What Is GDPR and Why Consent Matters

Unlock the full meaning of GDPR and master consent requirements with our comprehensive guide. Learn what GDPR is, why consent matters, and how to stay compliant.

GDPR Explained: What Is GDPR, DSGVO, and RGPD?

Introduction to GDPR, DSGVO, RGPD

The General Data Protection Regulation (GDPR) is the EU’s landmark privacy law designed to give individuals more control over their personal data. Since coming into force on May 25, 2018, GDPR has reshaped how organizations collect, process, and store personal information. Non-compliance can lead to fines of up to €20 million or 4% of global turnover per violation, making GDPR compliance essential for any business operating in or targeting the EU market.

The General Data Protection Regulation (GDPR) is referred to as DSGVO in Germany, and as RGPD in French, Spanish, Italian, and Portuguese-speaking countries.

What Does GDPR Stand For? (GDPR Meaning Explained)

  • GDPR meaning: A regulation that standardizes data protection across all EU member states.

  • Scope: Applies to any organization, regardless of location, that processes the personal data of EU residents.

  • Key Objectives:

    1. Data Subject Rights: Grant individuals rights like access, correction, deletion, and data portability.
    2. Accountability: Require businesses to demonstrate compliance through documentation and processes.
    3. Security: Mandate robust technical and organizational safeguards to protect personal data.

Why GDPR Compliance Matters

  1. Avoid Heavy Fines: Up to €20 million or 4% of global annual revenue per infraction.
  2. Build Trust: Demonstrating strong data protection practices enhances brand reputation.
  3. Competitive Advantage: GDPR-compliant businesses stand out in privacy-focused markets.

UniConsent’s platform simplifies GDPR compliance by automating consent collection, management, and audit trails—ensuring you meet all requirements today and tomorrow.

Understanding Consent Under GDPR

What Is Consent? (Consent Definition)

Under GDPR, consent is defined as a “freely given, specific, informed, and unambiguous indication of the data subject’s wishes.” It must be:

  • Active: Affirmative action such as ticking an unchecked box.
  • Informed: Clear explanation of who is collecting data, why, and for how long.
  • Specific: Separate consents for different processing activities.
  • Revocable: Users must be able to withdraw consent at any time without detriment.

Acceptable Forms of Consent

  • Checkboxes (unchecked by default) on web forms.
  • Electronic statements (e.g., clicking “I agree”).
  • Oral confirmations documented by the controller.
  • Technical settings (e.g., privacy dashboards).

Unacceptable Consent Practices

  • Pre-ticked boxes or inactivity (silence does not equal consent).
  • Bundled consents (one click for multiple unrelated purposes).
  • “Scroll-through” agreements where continuing to browse equals consent.

Key GDPR Articles on Consent

GDPR Reference   Summary
Art. 4(11)       Defines consent as “freely given, specific, informed and unambiguous.”
Art. 7(1–4)      Outlines conditions for valid consent and obligations of controllers.
Recital 32       Advises clear, concise language and visual aids to explain consent requests.
Recital 42–43    Emphasizes free choice, separate consents, and no detriment for withdrawal.

Best Practices for GDPR Consent Management

  1. Transparent Notices: Use plain language and visual cues to explain data uses.
  2. Granular Options: Allow users to consent separately to marketing, analytics, and personalization.
  3. Easy Withdrawal: Provide a clear “Withdraw Consent” link in every email or privacy dashboard.
  4. Audit Trails: Log timestamps, consent versions, and user actions to demonstrate accountability.
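The four practices above can be modelled as a small consent store: every purpose starts out off (no pre-ticked boxes), each purpose is granted or withdrawn separately, every action is logged with a timestamp and policy version, and non-essential tags load only against a current grant. This is an added illustration, not UniConsent's code; the names PURPOSES, POLICY_VERSION, ConsentStore and shouldLoadTag are assumed.

```javascript
// Added example (not UniConsent's code): a minimal consent record model.
// Assumed names: PURPOSES, POLICY_VERSION, ConsentStore, shouldLoadTag.
const PURPOSES = ["marketing", "analytics", "personalization"]; // granular options
const POLICY_VERSION = "2024-01"; // constructed example policy version

class ConsentStore {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    // No pre-ticked boxes: every purpose starts out NOT granted.
    this.state = Object.fromEntries(PURPOSES.map((p) => [p, false]));
    this.log = []; // audit trail: timestamp, policy version, purpose, action
  }

  // Record an affirmative act for exactly one purpose (separate consents).
  grant(purpose) { return this.record(purpose, "grant", true); }

  // Withdrawal must always be possible and is logged like any other action.
  withdraw(purpose) { return this.record(purpose, "withdraw", false); }

  record(purpose, action, value) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    this.state[purpose] = value;
    const entry = { ts: this.now(), version: POLICY_VERSION, purpose, action };
    this.log.push(entry);
    return entry;
  }

  // Non-essential processing is gated on an explicit, current grant.
  isAllowed(purpose) { return this.state[purpose] === true; }
}

// Decide whether a tag may load: essential tags never need consent,
// every other tag needs a grant for its declared purpose.
function shouldLoadTag(store, tag) {
  if (tag.essential) return true;
  return store.isAllowed(tag.purpose);
}
```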

Understanding GDPR Fines

The General Data Protection Regulation (GDPR) imposes strict penalties on organizations that fail to comply with its data protection requirements. These fines are designed to ensure accountability and encourage proper handling of personal data across the EU and beyond.

Two Tiers of GDPR Fines

GDPR enforcement distinguishes between two levels of infringements, each with its own maximum fine:

1. Lower Tier Fine: Up to €10 million or 2% of Global Annual Turnover

Applies to violations such as:

  • Failing to maintain proper records of processing activities
  • Not notifying the supervisory authority or data subjects about a data breach
  • Inadequate data protection by design and by default
  • Lack of data processing agreements with third parties

2. Higher Tier Fine: Up to €20 million or 4% of Global Annual Turnover

Applies to more serious violations, including:

  • Breaching basic principles of data processing, such as lawfulness, fairness, and transparency
  • Unlawful processing of special categories of data
  • Failing to obtain valid consent
  • Infringing on data subject rights (access, erasure, portability, etc.)

Using tools like UniConsent helps businesses stay aligned with GDPR requirements by offering automated consent management, real-time audit trails, and customizable privacy settings—minimizing the risk of costly penalties.

GDPR Compliance Checklist

Ensure your organization meets the requirements of the General Data Protection Regulation (GDPR) with this practical checklist. Use it to identify gaps and maintain full compliance:

1. Lawful Basis for Data Processing

  • Identify and document the legal basis for all data processing activities.
  • Ensure consent is freely given, specific, informed, and unambiguous where required.

2. Transparent Data Collection

  • Provide clear and accessible privacy notices.
  • Inform users about what data is collected, how it’s used, and who it’s shared with.

3. Consent Management

  • Implement a GDPR-compliant consent mechanism.
  • Allow users to easily opt in or out of non-essential cookies and data tracking.

4. Data Subject Rights

  • Enable users to exercise their rights: access, rectification, erasure, restriction, portability, and objection.
  • Respond to data subject requests within one month.

5. Data Protection by Design

  • Integrate data protection measures into your systems and processes from the outset.
  • Limit data collection and retention to what is necessary.

6. Third-Party Data Sharing

  • Audit all third-party services and ensure Data Processing Agreements (DPAs) are in place.
  • Only share data with processors that are GDPR-compliant.

7. Data Security Measures

  • Use appropriate technical and organizational measures to secure personal data.
  • Regularly assess and update security protocols.

8. Records of Processing Activities

  • Maintain internal records of data processing operations.
  • Include purposes of processing, categories of data, data recipients, and retention periods.

9. Data Breach Response Plan

  • Establish a clear protocol for detecting, reporting, and investigating data breaches.
  • Notify the supervisory authority within 72 hours of a breach when required.

10. Regular Compliance Reviews

  • Conduct periodic audits of data protection practices.
  • Update policies and procedures to reflect changes in law or data use.

How to Create a GDPR Privacy Policy

A GDPR-compliant privacy policy is essential for any organization that collects, processes, or stores personal data of individuals in the European Union. It builds trust, ensures transparency, and fulfills one of the key obligations under the General Data Protection Regulation (GDPR).

What Is a GDPR Privacy Policy?

A GDPR privacy policy is a public-facing document that explains how your organization collects, uses, stores, shares, and protects personal data. It also outlines the rights of data subjects and how they can exercise those rights.

Under Article 12 of the GDPR, the information must be presented in a concise, transparent, intelligible, and easily accessible form using clear and plain language.

Key Elements of a GDPR Privacy Policy

  1. Identity and Contact Details
  2. What Data You Collect
  3. How and Why You Collect Data
  4. Data Sharing and Third Parties
  5. How Long You Keep Data
  6. Data Subject Rights
  7. Use of Cookies and Tracking
  8. Security Measures
  9. How to File a Complaint

Creating your privacy policy from scratch can be time-consuming. Use UniConsent’s free Privacy Policy Generator to instantly create a GDPR-compliant privacy policy tailored to your business needs.

GDPR Countries: Who Is Covered by the Regulation?

The General Data Protection Regulation (GDPR) applies to all countries within the European Economic Area (EEA) — which includes the European Union (EU) member states plus a few non-EU countries. It also applies to organizations outside these countries that process the personal data of individuals located within the EEA.

EU Member States (27 countries)

  1. Austria
  2. Belgium
  3. Bulgaria
  4. Croatia
  5. Cyprus
  6. Czech Republic
  7. Denmark
  8. Estonia
  9. Finland
  10. France
  11. Germany
  12. Greece
  13. Hungary
  14. Ireland
  15. Italy
  16. Latvia
  17. Lithuania
  18. Luxembourg
  19. Malta
  20. Netherlands
  21. Poland
  22. Portugal
  23. Romania
  24. Slovakia
  25. Slovenia
  26. Spain
  27. Sweden

EEA Non-EU Countries

  1. Iceland
  2. Liechtenstein
  3. Norway

UK and UK GDPR

The UK is no longer part of the EU or EEA but has implemented its own version of the GDPR known as the UK GDPR, which closely mirrors the EU regulation. Organizations processing data from UK residents must comply with UK GDPR.

Common GDPR Compliance Caveats

  • Not Just Checkboxes: True GDPR compliance goes beyond ticking a box; it requires ongoing governance and documentation.
  • Third-Party Cookies: Ensure any external trackers on your site are covered by your consent mechanism.
  • UK vs. EU GDPR: While similar, the UK GDPR incorporates slight differences post-Brexit—review both if you operate in both jurisdictions.

Consent Law and GDPR Compliance

Ch. I, Art. 4(11); Ch. II, Art. 7, §§ 1-4. "Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided." Recital ¶ 32. Information supporting the consent must be "concise, easily accessible and easy to understand, and … clear and plain language and, additionally, where appropriate, visualisation [must] be used," where it is "difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising." Recital ¶ 58.

"Safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. … [A] declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment." Recital ¶ 42. "Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance." Recital ¶ 43, Ch. II, Art. 7, § 4.

"Scrolling down or swiping through terms and conditions which include declarations of consent (where a statement comes up on screen to alert the data subject that continuing to scroll will constitute consent) will not satisfy the requirement of a clear and affirmative action." - from the Article 29 Working Party.

Consent Law and GDPR Compliance Overview

Consent

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her.

Acceptable Forms of Consent

Valid and compliant user consent can be, for example, a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services, or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.

Unacceptable Forms of Consent

Silence, pre-ticked boxes or inactivity should not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Clear, concise and understandable

Information supporting the consent must be concise, easily accessible and easy to understand. It must be presented using clear and plain language and, additionally, where appropriate, visualisation must be used, where it is difficult for the user to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising.

Appropriate Safeguards

Safeguards should ensure that the user is aware of the fact that and the extent to which consent is given. Declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the user should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the user has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

GDPR Compliance Caveats

Being compliant with the GDPR is not as easy as agreeing to terms and conditions. It involves much more than scrolling down or swiping through terms and conditions that include declarations of consent (where a statement appears on screen to alert the data subject that continuing to scroll will constitute consent); that kind of setup will not satisfy the requirement of a clear and affirmative action for consent.

Further Reading on GDPR and Consent

By understanding the meaning of GDPR and implementing robust consent processes, your organization can not only avoid penalties but also build stronger, trust-based relationships with customers. Start your GDPR compliance journey today with UniConsent’s streamlined solutions.

UniConsent Consent Manager for GDPR Compliance

  • Certified IAB CMP
  • Google Consent Mode v2 support
  • Fully customisable multiple stages
  • One-tag Implementation
  • Google Tag Manager support
  • Tracking and insight
  • Multiple languages support
  • IAB TCF and Google DFP support
  • Prebid GDPR CMP API support
  • JavaScript tags blocking and cookies blocking
  • Cookies scan and disclosing
  • Certified by IAB Europe
  • Easy self-serve solution
  • Learn more from GDPR Summary


Comply With Global Privacy Regulations

Trusted by 5,000+ global publishers and marketers

Get started to make your website and application compliant with EU GDPR, US CPRA, Canada's PIPEDA, etc.