When GDPR Consent Withdrawal Doesn’t Work: The Design Problem to Be Fixed


Two years ago, an employee agreed to let her employer use her name and photograph in company marketing — social media, the corporate website, printed brochures. The consent was properly structured. She later changed her mind and withdrew it. Her image disappeared from every digital channel within 24 hours. But thousands of printed brochures had already been shipped internationally. The employer stopped all future use, but the materials already in circulation can’t realistically be recalled. Her photograph remains in the public domain, indefinitely, despite a formally valid withdrawal request. This scenario isn’t a compliance failure in the traditional sense. No rule was obviously broken. But it exposes something that most GDPR consent discussions quietly sidestep: what happens when withdrawal — the right the entire consent framework is built around — can’t actually be carried out?

The GDPR’s Consent Bargain

The GDPR treats consent as a package deal. Article 4(11) sets the foundational requirements: freely given, specific, informed, unambiguous. Article 7(3) completes the picture by giving individuals the right to withdraw at any time. Withdrawal operates prospectively — once exercised, the controller must stop processing unless another legal basis already applies. The European Data Protection Board made clear in its Guidelines 05/2020 on consent that controllers cannot collect consent while quietly planning to switch to a different legal basis after withdrawal. That kind of maneuvering, the EDPB said, would make the individual’s choice “illusory.” Easy withdrawal isn’t just a procedural nicety — it’s a condition of valid consent. But most interpretations stop there, at the mechanics of the withdrawal channel itself. The deeper question is whether the processing was ever designed to allow withdrawal to mean anything.

When Withdrawal Is Structurally Impossible

Not all processing outputs are equally recoverable, and the GDPR quietly acknowledges this. Article 17(2) requires controllers, when they must erase personal data following a withdrawal, to take “reasonable steps” to inform other controllers who may be processing that data. The qualifier is deliberate: the law recognizes that personal data can circulate beyond a controller’s reach, and it confines the obligation to what can realistically be done. That’s a sensible accommodation for incidental loss of control — data that spreads in ways the controller didn’t anticipate or design. But the brochure scenario is categorically different. The limited recoverability isn’t incidental. It’s built into the design of the processing itself. The controller commissioned the print run. The controller approved the distribution plan. The controller knew, before a single brochure left the warehouse, that withdrawal of consent for those materials would be largely meaningless in practice. And yet the employee was presented with a formal right to withdraw at any time — without being told that this right would have no practical effect on the materials already in motion. That gap is where consent starts to become something other than genuine control.

The Validity Question No One Is Asking

Here is the uncomfortable question that follows: if a controller designs processing knowing that withdrawal cannot meaningfully be honored, can the consent collected for that processing be genuinely valid? Article 7(3) doesn’t just require a withdrawal mechanism to exist. It requires that withdrawal be as easy as giving consent — which implies that the act of withdrawal must be capable of producing real consequences for the processing. Where it cannot, the right to withdraw risks becoming, in the EDPB’s own language, “illusory.” There is currently no EDPB guidance or supervisory authority decision that directly addresses this upstream validity question. Controllers running large-scale print campaigns on a consent basis are not, as things stand, in breach of an explicit rule. But the absence of guidance does not mean the issue is normatively settled. It means it hasn’t been tested yet. When it is tested — and these questions tend to surface through complaints and enforcement decisions rather than proactive guidance — controllers who relied on the regulatory gap will find it was never the protection they assumed.

The Transparency Problem That Compounds Everything

Layered on top of the validity question is a transparency failure that controllers can address right now, regardless of how the validity debate resolves. Articles 7 and 13 require that consent be informed. The data subject must understand what they are agreeing to. If an employee consenting to appear in printed marketing materials is not told that withdrawal will stop future digital use but will have no practical impact on physical copies already in circulation, they are not fully informed. Full stop. The controller’s accountability posture under Article 5(2) — the accountability principle — weakens significantly when the information provided at the point of consent didn’t reflect the actual dynamics of what was being agreed to. Supervisory authorities reviewing a withdrawal complaint will look not just at what the controller did after withdrawal, but at what the individual was told before consent was given.

A Better Legal Basis for Irrecoverable Processing

For privacy professionals advising controllers, the practical implication runs earlier in the process than most compliance programs reach: at the design stage, before consent is collected. The first question for any processing that produces physical or widely distributed outputs should be straightforward: can we actually honor withdrawal for this output? Not in theory — in practice, given the volumes, timelines, and distribution channels involved. If the honest answer is no, or only partially, consent may not be the right legal basis. Legitimate interest under Article 6(1)(f) is worth reconsidering in these contexts. It carries its own complexity — a genuine balancing assessment is required, and the right to object under Article 21 applies. But legitimate interest doesn’t promise something the controller cannot deliver. The right to object is qualified, not absolute. Controllers who use legitimate interest for printed marketing materials and conduct a proper balancing assessment are, in some respects, being more transparent with data subjects about the actual dynamics of the relationship than those who collect consent they know they cannot fully honor. That reframing is uncomfortable for many compliance teams, because consent feels safer and cleaner. But consent that cannot be meaningfully withdrawn is not a clean legal basis — it’s a deferred liability.

When Consent Is Still the Right Basis

There are contexts where consent remains appropriate even for processing with limited recoverability — but they require more from the consent form than most controllers currently provide. Where consent is genuinely the right basis and the controller is committed to using it, the information provided at the point of consent must be transparent about what withdrawal can and cannot achieve for different types of output. An employee consenting to appear in printed brochures should be told, clearly and before signing, that withdrawal will stop all future use but cannot remove copies already in distribution. Transparency doesn’t solve the structural problem — it doesn’t make irrecoverable processing recoverable. But it satisfies the informed consent requirement and, critically, it changes how a supervisory authority will view the controller’s accountability posture if a withdrawal complaint later arrives. The difference between a controller who disclosed the limits upfront and one who didn’t is significant in any enforcement assessment.

When Withdrawal Arrives and Exposes the Limits

When a withdrawal request arrives for processing of this kind, the controller’s obligations are clear even if the outcomes are constrained:

  • Act immediately on everything within the controller’s control — digital channels, internal databases, future use
  • Document what falls outside the controller’s control, specifically and with reasons
  • Inform the data subject transparently about the limits of what can be executed and why

What controllers cannot do is treat the irrecoverable portion as simply outside the scope of their obligations. The fact that physical materials cannot be recalled doesn’t mean the controller has no duty to account for them — it means the accounting looks different, and the data subject deserves an honest explanation of what their withdrawal accomplished and what it could not.

The Design Question That Comes Before Everything Else

The GDPR’s consent framework rests on a foundational assumption: that individuals retain genuine control over their personal data when they consent to its use. For that assumption to hold, withdrawal cannot be merely formal. It must be capable of producing real operational consequences for the processing at issue. Where the design of the processing makes that impossible — not incidentally, but structurally — controllers face a question that no withdrawal mechanism can resolve after the fact. The question had to be answered at the design stage, before the print run was commissioned, before the consent form was drafted. The most important compliance decision in these scenarios isn’t what to do when the withdrawal request arrives. It’s what was decided long before that moment, when the processing was being designed and the choice of legal basis was still open. Consent that cannot be meaningfully withdrawn is not consent in any sense the GDPR recognizes. The sooner controllers build that principle into upstream design decisions, the less exposed they will be when the regulatory guidance catches up.  
