Validity period of consent

Regulatory acts merely provide that personal data collected based on consent may be stored until the data subject withdraws consent as mentioned in Article 7(3) of GDPR, and only for as long as the purpose for which consent was originally requested remains relevant, in accordance with Article 5(b). Consequently, the controller must determine the period during which the consent will remain relevant and when the associated processing purpose will be fulfilled. 

Firstly, personal data must not be stored longer than is necessary to achieve the purpose for which it was collected based on principle of purpose limitation. Certain purposes, such as the distribution of newsletters, may have an ongoing character. In such cases, consent may be retained for an indefinite period, provided that the controller does periodic reviews at a set interval. For example, a company that sends quarterly product updates may retain a customer’s consent on a long-term basis but still should periodically (for example, every 12 - 18 months) request confirmation that the customer still wishes to receive such communications. 

Such approach was provided by the Latvian Data State Inspectorate as recommendation which aligns with best practices for consent management under GDPR. The Latvian Data State Inspectorate emphasizes that consent should not be treated as indefinite, even if initially given for a long-term purpose. Thus, periodic reconfirmation – such as every 12 to 18 months – helps ensure that i) consent remains valid and informed, as customers may change preferences over time, ii) transparency and trust are maintained, as regular checks demonstrate respect for user autonomy, as well as iii) compliance risk is reduced, as it mitigates challenges if consent is later disputed. Therefore, organizations must be able to demonstrate that the chosen review interval is reasonable and proportionate. The personal data can be kept for longer periods of time if it is kept for archiving purposes of public interest or for reasons of scientific or historical research. Depending on the type of personal data collected review interval has to be closely evaluated, especially if the collected personal data is sensitive in nature, evaluations should be done more frequently. 

Secondly, personal data should not be stored after withdrawal of consent, and the process of withdrawal must be made as simple and transparent as the process of granting consent was. For example, if the company provides an option to unsubscribe from newsletters and other marketing news and the customer chooses to withdraw their consent, the controller must erase all related personal data without undue delay and ensure that no further communications are issued. 

Additionally, the controller must as part of the transparency obligation inform the data subjects on how to exercise their rights. With respect to scientific research, withdrawal of consent may impede research activities that rely on sensitive or potentially identifiable personal data however, under the GDPR withdrawal of consent requires that controllers must act upon it immediately and erase all personal data, as such there is no exemption to this requirement even for purposes of scientific research.

Overall, the GDPR does not establish a specific duration for which consent remains valid. Instead, under the general principles of the GDPR, personal data must be retained for the shortest period necessary, with the retention period determined considering the processing purpose, applicable erasure obligations, and the need for periodic review of both stored personal data and the data subject’s consent. It therefore means that organizations should implement suitable technical solutions to monitor consent validity and manage its periodic renewal.​