The system must enable its users to revoke whatever consent they have granted.
Systems usually request information from their users or collect it based on their interactions with the application. Regulations demand that none of these collections occur without the user’s consent and that this consent be demonstrable afterwards. Regulations also demand that users be allowed to revoke, at any given time, whatever consent they may have granted regarding the collection and processing of their information.
Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 6: Traffic data.(3) Users or subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at any time.
GDPR. Art. 7: Conditions for consent.(3). The data subject shall have the right to withdraw his or her consent at any time.
GDPR. Art. 18: Right to restriction of processing.(1). The data subject shall have the right to obtain from the controller restriction of processing.
GDPR. Art. 21: Right to object.(1). The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her.
ISO 27001:2013. Annex A - 18.1.4 When applicable, guarantee the privacy and security of personal information, as required by the relevant legislation and regulations.