Providing mechanism to modify or withdraw consent

If our organization processes personal data based on the consent of the data subject, we must ensure that the conditions for consent are met. The conditions for lawful consent are:

• The controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data
• The request for consent must be clearly separated from other matters in an easily comprehensible form
• The data subject may withdraw her consent at any time and has been instructed to do so before giving her consent
• Withdrawal of consent must be as easy as giving it

The Data Protection Officer may be responsible for assessing the conditions of consent. It is also important to consider, whether consent is generally appropriate as a legal basis for the corresponding processing.

When personal data is processed on the basis of the data subject's consent, the organization should provide data subjects with a clear process for editing or withdrawing their consent. Editing may also mean limiting the processing of personal data, which may affect the controller's right to delete the data in question.

The process should include recording requests for editing in a way similar to recording consent. Changes to consent must be communicated to all relevant data systems, authorized users and third parties. The process should also define the response time in which the requests should be processed.

N.b.! Different jurisdictions may have restrictions on how and when the data subject can modify their consent.