In respect of the data subject enforcing their rights, it should first be noted that withdrawing consent, i.e. removing the controller's right to use your data, is not the same as the right of erasure. Consent is specific and unambiguous and is given for a particular activity.
For example, many of us will use an online web form to download a document. If there is a check box to receive marketing material from the site, and we tick the box, we will receive the marketing materials.
If we later withdraw the marketing consent, will our information be erased as well?
Does the original consent we gave cover both the receipt of marketing materials AND the processing of our information, or are they two different things?
Firstly, to download a document from a web page, there should be no need to provide personal data, and the website should be specific as to why it needs such personal data and what use will be made of it. The website would also need consent, or another lawful basis, to do this. Thus, if the only purpose is for the website to send marketing data (and ordinarily, only an email address should be required), then removal of the consent would require deletion of the data. It is wise for explicit and implicit consents to be kept apart.
Within the Article 13 privacy notice, there should be an explanation of how long the data will be retained. The retention period should be no longer than necessary.
Here are two useful examples:
Example 1: Yesterday I provided my details for a telecommunications provider to send out their monthly newsletter about their new products. This is based on my consent and this is the ONLY processing the telecoms company may do on my behalf.
Today I have withdrawn consent for THIS process. The telecoms company has no legal basis for holding my data. The only reason they had it in the first place was for that single process. At this point, they should now delete my data.
Example 2: I have a contract with the telecommunications provider and they hold my email, telephone and work address to speak to me about our contract. This is on a contractual and/or legitimate interest basis.
I go on to the telecoms provider's website and sign up for its weekly newsletter. I provide my consent as the basis for this process.
Today, again, I have changed my mind, so I contact the telecoms provider to withdraw my consent. They carry out this request and stop sending marketing materials. However, they will retain all my data for other purposes. Ergo, they will not delete, forget or erase me.
If consent is the only basis for processing, then the act of withdrawing my consent will look the same as a request for deletion. If you hold the same data under another basis for processing, then the withdrawal will not impact the data you hold on me.
Generally, consent should be the last resort because as soon as an individual revokes consent, the processing must stop.