activity, that the subjects have given their consent, the exact purpose of collection and the GDPR compliant storage.

Even though, if presented in this way, the GDPR regulation on this topic seems to have no more secrets, the new process for Consent Management, to be implemented in a proper way, requires further experience, costs, time and implies risks.

C. Then, how helps you?

Implementing all requirements by yourself may become difficult, time-consuming, and risky in the event of errors. has developed a brand new feature to support you in GDPR compliance on consent tracking and to let you focus on your business.
It consists of an extremely simple digital health API that ensures compliance with all requirements and eliminates risks, which you can implement in less than 5 minutes.

With API, developers of digital health applications can store, update, and delete consents via 1 API call. In addition, they can search by User-Id, get full histories of operations with the consent of users and get the legally valid audit log in case of legal issues. Everything is accompanied by references to the Privacy Policy, User-Id, Data Controller Info, purposes for data processing and the accepted version of the policy.
Easy, right?

Talk to an expert