Exercising your GDPR Rights – your right to withdraw your consent – Article 7(3)
Like a 6am aerobics class that you regret signing up for, it’s important to be able to change your mind and withdraw from a class or activity you agreed on doing. The GDPR does the same for you regarding your data and this is where Article 7(3) comes in.
Your Right to Withdraw Your Consent
Like an exercise class that seemed like a good idea at the time, it’s important to be able to change your mind and withdraw from certain things you sign up for. The GDPR ensures that the same is possible when you give your consent to have your data processed; under Article 7(3) GDPR, you have the right to withdraw your consent for processing your data at any time. Before the GDPR, a right to withdraw consent did not explicitly feature in EU law; its inclusion in the GDPR is an important clarification of the body of data protection rights available to people in the EEA.
However, most of the advice on withdrawing consent that is currently available focuses on telling companies and organisations how they should structure their business practices. In comparison, there is almost no guidance out there that helps direct individuals in how they can go about asserting the right to withdraw consent. This is where the moves below come in – read on to find out how you can exercise your right to withdraw your consent …
What does consent look like under the GDPR? What is the role of consent in the GDPR?
Under the GDPR, consent is only one of six bases that a company, organisation or other entity must use in order to legally process your data. Consent must be a “freely given, specific, informed and unambiguous indication” via a statement or clear affirmative action, that you agree to the processing of your data.
In which case can I withdraw my consent?
Your right to revoke your consent is only applicable when the processing of your data is based on consent. When the processing is based on it being necessary to perform a contract (e.g. your address for the delivery of goods), or to meet a legal requirement (e.g. communication by your employer of your social security data for processing income tax), this right of withdrawal does not apply.
What are the consequences of withdrawing my consent?
The controller must stop the processing of your data and (delete them) as soon as you withdraw your consent. The right to withdraw consent is not retroactive, which means any processing operations which took place before you revoked your consent will not become illegal on withdrawal. The controller also does not have to delete your personal data that was processed before you withdrew the consent; they will only be required to delete this data if no other legal basis exists to justify its continued processing.
When can I exercise my right to revoke consent?
You can withdraw your consent at any time.
How can I exercise my right to revoke consent in practice?
You should generally be able to withdraw your consent the same way you gave it. The EDPB Guidelines from May 2020 clarify that you must be able to withdraw your consent free of charge, without lowering the level of service you are provided with, and without withdrawal being to your detriment. The EDPB is the EU body responsible for the consistent application of the GDPR, and is made up of representatives from each DPA.
The specific steps for withdrawing consent may differ slightly from case to case, as it will depend on how you gave it. Despite this, one rule of thumb applies in every case:
It shall be as easy to withdraw as to give consent. In other words, the way you withdraw consent should mirror the way you gave it, regardless of your situation.
A declaration of withdrawal of consent should be carried out in the same way you gave it. For example, if you gave your consent via an online form, there should be an easy-to-find opt-out link on the website of the same company; if you gave it when you downloaded an app, you should be able to withdraw via the app; and if you gave it via the telephone, you should be able to withdraw consent via the same number.
However, if these options are not available, you can still withdraw your consent by contacting the controller in writing declaring that you are withdrawing your consent.
To do this, you can simply email the company in question stating that you are withdrawing your consent.
(This step may not be necessary if you withdraw your consent via an online form on a website or an app, where available)
Specify your name or other identifier used by the controller (e.g. an account username) and that you are seeking to withdraw the consent you gave for the processing.
Include the date of your request in the text if you put your request in an attachment to the email or in a letter. This clarifies the controller’s deadline for stopping the processing.
To help the controller address your request more efficiently, include some information that would help to identify your account, such as your phone number (if you gave it when you signed up), username or account name, or IP address.
Once the controller receives your declaration, they must stop the processing immediately. Once the consent is withdrawn they are obliged to delete that data, as long as there is no other justification for the continued storage of that data.
You should ideally receive confirmation by the controller that the processing of your data based on consent has been stopped.
Step 4: What should I do if there is a mismatch between how I gave and how I can withdraw my consent?
If you cannot withdraw your consent the same way you gave it, you are entitled to file a complaint with your data protection authority (e.g. the DPA where you live or work) under Article 77(1) GDPR.
In your complaint, you can specify that the controller has violated Article 7(3) GDPR, which means that they may be subject to penalties from their local DPA such as a fine. Article 83(5)(a) GDPR permits a violation of Article 7(3) by a controller to be subject to a fine of up to €20 million or 4% of total annual worldwide turnover.