Controllers are free to develop methods to comply with this provision in a way that is fitting in theirdaily operations. At the same time, the duty to demonstrate that valid consent has been obtained bya controller, should not in itself lead to excessive amounts of additional data processing. This meansthat controllers should have enough data to show a link to the processing (to show consent wasobtained) but they shouldn’t be collecting any more information than necessary.

t is up to the controller to prove that valid consent was obtained from the data subject. The GDPRdoes not prescribe exactly how this must be done. However, the controller must be able to prove thata data subject in a given case has consented. As long as a data processing activity in question lasts, the

In order to comply with privacy laws, especially the GDPR, companies need to store proof of consent so that they can demonstrate that consent was collected. These records must show: when consent was provided;who provided the consent;what their preferences were at the time of the collection;which legal or privacy notice they were presented with at the time of the consent collection;which consent collection form they were presented with at the time of the collection.

Because consent under the GDPR is such an important issue, it’s mandatory that you keep clear records and that you’re able to demonstrate that the user has given consent; should problems arise, the burden of proof lies with the data controller, so keeping accurate records is vital.

Keeping comprehensive records that include a user ID and the data submitted together with a timestamp. You also keep a copy of the version of the data-capture form and any other relevant documents in use on that date.

Furthermore, the consent-based regime creates an obligation to document that consent was lawfully given.

See a full history of user consents and data requests. Use the records to prove your compliance in case of an audit by data protection authorities.

These records should include a userid, timestamp, consent proof, record of the consenting action, and the legal documents available to the user at the time of consent, among other things.