What is the consent register?

Are there contact forms or newsletter subscription forms on your website?

If you use user data collected through forms for profiling and marketing activities, you need a consent archive! archivio dei consensi!

"And what would that be?" The consent register is a document or a digital system where consents provided by users for the processing of their personal data are recorded. That's it in a nutshell.

Why is the consent archive important?

This register serves to demonstrate that consents have been obtained in compliance with the rules established by the GDPR, and that they can be verified at any time by the competent authorities.

Maintaining a consent register is therefore crucial to demonstrate compliance with GDPR. In case of inspections by the Data Protection Authority or complaints, the consent register serves as proof that the company has complied with data protection regulations. Moreover, it helps maintain transparency and build trust with customers. In short, it could be a truly life-saving tool for your business!

How to store consent for processing

How to store consent for processing

Since consent under GDPR is a fundamental aspect, it is mandatory to maintain clear records and document that the user has actually provided their consent.

In case of disputes, it is the responsibility of the data controller, i.e., the website owner, to provide proof of consent, making accurate record-keeping essential.

According to Article 30 of GDPR, records should include:

  • the identity of who provided the consent;
  • the time and method by which consent was obtained from the individual user;
  • the consent collection form presented at the time of acquisition;
  • the conditions and legal documents applicable at the time consent was obtained.

A useful tool for easily and centrally managing consents for your data collection forms on the Avacy platform. With Avacy's consent archive, you can customize and integrate your forms to collect and document consent in compliance with GDPR.

Updating the consent register: why is it important?

There are several reasons why it's important to constantly update the consent archive:

  • GDPR Compliance: the General Data Protection Regulation (GDPR) requires companies to demonstrate that consent for personal data processing has been obtained validly. An always up-to-date register helps meet this legal requirement.
  • Prevent unlawful processing: an updated register allows avoiding improper use of personal data, ensuring that consents are current and reflect users' preferences and authorizations.
  • Managing user requests: data subjects have the right to modify or revoke their consent at any time. Maintaining an updated register allows responding quickly and effectively to these requests.
  • Demonstrating consent: in case of disputes or audits by authorities, an updated register constitutes proof that consent was obtained correctly and in compliance with regulations.
  • Transparency and trust: keeping the consent register updated demonstrates responsibility and transparency, strengthening users' trust in the company.

How often should the register be updated?

The GDPR consent register must be kept constantly updated. There is no specific frequency established by the regulation, but it is essential that the register always reflects the effectiveness of ongoing processing.

In practice, you should update the register whenever there are changes in personal data processing, such as variations in the types of data processed, processing methods, or changes by the user to their preferences.

Furthermore, it's important to update the register following regulatory changes that may affect ongoing processing.

If you don't keep the GDPR consent register updated, you could incur several negative consequences:

  • Administrative sanctions: control authorities can impose significant fines. Sanctions can reach up to 20 million euros or 4% of the company's global annual turnover, whichever is higher.
  • Criminal sanctions: in some cases, non-compliance can lead to criminal sanctions, especially if the violation causes significant damage to data subjects.
  • Compensation for damages: data subjects can request compensation for damages suffered due to non-compliant management of their personal data.
  • Temporary processing ban: authorities can impose a temporary ban on personal data processing until compliance with regulations is restored.

Keeping the consent register up to date is therefore essential to avoid these consequences and ensure proper and transparent management of personal data.

What does this mean for a website or e-commerce owner?

Managing the GDPR consent register is a fundamental task for every website owner, requiring a series of targeted actions to ensure both compliance with regulations and transparency towards users.

To begin with, it's essential to implement a consent collection system that uses effective tools, such as cookie banners, registration forms, or contact forms, thus allowing to record user authorizations in a clear and direct manner.

In parallel, it's fundamental to maintain a detailed record of all consents obtained. This rigorous documentation is crucial to demonstrate compliance with regulations in case of audits or requests from authorities.

Another important aspect is the regular updating of the register, ensuring that it reflects any changes in personal data processing or privacy policies. Transparency should always be at the center of the consent management strategy, so the privacy policy must be clear, understandable, and easily accessible. Users need to know exactly what data is being collected, for what purposes, and how it will be used, to feel safe in their navigation.

Finally, it's essential to guarantee users the possibility to revoke consent at any time. This revocation must be simple and immediate, to ensure that users can manage their preferences as easily as they provided initial consent. Creating an intuitive mechanism for revocation not only respects regulations but also demonstrates a strong commitment to protecting users' privacy.

Complying with the regulation is fundamental, otherwise you risk incurring significant sanctions.

In fact, control authorities can impose fines of up to 20 million euros or 4% of the company's global annual turnover, whichever is higher. In any case, it's better not to risk it. 

How to obtain valid consent from users

Here are the key steps to ensure that consent is compliant:

  • Free: consent must be given freely, without coercion or deception. Users must have the option to choose without suffering negative consequences.
  • Informed: users must be informed clearly and comprehensibly about what data will be collected, for what purposes, and how it will be used. The privacy policy must be easily accessible and detailed.
  • Specific: consent must be specific for each processing purpose. Generic consent for multiple purposes is not valid. Each purpose must be clearly indicated and separated.
  • Unambiguous: consent must be expressed through a clear and affirmative action, such as selecting a checkbox. Implicit or presumed consent, such as pre-selected boxes, is not valid.
  • Revocable: Users must be able to revoke their consent at any time, as easily as they provided it. You must inform users on how they can withdraw their consent.
  • Documented: maintain a detailed record of consents obtained, including information such as the date, time, IP address, and content of the information provided at the time of consent

How to be compliant easily

Complying with regulations may seem like a very difficult technical undertaking. Fortunately, Avacy has advanced solutions that greatly simplify the process of compliance with various regulations.

Avacy has all the necessary tools to facilitate compliance with privacy laws. With the consent archive, Avacy allows you to store and manage the "proof" of your users' consent in compliance with GDPR.