Cemre Apaydın
Atorney at Law
Withdrawal Of Consent
1. Introduction
One of the most important elements in the Protection of Personal Data is explicit consent. The concept of explicit consent is defined in personal data protection legislation and is defined in the European Data Protection Regulation1 ("GDPR") as follows:
"consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"2
Personal Data Protection Law3 in Turkey ("KVKK") under Article 3 defines explicit consent is defined as follows:
"Explicit Consent: Freely given specific and informed consent"
The elements of consent are similar in both laws. One of the factors required for explicit consent is the withdrawal of consent, one of the conditions of validity. To be able to talk about the validity of an explicit consent, it is important to be withdrawn in the same way. The withdrawal of explicit consent is not regulated in KVKK, but it has a wide range of applications in GDPR. Under GDPR article 7, withdrawal of explicit consent is regulated.
In the WP294 opinions of the provisions and recitals in the GDPR, this means coding this situation according to the current interpretation.5 In accordance with the explicit consent guide published by European Data Protection Board ("EDBP")6, comments were brought on the basis that the open consent issued with GDPR has harsh sanctions by the EU7.
The Controller should allow the given consent to be withdrawn. The most important point here is that data subject concerned can withdraw her/his consent at any time and in the same way as the ease of consent she/he gives. It is important that the controller provides this convenience. So much so that the person concerned must be withdrawing her/his consent, in the same way as she/he has given approval. A system providing all of them must have been installed by the controller.
Another important point is that the data subject should be able to withdraw without detriment. The explicit consent and withdrawal by the controller should not turn into an imposition. For example; If the data subject has given explicit consent to process the location information to use a photo mobile application, but later fails to take advantage of the features of the photo application when she/he wishes to withdraw this consent, it will not be possible to mention a proper explicit consent and the possibility of withdrawing explicit consent. If the data subject gives consent by pressing only one button while using the application, she/he should be able to withdraw her/his consent by pressing a single button. The controller should not make it difficult for the data subject concerned to withdraw her/his consent.
Likewise, if the data subject gives explicit consent regarding the processing of data for the service she / he will receive, if it is not subject to any time limitation, it should not be kept while taking his consent. In accordance with the example given in the guide published by the EDPB8 a company selling tickets online for the music festival is available 24/7, and data is processed with 24/7 online clicks. However, it is stated that the subject data can only obtain the explicit consent has given during business hours during the week and only by calling the box office. Here, a clearly unlawful practice can be seen. How, when and in what way the controller takes explicit consent should be withdrawn. Otherwise, it will not be possible to speak of a proper consent.
It is also important to look at the withdrawal methods to talk about the validity of explicit consent. Because if the withdrawal of consent as in the examples puts data subject in trouble, then the validity of the consent at first cannot be mentioned. In the information element for consent in the GDPR definitions, the controller should first explain the right to withdraw to the data subject when clarification of personal data. Hereby, GDPR and EDPB both aim to maintain transparency.
The GDPR guidance on consent withdrawn by the Information Commissioner's Office ("ICO")9 and the legal basis for the transaction were examined. The controller should be clear and plain while obtaining consent from the data subject concerned, should state that withdraw the consent, use a clear language, if the data subject receives the consent electronically or on digital platform, ensure that the boxes do not appear marked, should provide opt-out option in the e-mails, the immediate destruction of the data of the data subject who withdraws consent and the data subject concerned who finally withdraw their consent should not be punished by the controller.10
The consent of the data subject concerned should be a positive action. The fact that the data subject is silent, continues with the pre-checked box or stays still indicates that there is no consent. For this reason, there will be no withdrawal of a consent here.
The aim of the GDPR and related legislation is to give explicit consent through the will of the data subject and by a real illumination by the controller. The data subject concerned should always be able to withdraw explicit consent without any sanction and in the same way that given consent.
For the validity of an explicit consent, apart from the elements in the legislation, it is necessary to check whether the consent is permitted to be withdrawn as mentioned above. Otherwise, it is not possible to talk about a lawful explicit consent. It is important to be reminded that it is not possible to mention the withdrawal of an explicit consent in these matters, since there is no explicit consent for personal data that can be processed by law. In cases where only explicit consent is required, the institution of withdrawing explicit consent will come into play.
Footnotes
1. EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
2. GDPR article 4/11 def. Of consent
3. Law on the Protection of Personal Data No. 6698 dated 24/03/2016
4. Working Party, the old name of EDBP
5. EDPB Guidelines 05/2020 on consent under Regulation 2016/679 Version 1.0 Adopted on 4 May 2020
6. On 25 May 2018, the EDPB replaced the Article 29 Working Party.
7. European Union
8. EDPB Guidelines on consent parag. 115
9. The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.