GDPR & ePrivacy titbits series: Consent (part 2)

In the last post I mentioned that within any registration forms you should separate the request for consent related to processing of data from the request for consent relating to direct marketing. Here’s why…


Basically the regulation states that the data subject has every right to withdraw their consent at any point in time and that this needs to be achieved in an easy manner and at no extra cost. This applies both for consent to process as well as for consent to send direct marketing material.


Let’s make this more real with a simple example. Let’s imagine that I sign up to a food delivery website (which I’ll be referring to as FDW for simplicity’s sake) and I create a profile with my name, surname and address; those details are required for me to be able to receive my food delivery when I order through the website. The website might also be sending me promotional emails to entice me to order food for delivery more often from restaurants affiliated with it, to increase its business.


Let’s say I no longer want FDW to process my data. To achieve that, as a consumer I must be ready to give up their service, as without my details FDW would not know who ordered the food and, more importantly, where to deliver it. The withdrawal of consent for processing is easy: give the user an option to delete, cancel or de-activate their account and ensure that the data is not used any more.



If the user deletes or de-activates their account, trigger the right to be forgotten procedures as part and parcel of the de-activation. Want to know why? Look out for the next post.


However, let’s say that I’m happy with the service but my inbox is constantly flooded with promotional material and I want to withdraw consent only in relation to direct marketing. In that case I should be able to log in to my profile and uncheck the ‘I consent to receiving promotional material’ checkbox.


Should the two requests for consent be one and the same, the withdrawal of consent could become tricky. First and foremost, it also presents its own compliance issues, as marketing is probably not exactly required for the provision of the service itself; and as a data controller/processor you need to make sure that you’re not denying anyone service for not accepting terms which are not required for the provision of the service itself. Secondly, it could drive away customers. The option to opt out of receiving promotional emails whilst still availing of the service is appreciated by the customer, who is more likely to remain loyal.


What about important notices then? Let’s say as a business owner I want to announce a change in terms and conditions or any other notice relevant to the service or product I provide. How do I communicate this to those who have not provided consent?


Easy: there are various ways, such as notifications and banners on your website, or simply go right ahead and send them an email. Yes, you can, as long as that information is pertinent to the service you offer and is not considered marketing.


In any case, all consent and every withdrawal of it needs to be audited and kept track of. All it takes is one disgruntled customer or an unethical competitor to trigger an investigation into your business, and we all need to be prepared to prove that we are GDPR and ePrivacy compliant. It is really easy to lodge a complaint here in Malta: you simply navigate to the IDPC website and, lo and behold, you can lodge a complaint anonymously. No, you’re not dreaming: the name, surname and other personal details are not mandatory fields to be able to lodge the complaint.
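The points above (separate consent for service processing and for direct marketing, withdrawal of either one independently, service notices still allowed after a marketing opt-out, and an auditable trail of every grant and withdrawal) can be captured in a small consent register. The following is an added illustration written for this post, not code from FDW or any real site; the purpose names, event sources and the subject id `alice` are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Two separate purposes (constructed names): consent for each is recorded
# and withdrawn independently, mirroring the two separate checkboxes.
PURPOSE_SERVICE = "service_processing"   # name, surname, address needed to deliver
PURPOSE_MARKETING = "direct_marketing"   # promotional e-mails, optional


@dataclass
class ConsentEvent:
    """One entry in the audit trail: who, which purpose, granted or withdrawn, when, how."""
    subject_id: str
    purpose: str
    granted: bool
    at: datetime
    source: str  # constructed labels such as "signup_form" or "profile_page"


@dataclass
class ConsentRegister:
    # Current state per (subject, purpose); absent means no consent was ever given.
    state: Dict[Tuple[str, str], bool] = field(default_factory=dict)
    # Append-only audit trail of every grant and withdrawal, never rewritten.
    audit: List[ConsentEvent] = field(default_factory=list)

    def _record(self, subject_id: str, purpose: str, granted: bool, source: str) -> ConsentEvent:
        event = ConsentEvent(subject_id, purpose, granted, datetime.now(timezone.utc), source)
        self.audit.append(event)
        self.state[(subject_id, purpose)] = granted
        return event

    def grant(self, subject_id: str, purpose: str, source: str) -> ConsentEvent:
        return self._record(subject_id, purpose, True, source)

    def withdraw(self, subject_id: str, purpose: str, source: str) -> ConsentEvent:
        return self._record(subject_id, purpose, False, source)

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        return self.state.get((subject_id, purpose), False)

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything the register can show an investigator about one data subject."""
        return [e for e in self.audit if e.subject_id == subject_id]


def signup(register: ConsentRegister, subject_id: str, marketing_opt_in: bool) -> None:
    # Service consent is a precondition for delivery; marketing is a separate,
    # optional box that must not be bundled with it.
    register.grant(subject_id, PURPOSE_SERVICE, "signup_form")
    if marketing_opt_in:
        register.grant(subject_id, PURPOSE_MARKETING, "signup_form")


def may_send(register: ConsentRegister, subject_id: str, kind: str) -> bool:
    """kind is 'promotion' (marketing) or a service notice such as 'terms_change'."""
    if kind == "promotion":
        return register.has_consent(subject_id, PURPOSE_MARKETING)
    # Service-related notices only need the service consent to still be in place.
    return register.has_consent(subject_id, PURPOSE_SERVICE)


def deactivate_account(register: ConsentRegister, subject_id: str) -> None:
    # Withdrawing consent to process ends marketing too, and is the point where
    # the erasure (right to be forgotten) procedure would be triggered downstream.
    register.withdraw(subject_id, PURPOSE_SERVICE, "account_deactivation")
    if register.has_consent(subject_id, PURPOSE_MARKETING):
        register.withdraw(subject_id, PURPOSE_MARKETING, "account_deactivation")


if __name__ == "__main__":
    reg = ConsentRegister()
    signup(reg, "alice", marketing_opt_in=True)
    reg.withdraw("alice", PURPOSE_MARKETING, "profile_page")  # unticks the marketing box
    print("promotion allowed:", may_send(reg, "alice", "promotion"))      # False
    print("terms notice allowed:", may_send(reg, "alice", "terms_change"))  # True
    for e in reg.history("alice"):
        print(e.at.isoformat(), e.purpose, "granted" if e.granted else "withdrawn", e.source)
```

Two design choices worth noting: the marketing box defaults to unticked, so marketing consent only exists if the user actively granted it, and the audit list is append-only, so `history()` can reproduce when and through which form each consent was given or withdrawn. Whether the consent log itself is retained after an account is erased is a decision to make with your own legal advisers; the example simply keeps it.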


Complaint form on Malta’s IDPC website.


And on this note I’ll close this post, hoping that you have realised that the great power the data subject has been given, and the great 20 million plus threat that our businesses are facing, are not something to be taken lightly.


If you want to be notified when new posts come out, drop us a note via the contact us section of the website and we’ll add you to our mailing list.