OPINION

When withdrawal cannot be effectively exercised: rethinking consent validity under the GDPR

When withdrawal cannot be meaningfully carried out, the validity of consent itself comes into question, with implications for transparency and accountability.


Contributors:

Lucrezia Nicosia

Senior Data Protection Consultant

White Label Consultancy

Editor's note

The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains. 

This article is part of an ongoing series that will explore issues or recent developments in data, cybersecurity and artificial intelligence governance.

Two years ago, an employee consented to the use of her name and photograph in company marketing, including social media, the corporate website and printed brochures. The consent was freely given and clearly structured. She later withdrew it. Her data was removed from online channels within 24 hours, but thousands of printed brochures had already been distributed internationally. The employer stopped future use, but the materials already in circulation cannot realistically be retrieved, so her image remains in the public domain.

While much of the discussion on consent focuses on validity and withdrawal mechanisms, a more fundamental issue is often overlooked: whether consent can remain meaningful when withdrawal is structurally constrained by the nature of the processing itself.

Withdrawal as condition for valid consent

The EU General Data Protection Regulation treats consent as a package. Article 4(11) sets the core requirements: freely given, specific, informed, unambiguous. Article 7(3) adds the right to withdraw consent at any time. Withdrawal operates prospectively: the controller must stop processing unless another legal basis already applies. However, as clarified by the European Data Protection Board in Guidelines 05/2020 on consent, controllers cannot obtain consent while intending to switch to a different legal basis after withdrawal, as this would undermine the meaning of the individual's choice.

Easy withdrawal is a necessary element of valid consent. Arguably, this principle is not limited to providing a functional withdrawal channel, but also implies that the processing itself must be capable of being meaningfully stopped. This becomes problematic where the nature of the processing means that a substantial part of its effects will continue even after consent is withdrawn. In such cases, the validity of the consent itself may become questionable, as the individual's control over their personal data risks becoming, in the EDPB's words, "illusory."

Not all outputs are equally recoverable

Processing outputs exist on a spectrum of recoverability. Digital content on a controller's own channels can generally be removed, even if this might require time and effort. Once outputs are shared publicly, however, a degree of control is inevitably lost, as the controller cannot know or prevent how material will be further disseminated. 

Article 17(2) therefore requires controllers, where they must erase personal data following withdrawal of consent under Article 17(1)(b), to take "reasonable steps" to inform other controllers processing the data. This reflects a practical limit: personal data may continue to circulate beyond the controller's control, so the obligation is confined to what can realistically be done.

This is, however, different from situations, such as the brochure scenario mentioned earlier, where limited recoverability is not incidental but built into the processing design itself, making effective withdrawal impossible for a substantial part of the processing from the outset.

This raises the uncomfortable question of whether consent can be genuinely valid where the controller knew, from the design stage, that withdrawal would be largely ineffective. If the controller designed the processing, commissioned the print run, and approved the distribution plan, it was already aware that withdrawal could not be fully honored. Yet the data subject is still presented with a formal right to withdraw consent at any time, without being informed that this may have limited or no practical effect on a significant part of the processing already set in motion.

The regulatory gap controllers should not count on

There is, at present, no EDPB guidance or supervisory authority decision directly addressing this upstream question of validity. Controllers relying on consent for activities such as large-scale print campaigns are therefore not, as such, acting in breach of an explicit rule. However, this does not mean the issue is normatively open. Article 17(1)(b) presupposes that withdrawal has real operational consequences for the processing at issue, not merely a prospective effect on future uses. 

Where this assumption does not hold, because a substantial part of the processing cannot realistically be stopped, the withdrawal right risks losing its practical meaning. In functional terms, this creates tension with the requirement that consent be a genuine expression of control, rather than a purely formal entitlement. 

There is also a transparency dimension that reinforces this. The informed consent requirements in Articles 7 and 13 mean the data subject must understand what they are agreeing to. If they are not told that withdrawal will be effective for future digital use but will have no practical impact on physical materials already in circulation, they are not fully informed, and the controller's accountability posture under Article 5(2) is weaker for it.

Upstream design choices and downstream obligations

For privacy professionals advising controllers, the implications run in two directions. 

At the design stage, the first question before using consent for any processing that produces physical or widely distributed outputs should be: can we actually honor withdrawal for this output? If the honest answer is no, or only in a limited manner, consent may not be the right legal basis.

Legitimate interest under Article 6(1)(f), for all its complexity, at least does not promise something the controller cannot deliver. The right to object under Article 21 is qualified, not absolute, and is assessed against the controller's compelling grounds. Controllers who choose legitimate interest for printed marketing materials and conduct a proper balancing assessment are, in some respects, being more transparent with data subjects about the actual dynamics of the relationship than those who collect consent they cannot fully honor.

However, where consent is genuinely the right basis and the controller is committed to using it, the consent form and accompanying information should be transparent about what withdrawal can and cannot achieve for different types of output. An employee consenting to appear in printed brochures should be told, clearly and before signing, that withdrawal will stop future use but cannot remove copies already in circulation. 

Transparency does not resolve the structural problem: it does not make irrecoverable processing recoverable, but it at least respects the informed consent requirement and will affect how a supervisory authority views the controller's accountability posture if a withdrawal request later arrives.

When withdrawal does arrive and exposes these limits, the controller's obligations are: act immediately on everything within its control; document what falls outside its control and why; and properly inform the data subject of the limits of what can be executed and the reasons for them.

Conclusion

The GDPR's consent framework is built on the assumption that individuals retain genuine control over their personal data. For that assumption to hold, withdrawal cannot be merely formal. Controllers must consider not only whether withdrawal is easy to request, but whether it can meaningfully be realized in practice. In many contexts, that assessment will influence the choice of legal basis. In all contexts, it affects the integrity of the information provided to individuals at the moment consent is obtained. 

The relevant question is not only what happens when a withdrawal request arrives, but also what was decided long before that moment, when the processing was being designed.

 
