-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Effects of revoking consent and keeping track of tracking #16
Comments
This depends heavily on legal obligations, so I'll stick to GDPR for my comment. If some data is collected and processed based on consent, and that consent has been withdrawn, that data must be deleted - this is an obligation. If that same data is being collected and processed for multiple purposes, and you only withdraw consent for one of those purposes (where the other purpose may have a separate consent or another legal basis such as a contract), the data doesn't have to be deleted, because it is still needed for those other purposes. Long story short, if that data is only being used based on consent, its deletion is an automatic obligation (in most cases). It is the 'data controller' which is responsible for doing this, rather than the processor. |
Sure - but for that, the data controller must be able to link the revocation of consent to the original granting of consent, e.g. through cookies. Does ADPC really ensure that this is the case? |
No, you're right that ADPC doesn't indicate which consent was revoked, and there are discussions in other issues about this. To add to that limitation, ADPC also doesn't indicate what data is utilised for the purpose, entities its being shared with, data transfers, etc. |
If the controller has some means to identify the data subject, such that it is collecting data and adding it to that existing pile of data identifiable to a data subject, then the obligation applies that it must delete that data. If there is no such identifiable means, and the controller is (truly) collecting anonymised data, then the withdrawal of consent will mean prevention of further collection and processing. In practicality, I suspect there is no truly anonymised data, or that when called anonymised, it will just be abuse of re-identifiable data. Signatu has a proposal for including a receipt ID or some token for referring to the consent. So this is the same argument as Issue #6. |
Yeah, such a token is what I had in mind. |
I’ll copy here what I just wrote in #6:
|
I wonder how revoking consent for (or objecting to) any kind of tracking could be implemented such that the data processor will/has to delete information it has so far collected ("pseudonymously").
Naively interpreted, a new request which misses a consent for e.g. "build a personalised ad profile" would just mean that this request may not be added to that "personalised ad profile". But how can a user request deletion of that personalised ad profile?
#13 could be useful here.
The text was updated successfully, but these errors were encountered: