GDPR does not permit bundled consent. An institution cannot present a single checkbox that reads "I consent to use of my personal data" and satisfy the Act's requirements. Each purpose for which personal data is processed requires a separate, specific, freely given consent — and the borrower must be able to grant consent for some purposes and withhold it for others. The Consent Management Agent AI implements this requirement as a set of discrete consent modules — one per processing purpose — that capture, record, and enforce permissions at the granularity the GDPR demands.
What the GDPR requires — and what lenders have typically been doing instead
GDPR specifies five requirements for valid consent in the European context: it must be free (not coerced or bundled with a non-negotiable take-it-or-leave-it); it must be specific (one consent per purpose, not a blanket authorisation); it must be informed (the borrower must understand what they are consenting to in plain language); it must be unconditional (consent cannot be made a precondition for an unrelated service); and it must be capable of being withdrawn at any time. A consent architecture that satisfies all five requirements looks nothing like the typical single-checkbox form that most European lenders were using before the GDPR came into force.
The typical pre-GDPR consent approach embedded a 400-word legal paragraph at the bottom of the application form, linked it to a tickbox, and treated a ticked box as omnibus consent for every data processing activity — marketing, bureau pulls, LSP sharing, analytics, and regulatory reporting alike. The GDPR makes this approach non-compliant: each of those five processing activities requires its own consent capture, its own plain-language explanation, and its own record.
"A consent that covers everything covers nothing specifically. The GDPR requires the borrower to know what they are agreeing to — and that knowledge requires a separate explanation for each thing."
The consent module framework: mandatory, purpose-linked, and granular
🔒
Module 1 — Loan processing and credit assessment
Your application data (income, identity, existing liabilities) is used to assess your eligibility and process your loan application. This includes a credit bureau enquiry.
Mandatory · Cannot opt out
This is a legitimate interest / contractual necessity under GDPR Section 7(b) — consent is not required because the processing is necessary to fulfil the contract the borrower is entering into. The module is displayed for transparency but cannot be unchecked. The bureau enquiry is a hard enquiry and the borrower is informed it will appear on their credit bureau report.
→ Legal basis: GDPR Section 7(b) (contractual necessity) · Consent not required but processing disclosed
🔒
Module 2 — Regulatory compliance and reporting
We are required by the ECB / EBA to report your loan account to credit bureaus monthly, to submit your KYC / AML to the Central KYC / AML Registry, and to file regulatory returns that include anonymised account data.
Mandatory · Legal obligation
Processing for regulatory compliance is permitted under GDPR Section 7(d) — legal obligation. The institution is required by law to report to credit bureau, submit to CKYCR, and file regulatory returns. The borrower cannot opt out of processing that the institution is legally required to perform. The module explains this clearly rather than hiding it in a footnote.
→ Legal basis: GDPR Section 7(d) (legal obligation) · Cannot be opted out · Disclosure required
✓
Module 3 — Sharing with Lending Service Providers (LSPs)
To process your application and manage your loan, we share your data with service providers we have appointed — including technology platforms, collections agencies, and field verification agents. They are bound by data protection agreements.
Opted in
LSP sharing is a consent-required purpose under the GDPR — it goes beyond the direct lender-borrower contract and involves third parties. The specific LSPs and the categories of data shared with each must be disclosed. Withdrawing this consent after loan origination does not stop collections activity (which continues under contractual necessity) but stops sharing with analytics and marketing vendors.
→ GDPR consent required · Specific LSPs listed in Schedule · Withdrawal stops non-essential sharing only
✓
Module 4 — open banking / PSD2 aggregator data access
With your permission, we can pull your bank statements directly via the open banking / PSD2 data framework — this replaces uploading physical bank statements and speeds up processing. You can revoke this access at any time via your AA app.
Opted in
AA data access is explicitly consent-required under the ECB / EBA's open banking / PSD2 data framework and GDPR. The borrower's consent is time-limited and purpose-specific — granted for "loan processing at [institution], valid for 90 days." Revocation is available at the AA level (the borrower's AA app) independently of the institution, which the module discloses explicitly.
→ AA framework consent · Time-limited: 90 days · Revocable independently via Anumati / Sahamati AA app
✗
Module 5 — Marketing communications — similar products
We may contact you from time to time with information about our other loan products, interest rate offers, and financial services that may be relevant to you. This is entirely optional.
Opted out
Marketing consent is the clearest example of GDPR's "freely given" requirement — the borrower's access to the loan cannot be made conditional on accepting marketing communications. The module is displayed as an optional checkbox that defaults to unchecked (opt-in, not opt-out). If the borrower leaves it unchecked, no marketing communication is sent — and the consent record shows the borrower actively saw and declined this module.
→ Opt-in required · Defaults unchecked · Does not affect loan access · Withdrawal stops all marketing immediately
✗
Module 6 — Analytics and product improvement
With your permission, we use anonymised data from your application and loan behaviour to improve our products and credit models. Your individual data is never sold or shared with external analytics companies.
Opted out
Internal analytics and model improvement is a consent-required purpose that is often incorrectly categorised as a legitimate interest. Using a borrower's data to improve the institution's credit scoring model is not necessary for the borrower's loan — it benefits the institution and future borrowers. The GDPR requires consent for this purpose. The institution may use aggregated, truly anonymised data without consent — but individual-level model training data requires it.
→ Opt-in required · Defaults unchecked · Anonymised aggregate data continues without consent
✗
Module 7 — Cross-selling — third-party financial products
You agree to be contacted by our partner financial services companies — including insurance providers and investment platforms — whose products may be relevant to your financial situation.
Opted out
Third-party marketing requires explicit, separate consent — sharing a borrower's contact details with a partner insurance company is not contemplated by the loan contract and cannot be treated as a legitimate interest. This module is the most frequently unchecked in borrower populations — awareness of third-party data sharing tends to produce active opt-outs. The institution cannot bundle this with any other consent module.
→ Strictly opt-in · Third-party partners listed in Schedule B · No default sharing without explicit grant
The consent capture screen: what the borrower sees
Your Data — Your Control · Application LA-2025-9841 · Ananya Krishnamurthy
GDPR compliant consent · Nov 14, 2025 · 10:04:18
Before we process your application, we want to be clear about how we use your data. Some uses are necessary for your loan — others are optional. Please review each below. You can change these settings at any time in your account.
🔒
Loan processing and credit check
We use your data to assess your application and pull your credit report. This is necessary to process your loan.
Required
🔒
Regulatory reporting
We report your account to credit bureau monthly and submit KYC / AML to CKYCR as required by the ECB / EBA.
Required by law
✓
Sharing with our service providers
Vendors who help us process your application and manage your account. Full list in Schedule A.
✓
Bank statement access via open banking / PSD2 aggregator
Speeds up your application — replaces uploading PDFs. Valid for 90 days. Revocable in your AA app.
□
Updates about our products (optional)
Occasional messages about relevant loan offers and rate changes. You can unsubscribe at any time.
□
Help us improve (optional)
Using your anonymised data to improve our products. No individual data is shared externally.
□
Offers from our partner companies (optional)
Insurance and investment products from companies we partner with. Partner list in Schedule B.
7Consent modules — 2 mandatory disclosures (legal basis) · 5 optional (genuine consent) · Each with plain language explanation
SpecificOne purpose per module — no bundling · Borrower can grant some and withhold others without affecting loan access
Opt-inAll optional modules default unchecked — the borrower must actively tick, not untick, for optional processing
Any timeEvery consent module withdrawal-capable at any time — including after loan disbursement
A consent architecture designed for compliance is not the same as a consent architecture designed for borrowers
A consent screen designed purely for GDPR compliance can be technically lawful and practically unintelligible — seven separate consent requests, each with legal language, presented at the moment the borrower is most focused on getting their loan approved. The Consent Management AI's module framework is designed for both: each module's plain language explanation is tested for comprehension, not just legal accuracy. A borrower who cannot understand what they are consenting to is not giving informed consent. The GDPR's "informed" requirement is not satisfied by making the information available in a privacy policy — it is satisfied when the borrower understands what they are agreeing to before they click. The consent screen is the compliance act. The privacy policy is the reference document.
