GDPR Requirements for Creating a Legal Consent
Creating a legally valid consent requires more than a signature. GDPR sets specific conditions that must be met before consent can be considered lawful. Skyfish helps you structure and manage the process, but you still control whether the content you create actually meets GDPR standards.
Below is a summary of the core requirements normally expected under GDPR when collecting consent for image use.
Consent must be informed
Signers must understand:
- who is collecting their data
- what the images/videos will be used for
- where the material may appear
- how long the consent is valid
- how they can withdraw their consent
If this isn’t stated clearly, the consent may not meet GDPR expectations.
Consent must be specific
A vague “for communication purposes” statement rarely satisfies GDPR.
Purpose must be:
- concrete
- narrowly defined
- directly tied to the images being used
Skyfish supports this by letting you define a Consent Purpose, but the clarity of that purpose is still your responsibility.
Consent must be freely given
Signers must have a genuine choice. If signing feels mandatory or tied to access to a service, the consent may not hold up.
Consent must be unambiguous
There must be a clear, affirmative action, which the digital signature provides. Skyfish handles this part (assuming your template is correctly written).
Consent must be easy to withdraw
GDPR expects withdrawal to be as easy as giving consent. This means your template must include:
- a clear explanation of how to withdraw
- the correct email address or contact point
Skyfish does not insert withdrawal instructions for you, so you must add these manually.
Consent must be documented
Skyfish stores the signed Digital Consent and makes it linkable to files, which supports auditability.
If consent is withdrawn, you are expected to:
- keep a record (by exporting the signed document before deletion)
- stop using any affected media
Skyfish enforces the “stop using the media” part by blocking downloads when the consent is removed.
What Skyfish provides vs. what you must provide
Skyfish provides:
- the structure
- the signature workflow
- the storage
- the linking functionality
- the automated download blocking
- the consent lifecycle management tools
You provide:
- the template text
- the purpose definition
- the privacy policy link
- the withdrawal contact
- internal compliance procedures
Skyfish cannot determine whether your template meets GDPR requirements, but it gives you the tools to manage the consent properly once you have it.