Morning everyone,

I'm a BA working on a GDPR project, and frantically trying to get up to speed on the fundamentals of the legislation, to understand its impact on our current business model. I have a question around the area of responsibility when a data subject withdraws a previously granted consent.

Scenario: a customer creates an account with my organisation and gives explicit consent during sign-up for us to share specific personal information with a third party, so that the third party may contact them to offer further services. At a later date, the customer then withdraws all consent for us to use their information.

Is it my organisation's responsibility to contact the third party and instruct them to remove the customer's personal information from their systems, or does the customer have to contact the third party directly and declare the same withdrawal of consent?

Similarly, if we have shared, with consent, personal information about one of our customers with a third party by way of a fixed-format report, and the customer withdraws consent, does that mean that the third party has to delete any report they hold containing the customer's personal information (or obfuscate it)?