GDPR Consent & Retention: How to Stay Fully Compliant

GDPR essentials

Consent & Article 13: prove it, say how long, and make it easy to withdraw

If you rely on consent, you must be able to demonstrate it and inform users about your retention period (or the criteria for it) up front.

[Infographics: EDPB table on the right to be informed; GDPR information requests; GDPR roles]

Why this matters

When consent is your lawful basis, your processing is only lawful if the consent is valid and you can prove it. You must also inform people how long you’ll keep their data (or the criteria you use to decide).

Tip: state a clear period such as 24 months for recruitment leads, with earlier deletion on withdrawal.

Legal anchors

  • EDPB Consent Guidelines: consent must be freely given, specific, informed, unambiguous, and demonstrable. See the official guidance (EDPB).
  • GDPR Article 13: tell the data subject the storage period or the criteria used to determine it (Article 13).
  • EU Commission explainer: validity, withdrawal, and burden of proof for consent (Commission).

Build these into your consent flow

  • Say the retention period (e.g., “We retain your data for 24 months unless you withdraw earlier”) or specify the criteria that determine it.
  • Log proof of consent with:
    • the exact consent text shown,
    • timestamp and method (e-form, checkbox, signature),
    • purposes disclosed (and any links to the privacy notice),
    • user identifiers and context (e.g., campaign/source).
  • Make withdrawal easy (link in every message; one-click where possible) and ensure downstream systems stop processing.
  • Keep notices aligned: if your retention criteria change, update the notice and your records.

Consent text — example

Adapt to your purposes and add your controller identity & contact details.

“I consent to the processing of my personal data for [purpose]. I understand this consent is voluntary and I may withdraw it at any time via [link/email]. We will retain your data for [X months/years] (or earlier upon withdrawal), after which it will be deleted or anonymised, unless a longer period is required by law. Learn more in our Privacy Notice.”

Store: consent text version, timestamp, method, user ID, purposes, retention period/criteria.
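
As an added example (not code from this post), a minimal consent ledger in Python that stores the fields listed under "Log proof of consent" and in the Store line above, computes the stated retention expiry, and lets downstream systems check whether processing for a purpose is still allowed after withdrawal or expiry. The field names, the ConsentLedger class and the add_months helper are assumptions of this example, not a prescribed schema.

```python
"""Consent ledger: proof of consent, retention expiry, and withdrawal (example code)."""
import calendar
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month arithmetic, clamping the day (31 Jan + 1 month -> 28/29 Feb)."""
    years, month0 = divmod(dt.month - 1 + months, 12)
    year, month = dt.year + years, month0 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


@dataclass
class ConsentRecord:
    """One proof-of-consent entry holding the fields the post says to log (assumed names)."""
    user_id: str
    text_version: str          # identifies the exact consent wording shown
    method: str                # e-form, checkbox, signature
    purposes: tuple            # purposes disclosed at collection time
    notice_url: str            # privacy notice linked from the form
    source: str                # campaign/source context
    retention_months: int      # stated period, e.g. 24 for recruitment leads
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def expires_at(self) -> datetime:
        return add_months(self.given_at, self.retention_months)

    def active(self, now: datetime) -> bool:
        # Withdrawal or expiry of the stated period both end the lawful basis.
        return now < self.expires_at() and (self.withdrawn_at is None or now < self.withdrawn_at)


class ConsentLedger:
    def __init__(self) -> None:
        self.records: Dict[str, List[ConsentRecord]] = {}

    def record(self, rec: ConsentRecord) -> None:
        self.records.setdefault(rec.user_id, []).append(rec)  # append-only: proof is never overwritten

    def withdraw(self, user_id: str, at: datetime) -> int:
        """Mark every active consent for the user as withdrawn; returns how many were ended."""
        hit = [r for r in self.records.get(user_id, []) if r.active(at)]
        for r in hit:
            r.withdrawn_at = at
        return len(hit)

    def may_process(self, user_id: str, purpose: str, now: datetime) -> bool:
        """Downstream systems call this before each use; False once withdrawn or expired."""
        return any(purpose in r.purposes and r.active(now) for r in self.records.get(user_id, []))

    def due_for_deletion(self, now: datetime) -> List[str]:
        """Users with no remaining active consent: delete or anonymise their data."""
        return [u for u, rs in self.records.items() if not any(r.active(now) for r in rs)]
```

Keeping `withdraw` separate from `may_process` is what makes "ensure downstream systems stop processing" checkable: every consumer asks the ledger rather than caching the answer.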
This post is informational and does not constitute legal advice. For complex scenarios (e.g., multiple purposes or mixed legal bases), consult counsel.
