Your right to withdraw your consent (Article 7(3))

right to withdraw consent

What is the right to withdraw your consent?

Under the GDPR, there are six legal bases to process your data. For example, your consent, a contract (e.g. your address is used to deliver goods you ordered), or a legal requirement (e.g. obligation to preserve records under tax laws). Your right to object depends on the legal basis that a company chooses. For example, if your data is processed based on legitimate interest, you cannot withdraw your consent (since no consent was given in the first place), but you can object to the processing (see below under Your right to object).

If you are not sure if the company asked you for consent, you should be able to find the correct legal basis in the privacy policy. If there is no way of finding out, you can exercise your right to withdraw anyways – worst case, it gets denied.

How can I exercise my right to withdraw consent?

  • You can send an informal message to the company or use a template, clearly identifying which consent you withdraw (e.g. “when clicking on the cookie banner”).
  • You may emphasize that the recipients of your data are also prohibited from processing your data and that the company informs the recipients of this fact.
  • By law, it must be as easy to withdraw as to give consent. 

What are the consequences of withdrawing my consent?

  • The company must stop processing your data as soon as you withdraw your consent.
  • The right to withdraw consent is not retroactive, which means any processing operations which took place before you revoked your consent will not become illegal on withdrawal.
  • The company is not allowed to process your data based on consent anymore but might still do so if there is another legal basis in place that justifies continued processing (e.g. a contract you have with the company or legal obligations on their side).
  • Articles 17 to 19 GDPR give you the right to prohibit all recipients from processing data based on consent.
  • If there are no other legal grounds, your data has to be deleted.
  • Withdrawing should not change the level of service that you are provided with.

Typical Problems

  • Companies switch to another legal basis once you withdraw your consent
  • Companies do not respond within the deadline
  • Companies say they are technically unable to implement the withdrawal

Exercising your rights under the GDPR is simple and an informal email is sufficient in most cases. Still, there are some elements to keep in mind. Click here, if you are interested in helpful tips!