Exercising your GDPR Rights – your right to withdraw your consent – Article 7(3)

Like a 6am aerobics class that you regret signing up for, it’s important to be able to change your mind and withdraw from a class or activity you agreed to do. The GDPR does the same for you regarding your data, and this is where Article 7(3) comes in.

Your Right to Withdraw Your Consent

Like an exercise class that seemed like a good idea at the time, it’s important to be able to change your mind and withdraw from certain things you sign up for. The GDPR ensures that the same is possible when you give your consent to have your data processed; under Article 7(3) GDPR, you have the right to withdraw your consent for processing your data at any time. Before the GDPR, a right to withdraw consent did not explicitly feature in EU law; its inclusion in the GDPR is an important clarification of the body of data protection rights available to people in the EEA.

However, most of the advice on withdrawing consent that is currently available focuses on telling companies and organisations how they should structure their business practices. In comparison, there is almost no guidance out there that helps direct individuals in how they can go about asserting the right to withdraw consent. This is where the moves below come in – read on to find out how you can exercise your right to withdraw your consent …

Step 1: Identify where you need to send your declaration of withdrawal

Step 2: Drafting your declaration

Step 3: Controller response

Step 4: Mismatch between how I gave and how I can withdraw my consent?


What does consent look like under the GDPR? What is the role of consent in the GDPR?

Under the GDPR, consent is only one of six legal bases on which a company, organisation or other entity can lawfully process your data. Consent must be a “freely given, specific, informed and unambiguous indication”, given via a statement or clear affirmative action, that you agree to the processing of your data.

The legal basis used to process your data should be explained in the privacy policy or terms of use of the organisation or company processing your data. If you can’t find that information, then the other party is in breach of their GDPR transparency obligations, and you are entitled to access that information via an access request. (To make one of these, see our advice for exercising your right to access).

In which cases can I withdraw my consent?

Your right to revoke your consent is only applicable when the processing of your data is based on consent. When the processing is based on it being necessary to perform a contract (e.g. your address for the delivery of goods), or to meet a legal requirement (e.g. communication by your employer of your social security data for processing income tax), this right of withdrawal does not apply.

If this information is difficult to find, or it does not seem to be in the privacy policy, that’s the fault of the controller, not you. The GDPR requires controllers to specify the legal basis they are using to process your data, in a clear and readable format, before you agree to the processing. You are also entitled to ask the controller to inform you of the legal basis of the processing and to receive this information within one month of asking the controller. (Click here to find out how you can exercise your right to access this information.)

What are the consequences of withdrawing my consent?

The controller must stop the processing of your data (and, unless another legal basis applies, delete it) as soon as you withdraw your consent. The right to withdraw consent is not retroactive, which means any processing operations which took place before you revoked your consent will not become illegal on withdrawal. The controller also does not have to delete the personal data that was processed before you withdrew your consent; they will only be required to delete this data if no other legal basis exists to justify its continued processing.

When can I exercise my right to revoke consent?

You can withdraw your consent at any time.

How can I exercise my right to revoke consent in practice?

The entity collecting or using your data (referred to in the GDPR as the controller) must also inform you, before you give your consent, that you have the right to withdraw it at any time. At that point the controller must also inform you how you can withdraw it, and what the consequences of withdrawing it are, so that you can make as informed a decision as possible. This information should be easily accessible (e.g. in a privacy policy, or in the information box shown when you gave your consent; if you are giving consent over the phone, it should be read out to you).

You should generally be able to withdraw your consent the same way you gave it. The EDPB Guidelines from May 2020 clarify that you must be able to withdraw your consent free of charge, without lowering the level of service you are provided with, and without withdrawal being to your detriment. The EDPB is the EU body responsible for the consistent application of the GDPR, and is made up of representatives from each DPA.

The specific steps for withdrawing consent may differ slightly from case to case, as it will depend on how you gave it. Despite this, one rule of thumb applies in every case:

It shall be as easy to withdraw as to give consent. In other words, the way you withdraw consent should mirror the way you gave it, regardless of your situation.

Step 1: Identify where you need to send your declaration of withdrawal

A declaration of withdrawal of consent should be made in the same way you gave the consent. For example: if you gave your consent via an online form, there should be an easy-to-find opt-out link on the website of the same company; if you gave it when you downloaded an app, you should be able to withdraw via the app; and if you gave it over the telephone, you should be able to withdraw consent via the same number.

However, if these options are not available, you can still withdraw your consent by contacting the controller in writing declaring that you are withdrawing your consent.

To do this, you can simply email the company in question stating that you are withdrawing your consent.

The relevant email address can usually be found in the “privacy policy” or “contact us” section of the controller’s website. It will generally have a name like privacy@company.com or legal@publicauthority.eu. If this is difficult to find, or if there is no specific address to which you can send your request, that’s the fault of the controller, not you - the GDPR requires controllers to make this information easily accessible. Where there is no specific email address, you can use the general contact details of the controller.

Step 2: Drafting your declaration

(This step may not be necessary if you withdraw your consent via an online form on a website or an app, where available)

Specify your name or another identifier used by the controller (e.g. an account username), and state that you are withdrawing the consent you gave for the processing.

Include the date of your request in the text if you put your request in an attachment to the email or in a letter. This clarifies the controller’s deadline for stopping the processing.

To help the controller address your request more efficiently, include some information that would help to identify your account, such as your phone number (if you gave it when you signed up), username or account name, or IP address.

Step 3: Controller response

Once the controller receives your declaration, they must stop the processing immediately. After consent is withdrawn they are also obliged to delete that data, as long as there is no other justification for its continued storage.

You should ideally receive confirmation from the controller that the processing of your data based on consent has been stopped.

Step 4: What should I do if there is a mismatch between how I gave and how I can withdraw my consent?

If you cannot withdraw your consent the same way you gave it, you are entitled to file a complaint with your data protection authority (e.g. the DPA where you live or work) under Article 77(1) GDPR.

In your complaint, you can specify that the controller has violated Article 7(3) GDPR, which means that they may be subject to penalties from their local DPA, such as a fine. Article 83(5)(a) GDPR permits a violation of Article 7(3) by a controller to be subject to a fine of up to €20 million or 4% of total annual worldwide turnover.
