Individuals have the Right to object to data processing based on legitimate interest or direct marketing. The ICO says the Agency (Data Controller) must stop processing the data unless they can “demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual.”
…Individuals can withdraw consent at any time”
For these circumstances, Adapt has a workflow called Record Objection/Consent Withdrawal which allow users to record objections or withdraw consent, and what their outcome is.
Use the Record Objection/Consent Withdrawal workflow from the GDPR shortcut icon or Compliance page on a person record:
- Record the date of the objection
- Record the GDPR Rights Expressed, whether Objection or Consent Withdrawal
- Record the reason the Individual objects or has withdrawn consent
- Record the Agency’s decision on what to do
The user then chooses whether to continue, or stop processing the individual’s data based on this decision:
1.Continue processing?- This will create 2 journal records, one showing the Individual objection and reason and the other the Agency decision to continue processing.
2.Stop Processing? – A message will be displayed to the user "Do you want to delete this record?". Choose ‘Yes’ or ‘No’.
If the user selects Yes:
- The record will be added to the queue for deletion. The record will then follow the process to Remove from Database (see the Right to Erasure section).
- The record will be set to RESTRICTED mode.
- The consent flag will be set to ‘No’ and the ‘Consent Expired’ field updated with the date selected.
- 2 records will be created in the journal, one showing the Individual request for data processing to be stopped and the other the agency decision to stop processing the data.
If the user selects No:
- The workflow will close, and the Agency will continue to process the data.
- 2 records will be created in the journal, one showing the Individual objection and reason and the other the agency decision to continue processing.
- If the GDPR Right Expressed was Objection, a high priority task is created to "Follow up objection to data processing" with a start date of today and a reminder date for a week later. Task notes will state "This person objected to data processing, is deletion of this record required?"
- If the GDPR Right Expressed was Consent Withdrawal, a high priority task is created to "Follow up consent withdrawal for data processing" with a start date of today and a reminder date for one week later. Task notes will state "This person withdrew consent to data processing, is deletion of this record required?"