GDPR Consent Form Template

A GDPR consent form is a structured mechanism for collecting and recording an individual's freely given, specific, informed, and unambiguous agreement to one or more defined data processing activities. Under GDPR Article 7, the controller must be able to demonstrate that consent was obtained — making the form's timestamp and per-purpose structure as important as the consent itself.

Use it whenever consent is your chosen lawful basis for processing personal data — typically for marketing communications, behavioral analytics, or any non-essential processing where legitimate interest or contract cannot apply. The trigger is specific: if you cannot point to another valid lawful basis under GDPR Article 6, a documented consent record is not optional.

Yes — bundling multiple purposes under a single checkbox violates the GDPR's specificity requirement. Each distinct processing activity (e.g., email marketing, third-party data sharing, profiling) must have its own opt-in field so that individuals can grant or withhold consent for each purpose independently. Pre-ticked boxes are explicitly prohibited and render consent invalid.

GDPR sets no fixed expiry, but the European Data Protection Board recommends reviewing and refreshing consent periodically — typically every 12 to 24 months — to ensure it remains current and informed. Consent also becomes invalid immediately if the processing purpose changes materially, if the original consent wording was ambiguous, or if a user exercises their right to withdraw.

The form must clearly identify the data controller, specify each processing purpose in plain language, name any third parties who will receive the data, explain the individual's right to withdraw consent at any time without detriment, and record the exact moment and version of consent granted. Vague language like 'we may use your data to improve our services' is insufficient and has been cited in regulatory enforcement actions.