GDPR consent withdrawal – what it means in practice
Consent is a legal basis under the General Data Protection Regulation (GDPR). Unlike several other bases, however, it can be fully withdrawn by the data subject. This means the data subject may withdraw consent at any time, without giving reasons, and the controller must then cease the processing in question. For controllers, this entails both technical and organisational requirements to manage consent correctly throughout its lifecycle.
Properly managed consent is more than logging a tick in a box. It requires a structured and traceable process that follows the entire consent lifecycle – from collection and storage to any change and withdrawal. Processing must be capable of stopping immediately when consent is withdrawn, whether the processing concerns internal use of the data or sharing with third parties. To meet the principle of lawfulness, the controller must always be able to demonstrate what the data subject consented to – that is, the exact text and information presented at the time, as proof of consent.
Under Article 7(3) GDPR, it must be as easy to withdraw consent as it is to give it. This means the same channels, interfaces or processes used for consent collection – for example, a website, app or customer service – should also be available for consent revocation. Withdrawal must not result in any detriment to the data subject, such as restricted access to a service that does not depend on the processing in question. Organisations must not try to persuade data subjects to retain their consent through hard-to-navigate settings or misleading language.
To comply with the requirements for valid consent, organisations must inform data subjects of the right to withdraw consent when consent is captured and must maintain clear procedures for receiving and executing withdrawals. The privacy notice or consent text should state clearly how withdrawal can be exercised and what the consequences may be for the data subject, for example if certain functionality will cease.
GDPR consent withdrawal in systems and procedures
Withdrawing consent involves more than unticking a box in one of many systems. It requires a complete halt to all processing based on the relevant consent, wherever that processing occurs in the organisation’s systems and processes. This also includes restricting any access that third parties have to the data on the basis of the now-withdrawn consent and may include deleting data if there are no other purposes for which the data are processed.
In practice, this creates a series of technical and organisational challenges. Processing must be mapped, documented and stopped without delay. The organisation therefore needs internal processes that:
- Identify and isolate all systems where processing based on consent takes place.
- Stop any downstream processing and any sharing with external parties.
- Ensure withdrawal takes effect without delay, including in cases that would otherwise require extensive manual intervention.
To make this work, organisations need deliberate and structured handling – both technical and organisational – so that withdrawal has a clear, effective impact in practice. The process should be integrated into the organisation’s data protection framework, from system architecture to staff training, to prevent any processing from continuing by mistake after consent has been withdrawn. If challenged, the controller should be ready to show how consent can be withdrawn in a GDPR-compliant way and how to prove that consent was originally obtained.
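As an added illustration (not code from the original article or from Morling Consulting), a minimal consent register in Python that implements the lifecycle described above: it stores the exact consent text shown at collection as proof of consent, removes the legal basis the moment a withdrawal is recorded, and fans the withdrawal out to every registered internal system and third-party share so nothing keeps running by mistake. The purposes, system names and stop callbacks are assumed placeholders.

```python
import hashlib
from datetime import datetime, timezone

class ConsentRegister:
    """Append-only consent ledger for one controller (illustrative design,
    not a real product): proof of consent, withdrawal propagation, and a
    single 'is there still a basis to process?' check for every system."""

    def __init__(self):
        self.events = []        # full audit trail of given / withdrawn events
        self.processors = {}    # purpose -> [(system name, stop callback)]
        self.active = {}        # (subject, purpose) -> current consent event

    def register_processor(self, purpose, name, stop_callback):
        # Every internal system AND every third-party share that relies on
        # this purpose must be registered, or withdrawal cannot reach it.
        self.processors.setdefault(purpose, []).append((name, stop_callback))

    def record_consent(self, subject, purpose, consent_text):
        event = {"type": "given", "subject": subject, "purpose": purpose,
                 "text": consent_text,  # exact wording presented, kept verbatim
                 "text_sha256": hashlib.sha256(consent_text.encode("utf-8")).hexdigest(),
                 "at": datetime.now(timezone.utc).isoformat()}
        self.events.append(event)
        self.active[(subject, purpose)] = event
        return event

    def withdraw(self, subject, purpose):
        # Drop the legal basis first so may_process() flips immediately,
        # then stop every registered downstream system and external share.
        if self.active.pop((subject, purpose), None) is None:
            return []                       # nothing to withdraw
        stopped = []
        for name, stop in self.processors.get(purpose, []):
            stop(subject)
            stopped.append(name)
        self.events.append({"type": "withdrawn", "subject": subject, "purpose": purpose,
                            "stopped": stopped, "at": datetime.now(timezone.utc).isoformat()})
        return stopped

    def may_process(self, subject, purpose):
        # Each system calls this before acting; False as soon as withdrawal is recorded
        return (subject, purpose) in self.active

    def proof_of_consent(self, subject, purpose):
        # What the subject actually agreed to, retained even after withdrawal
        given = [e for e in self.events if e["type"] == "given"
                 and (e["subject"], e["purpose"]) == (subject, purpose)]
        return given[-1] if given else None
```

The register only works if every processing point, including exports to third parties, is registered against its purpose; an unregistered mailing system is exactly the "isolated systems" failure described later in this article.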
Common errors in consent withdrawal – real GDPR scenarios
In practice, consent withdrawal processes often fail due to fragmented systems or unclear accountability. Here are common scenarios – each showing how poor coordination can result in personal data continuing to be processed despite withdrawal.
- Isolated systems: An e-commerce platform allows users to withdraw consent via their account, yet newsletters still go out. Email lists are managed in a separate system with no integration to the platform.
- No traceability of data: The withdrawal is recorded correctly, but personal data remain in other parts of the organisation’s systems. There are no routines to identify where the data reside or how they should be handled.
- Manual handling creates bottlenecks: Withdrawals must be received via customer service and processed manually. This causes delays and, in the worst case, continued processing despite withdrawal.
- Hard-to-find withdrawal function: Information on how to withdraw consent is hidden or written in a way that is not understandable to the user. This breaches Article 7(3) GDPR requirements.
A form for consent revocation is not enough – there must be a process that works in practice. Consent management must be structured, coordinated and technically embedded across the organisation. Otherwise, withdrawal risks becoming a paper exercise with no real effect – leaving the organisation without a legal basis for continued processing, which is a direct breach of GDPR consent requirements.
Risks of inadequate consent management routines
If consent cannot be withdrawn easily, or if processing continues after consent has been withdrawn, the organisation risks breaching GDPR. This can lead to administrative fines, claims for compensation, or loss of trust from data subjects, customers or members.
Implementing robust routines for managing consent is not only a compliance issue but a prerequisite for trust. It creates transparency for data subjects and demonstrates that the organisation takes personal data processing seriously. It also reduces the risk of error and improves readiness to act quickly in audits or complaints. Strong governance over consent collection and proof of consent is central to compliance.
At Morling Consulting, our GDPR lawyers help organisations ensure correct management of consent – from collection to withdrawal. We work closely with clients to build routines that stand up legally, technically and operationally – throughout the consent lifecycle.