6 Matching Annotations
  1. Jul 2020
    1. Other examples of detriment are deception, intimidation, coercion or significant negativeconsequences if a data subject does not consent. The controller should be able to prove that the datasubject had a free or genuine choice about whether to consent and that it was possible to withdrawconsent without detriment.
    2. Controllers have an obligation to delete data that was processed on the basis of consent once thatconsent is withdrawn,assuming that there is no other purpose justifying the continued retention.56Besides this situation, covered in Article 17 (1)(b), an individual data subject may request erasure ofother data concerning him that is processed on another lawful basis, e.g.on the basis of Article6(1)(b).57Controllers are obliged to assess whether continued processing of the data in question isappropriate, even in the absence of an erasure request by the data subject.
    3. Also,mechanisms for data subjects to withdraw their consent easily must be available and informationabout how to withdraw consent must be provided.
  2. May 2020
    1. make it as easy to withdraw consent as to give it. The latter gets particularly interesting when considering that in some contexts, consent may be obtained “through only one mouse-click, swipe or keystroke” and therefore “data subjects must, in practice, be able to withdraw that consent equally as easily” per the WP29.

      It seems, then, that one should be careful to not make it too easy to opt in to something unless you are prepared to accept the liability for making it just as easy to opt out (which may be technically challenging).

    2. it is a question of balance — if one mouse-click was all it took to consent, is it appropriate to require a phone call during business hours to withdraw that consent? Probably not.