How to deal with GDPR in case of withdrawal of consent
What can be done if consent to the processing of personal data has been withdrawn? Is it necessary to delete all data?
How to deal with a situation where erasure cannot be carried out without losing other personal data? One thing is for sure - there is no need to panic, we have a solution for you :-).
It is not always necessary to delete personal data when consent is withdrawn. This is especially the case when the personal data is processed for several purposes at the same time. If it is, for example, a purchase contract, then we may process the customer's name at one time for the purpose of fulfilling the obligation under the purchase contract, for offering goods and services, but also for the enforcement of any claims. Even if the customer decides that they no longer wish to receive any further offers of goods and services, it is of course their right to withdraw this consent, but you can still store their name and surname until all other processing purposes have ceased.
But to be fair to both parties, remember that the moment there is really no longer any need for the processing purpose, you must destroy the personal data. Although even here, erasure could be debated. It is not your obligation to delete the data completely, but you must ensure that it is anonymised. In practice, you cannot then associate this data with specific customers, but you can, for example, use it for internal trend analysis.
And because GDPR is a very tricky area, there are situations where you will find yourself puzzling and asking repeatedly: What now? Imagine you have personal data recorded on a non-rewritable medium such as magnetic tape. They have recorded data that should be erased, but along with the data, there is also data on the tape that should not be erased. It is a rather deadlocked situation. If you delete one piece of personal data, you also lose the data that needs to be retained. Don't worry, there is a solution to this too. You should still keep the data passively stored, but it is imperative that it is not used by the controller, but also that you ensure its technical protection. When it is no longer necessary to keep the data, then be prepared to delete it.
Do you have experience of withdrawing consent to the processing of personal data? Are you unsure whether it is compliant with the GDPR to continue to retain this data? Contact us, we have specialists on our team who can advise you.