- on this page
- Principles of consent
- Withdrawal of consent
- Other legal basis for processing
- Limiting requests for data
- Unlawful use
Principles of consent
There are three essential aspects regarding your consent:
- it has to be given freely, namely, without any pressure or imbalance of power.
- it has to be specific and unambiguous, indicating those specific purposes and personal data categories which you allow to process
- you have to be informed which data will be used, how and for what purposes
example Your silence or inactivity cannot be considered a consent.
example The processing of personal data of the employees by the employer cannot usually be based on consent: it is likely not freely given because of the imbalance of power.
Your data can be processed for only those concrete, specific purposes and in the concrete, specific manner with which you have agreed
Withdrawal of consent
As consent is given freely, you are also free to withdraw your consent. For example, in situations where you learn or suspect that your data is being used for different purposes than those to which you initially agreed.
Your consent is may be required before an authority or a private individual or entity can start processing your personal data.
example If you want to become a customer of a bank, you agree to give your identity data, including your passport copy, to a bank for the purpose of identifying you and to authenticate your financial activities.
Other legal basis for processing
There are other legal basis for processing your personal data in which case your consent is not required. These can be for example contractual relationship, legitimate interests, legal duties and public interest. You can read more about them in the General Data Protection Regulation.
example If criminal proceedings have been commenced against you, the police and the prosecution will collect information from other institutions and use things like your identity code, address, etc., without requiring your consent to do that.
Limiting requests for data
Unfortunately, private entities and public authorities commonly request data which is not strictly needed for fulfilling their duties and activities. This may have been done on purpose, for example, to collect data about you for marketing or other commercial activities.
There are situations in which you are obliged to provide certain data, or in which you will simply be refused a service if you are not willing to provide it. However, you should generally feel free to be critical and ask that the data be limited or negotiate to provide only the minimum where you believe the request is excessive or possibly against the law.
example It would be an excessive requirement to provide your passport copy, containing your image, citizenship, identity code and passport number – sensitive data not needed for identification in the shopping process, to become a client of a shopping center.
If someone uses your personal data and you have not given your consent to such action, you should ask whether there are other legal basis stipulated in the General Data Protection Regulation. If not, this person is acting in an unlawful manner and you have the right to request to erase your personal data as well as receive compensation.
Applicable as of 25 May 2018
Preamble: Recitals 32-33, 40, 42-43; Articles 4 (11); 6-7; 9-10
Joint publication by the the EU Agency for Fundamental Rights and the Council of Europe