Unfortunately, it is a myth that data controllers must get consent for ALL purposes of processing and this has led to the confusion and distress of a large number of data subjects.

For example, if a data subject no longer wishes to attend a particular doctor, they may wish to have their medical records erased. But, due to the high risk associated with such a proposed course of action, the doctor (data controller) must retain the records in line with their reasonably considered retention policy; however, the doctor can transfer the records to a new doctor at the request of the data subject.

Another example is where the data subject engages with a data controller in order to secure a service. The data controller may have entered into an agreement with a data processor whereby the data processor provides the service directly to the data subject. In that case it is not necessary for the data controller to seek the consent of the data subject to process the personal data in this manner; however, they should be transparent with the data subject and inform them who their personal data is being shared with and for what purpose. The data subject is not required to provide their consent nor can they seek to prevent the data processing, for example, a data controller may hire a debt collection firm to recoup money owed to them by the data subject.