9

I have been reading a lot about user consent management according to the GDPR and one problem I can't see solved anywhere is managing withdrawn consent.

The user gives his consent to use his data and save personal information like his E-Mail address, IP address, ...

If the user withdraws his consent I would have to somehow store this decision in my database to make sure I always have proof of a prior consent and at which date the user has withdrawn his consent. But how do I keep track of a withdrawn consent if I can't save any personal information to identify this person anymore? Isn't this a contradiction? Always having the ability to prove everything but being forced to delete all saved data records?

Is there any part of the GDPR I am missing, that solves this specific problem?

jvecsei

3 Answers

7

This could be covered by point 1(c) of Article 6:

  1. Processing shall be lawful only if and to the extent that at least one of the following applies:

...

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

...

It might also fall under point 1(f):

...

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

It is difficult to know whether any particular processing of data falls under either of these points because of the lack of relevant court decisions.

The latter is particularly slippery, since whether any interest is "legitimate" is at least partly subjective, and whether any interest of the data processor overrides the data subject's interests, rights, or freedoms, is even more so.

I should also note that point 1(a) is the point that requires user consent, so the other points explicitly take the place of consent rather than being somehow required alongside consent:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

phoog
2

We've been struggling with a similar issue. For us, we will need to store the ID of the user, so we can delete them from backups if we need to restore them.

So delete the user's data (everywhere), keep a reference of the ID of the deleted user (or deleted data if you're not referencing via foreign keys in a database) for when any future restores happen so you can re-run those deletes.

That is, of course, specifically around the "Forget Me" feature (article 17), and not around restriction of processing, etc.

BenFreke
0

You don’t have to delete the records - just anonymize them.

Users are stored with an ID number. When user 45632 revokes consent simply delete all personal information (name, email, IP address etc) associated with them. You can keep user 45632 in the system because there is no personal data associated with them.

Dale M
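The two answers above combine into one procedure: null the personal columns but keep the bare ID and the consent timestamps, and keep a list of erased IDs so the deletes can be re-run after a backup restore. The following is an added example, not code from any of the posters; the table and column names, the separate ledger database and the sample user row are assumptions constructed for illustration.

```python
import sqlite3
PII = ("name", "email", "last_ip")  # assumed personal-data columns

def new_app_db():
    """App database holding one constructed sample user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT,"
               " last_ip TEXT, consent_given_at TEXT, consent_withdrawn_at TEXT)")
    db.execute("INSERT INTO users VALUES (45632, 'Alice Example',"
               " 'alice@example.org', '192.0.2.10', '2018-05-25T09:00:00Z', NULL)")
    db.commit()
    return db

def new_ledger_db():
    """Erasure ledger, stored apart from the app data so a restore cannot roll it back."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE erasures (user_id INTEGER PRIMARY KEY, erased_at TEXT NOT NULL)")
    return db

def copy_db(src):  # stand-in for taking or restoring a backup
    dst = sqlite3.connect(":memory:")
    src.backup(dst)
    return dst

def scrub(app, user_id, when):
    """Null the personal columns; keep the bare ID and both consent timestamps."""
    sets = ", ".join(c + " = NULL" for c in PII)
    has_pii = " OR ".join(c + " IS NOT NULL" for c in PII)
    cur = app.execute(f"UPDATE users SET {sets}, consent_withdrawn_at = ?"
                      f" WHERE id = ? AND ({has_pii})", (when, user_id))
    app.commit()
    return cur.rowcount  # 1 if personal data was actually removed, else 0

def withdraw_consent(app, ledger, user_id, when):
    """Record the erasure in the ledger first, then scrub the live row."""
    ledger.execute("INSERT OR IGNORE INTO erasures VALUES (?, ?)", (user_id, when))
    ledger.commit()
    return scrub(app, user_id, when)

def reapply_erasures(app, ledger):
    """Run after every restore: re-scrub any user the backup brought back."""
    rows = ledger.execute("SELECT user_id, erased_at FROM erasures").fetchall()
    return sum(scrub(app, uid, when) for uid, when in rows)

if __name__ == "__main__":
    app, ledger = new_app_db(), new_ledger_db()
    backup = copy_db(app)  # taken before the withdrawal
    withdraw_consent(app, ledger, 45632, "2018-06-01T12:00:00Z")
    print("re-scrubbed after restore:", reapply_erasures(copy_db(backup), ledger))
```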