Rights to withdraw consent, object and lodge a complaint with a supervisory authority under the GDPR and D-DPA
As regular readers of this newsletter know, we aim to provide a practical overview of the most relevant changes resulting from the General Data Protection Regulation (GDPR) and the new Swiss Draft Data Protection Act (D-DPA), a draft revision of which is still subject to debate, and which is expected to partly enter into force later this year.
In our previous article, we discussed the rights to rectification, erasure and restriction. This article focuses on data subjects’ rights to withdraw consent, object and lodge a complaint with a supervisory authority.
Right to withdraw consent under the GDPR and D-DPA
As explained previously, the GDPR has specific requirements regarding consent and the way in which it must be given. In addition, the GDPR requires that – before giving consent – data subjects must be informed that they may withdraw their consent at any time.
Under the GDPR, it must be as easy to withdraw consent as it is to give consent. For instance, if a data subject gives their consent to the processing of their personal data by ticking a box on a website, it shall be just as easy to withdraw consent through the same website.
If consent is withdrawn – and the controller/processor cannot rely on any other legal basis to process the data – the processing must stop. However, the withdrawal does not affect the lawfulness of past processing that was carried out with consent.
The DPA does not cover consent withdrawal. There is, in particular, no obligation to inform data subjects that their consent may be revoked. That being said, it is generally accepted that data subjects may revoke their consent at any time.
In addition, as under the GDPR, withdrawal would not affect the lawfulness of past processing.
Right to object under the GDPR and D-DPA
Under the GDPR, data subjects may object when the processing of their data is:
- Done for direct marketing purposes, which means marketing that directly targets the individual, for instance by using e-mail, postal services or telephone.
- Based on the legitimate interests of the data controller or a third party.
- Based on the performance of a task in the public interest or in the exercise of official authority.
- Made for the purpose of scientific/historical research, or statistical purposes.
The right to object to direct marketing activities is absolute. The controller and processor cannot challenge the data subject’s objection and have to stop the processing immediately.
The right to object to the other types of processing is not absolute. In the case of processing based on legitimate interests or the performance of a public interest task/exercise of official authority, the processing may continue if the controller has legitimate grounds for the processing that override the interests, rights and freedoms of data subjects, or if the processing is necessary for the establishment, exercise or defence of legal claims.
In the case of processing for research or statistical purposes, the processing may continue if it is necessary for the performance of a task carried out in the public interest.
The D-DPA does not explicitly provide for a right to object. However, the DPA states that there is a privacy breach in cases where data is processed against the data subject’s explicit will. Therefore, there is a privacy breach every time data is processed if the data subject has expressly objected to the processing. Such privacy breaches are unlawful, unless they are justified by an overriding private or public interest, or by law.
Right to lodge a complaint with a supervisory authority under the GDPR and D-DPA
The GDPR says that data subjects can lodge a complaint with a supervisory authority if they believe that the processing of their data infringes the GDPR.
The complaint must be lodged with the supervisory authority of the EU member state where the data subject has their habitual residence or place of work, or of the member state where the alleged infringement occurred.
In the event that a supervisory authority does not inform a data subject about the progress or outcome of their complaint within three months, or partially or wholly rejects or dismisses the complaint, the data subject shall have the right to an effective judicial remedy.
The same right to lodge a complaint with the Swiss supervisory authority (the Federal commissioner) exists under the D-DPA. However, the Federal commissioner may abstain from opening an enquiry if an infringement is not significant.
Comply with the highest standards
The safest approach for controllers is to comply with the highest standards of both the GDPR and the D-DPA.
Therefore, organisations should:
- Set up internal procedures and protocols for handling consent withdrawals and objections from data subjects, which comply with both the GDPR and the D-DPA. Such protocols should also include procedures for verifying a data subject’s identity.
- Ensure that – every time processing is based on consent – data subjects can withdraw their consent as easily as they gave it.
As the GDPR will be applicable next May 25, it is time to actively prepare for it.
To help you in this compliance exercise, we will delve deeper into each of the essential GDPR topics in a series of articles that we will publish over the next weeks.
Joanne Zaaijer, Attorney at law, Associate
Joanne Zaaijer, attorney at law, is an associate in our Rotterdam office. She focusses on data protection and privacy law, telecommunications, life sciences, advertising and e-commerce. T: +31 (0)10 224 6164, M: +31 6 53 57 74 21, E: Joanne.Zaaijer@loyensloeff.com