Overview
Draft consent forms and consent notices for personal data processing under GDPR Article 7. Covers all conditions for valid consent: freely given, specific, informed, unambiguous. Includes validation against EDPB Guidelines 05/2020.
Getting Started
Add your source materials to the project workspace, then activate the GDPR Consent Form (Art. 7) skill. The agent will guide you through the process step by step.
Example Conversation
Below is an example of how a typical consent form drafting session unfolds. The agent identifies purposes, drafts a granular consent form, and validates it.
You: We need a GDPR consent form for our SaaS platform. We want to send marketing newsletters by email and use cookies for analytics tracking. Some users also opt into a wellness feature that collects health data.
Agent: I’ll draft a consent form with three separate purposes, each with its own opt-in checkbox: (1) marketing newsletters, (2) analytics cookies, and (3) health data for the wellness feature. Since health data is special category data under Art. 9, that purpose will require explicit consent — a plain checkbox isn’t enough, so I’ll include a two-step confirmation mechanism. Let me load the reference and template.
You: Go ahead. Our DPO is privacy@acme.eu.
Agent: I’ve created consent-form.md with three granular purposes, controller identity, DPO contact, withdrawal mechanism (email to privacy@acme.eu or in-app toggle), consequences of refusing each purpose, and a link to your privacy notice. The health data section uses a two-step process: checkbox acknowledgement followed by a confirmation email. Let me run the validation tool.
You: Yes, validate it.
Agent: I ran validate_gdpr_consent. Result: 8/8 core elements present. Art. 9 special category data detected — explicit consent mechanism found. Purpose granularity: 3 distinct purposes detected. All checks passed.
Sample Output Excerpt
Below is a representative excerpt from a consent form showing one standard purpose and the special category data section.
1. Purposes and data categories
Please tick each purpose you consent to:
Marketing newsletters: Sending product updates, feature announcements, and promotional offers by email.
- Data collected: name, email address, communication preferences.
Analytics tracking: Using cookies to analyse browsing behaviour and improve website performance.
- Data collected: IP address (anonymised), cookies, page views, session duration.
2. Special category data (Art. 9)
- Step 1: I acknowledge that my health data (blood pressure readings, activity levels) will be processed for the purpose of providing personalised wellness recommendations within the app.
- Step 2: A confirmation email will be sent to your registered address. Click the confirmation link to finalise your explicit consent.
3. Right to withdraw consent (Art. 7(3))
You have the right to withdraw your consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.
How to withdraw: Send an email to privacy@acme.eu with the subject “Withdraw consent”, or use the consent management panel in your account settings.
Built-in Validation Tools
The skill includes an extension tool that checks consent documents for GDPR Art. 7 compliance and EDPB Guidelines 05/2020 conditions.
What the tool checks
| Check | Description |
|---|---|
| Lawful basis | Verifies a reference to Art. 6(1)(a), Art. 7, or GDPR as the legal basis for consent |
| Specific purposes | Detects purpose statements in the document |
| Withdrawal mechanism | Checks for withdrawal/revocation language and instructions |
| Freely given | Looks for indicators that consent is voluntary and not bundled with service access |
| Controller identity | Verifies the data controller is identified |
| Data categories | Checks that categories of personal data are listed |
| Privacy notice link | Verifies a reference to the Art. 13/14 privacy notice |
| Consent records | Checks for form version and timestamp fields for demonstrable consent (Art. 7(1)) |
| Art. 9 explicit consent | If special category data is detected, verifies an explicit consent mechanism (signed statement or two-step process) is present |
| Purpose granularity | Warns if fewer than two distinct purposes are found, prompting manual verification |
Run validate_gdpr_consent on the consent form after drafting or updating it to check that it is complete.