Obtaining and withdrawing consent
Procedures for obtaining and withdrawing consent
It is good to have procedures for obtaining and withdrawing consent, if the company uses consent as a legal basis for processing personal data.
Withdrawal of consent should be as easy as giving consent
It is important not to make it difficult for data subjects to withdraw their consent, as consent obtained under such conditions is invalid. Under Article 7(3) of the GDPR, it must as a general rule be as easy to withdraw consent as it is to give it.
The user interface should therefore be adapted so that withdrawing consent is both possible and easy, for example with an easy-to-find button for managing consent on the website, in a mobile application or similar.
Consent must be actively and freely given
- Active consent: Active consent means that the data subject gives it through an active act, for example by ticking a consent box. A pre-ticked consent box constitutes passive consent, which is not valid under the GDPR.
- Voluntary consent: Data subjects must not be subjected to influence intended to make them give consent, and they must not suffer any negative consequences if they refrain from consenting to a specific processing. Note also that consent may not be made a mandatory part of a contractual term.
The right to withdraw consent is an explicit right under the GDPR
Data subjects have eight (8) fundamental rights under the GDPR, but there are further rights beyond these, including the right to withdraw consent under Article 7(3) of the GDPR.
Keep in mind that consent is not always an appropriate legal basis
Consent is not always an appropriate legal basis for processing personal data. It is usually not appropriate where there is an imbalance of power between the parties, such as between an employer and an employee. The same applies between a public authority and a citizen.
What procedures for obtaining and withdrawing consent may include
Procedure for obtaining consent
Where consent is to be used as a legal basis
The procedures should specify which processing operations rely on consent as their legal basis. It is also good to state when consent is not an appropriate basis to use.
Information to be provided to data subjects prior to obtaining consent
The information about the processing must be provided to data subjects in a form that is easy to understand, and it must be provided separately from any other contractual terms.
Ensure that it is a voluntary and active consent
Pre-ticked consent boxes are prohibited, as they do not constitute active consent. Consent must also be given voluntarily, which means, among other things, that it must not be a requirement under contractual terms. If consent is not both freely and actively given, it is not valid.
How the company should document the consent
Companies must be able to demonstrate that they have obtained valid consent for a processing. It is therefore good to document how and when consent was obtained, for example in a CRM system or HR system.
Procedure for handling withdrawal of consent

The channels through which the withdrawal can take place
It is important to specify the communication channels through which a withdrawal of consent can be made. This reduces the risk that the employees who handle these cases miss a withdrawal. Note that a withdrawal of consent may not be refused.

What needs to be done when the withdrawal is received
When a data subject withdraws consent, the company must immediately cease the processing of personal data that was based on that consent. The personal data must also be deleted, unless there is another legal basis for the processing. It is also good to document the withdrawal in order to demonstrate compliance with the GDPR.

Inform the relevant departments
Internal communication within a company is important for many reasons. Some departments may need to be informed of a withdrawal of consent, so the procedures should specify who is informed. In addition, some systems may need to be updated in order to respect the withdrawal.

Document the withdrawal
Companies must be able to demonstrate that they comply with the GDPR, so it is good to document how received withdrawals of consent are handled, for example by recording the date, the processing to which the withdrawal relates, and the measures the company has taken to respect the withdrawal.
Does the company have to erase personal data in backup files in case of withdrawal of consent?
Yes, backup files must also be erased at regular intervals. However, personal data contained in backup files need not be deleted immediately, provided the backups are technically isolated from other data, are not used in daily work, and are erased according to established intervals. Backup files are often regarded as temporary storage that is necessary for an implemented technical security measure, and thus not as continued processing in violation of the GDPR.