processing of personal data. Mere silence, inactivity
or pre-validated forms or boxes should not, therefore,
constitute consent. Consent should cover all processing activities carried out for the same purpose or
purposes (in the case of multiple purposes, consent
should be given for each different purpose). There may
be cases with different consent decisions (e.g. where
the nature of the data is different even if the purpose
is the same – such as health data versus location data:
in such cases the data subject may consent to the
processing of his or her location data but not to the
processing of the health data). The data subject must
be informed of the implications of his or her decision
(what the fact of consenting entails and the extent to
which consent is given). No undue influence or pressure (which can be of an economic or other nature),
whether direct or indirect, may be exercised on the
data subject and consent should not be regarded as
freely given where the data subject has no genuine or
free choice or is unable to refuse or withdraw consent
without prejudice.
43. In the context of scientific research it is often
not possible to fully identify the purpose of personal
data processing for scientific research purposes at the
time of data collection. Therefore, data subjects should
be allowed to give their consent to certain areas of
scientific research in keeping with recognised ethical
standards for scientific research. Data subjects should
have the opportunity to give their consent only to
certain areas of research or parts of research projects
to the extent allowed by the intended purpose.
44. An expression of consent does not waive the
need to respect the basic principles for the protection
of personal data set out in Chapter II of the Convention
and the proportionality of the processing, for instance,
still has to be considered.
45. The data subject has the right to withdraw the
consent he or she gave at any time (which is to be
distinguished from the separate right to object to processing). This will not affect the lawfulness of the data
processing that occurred before the data controller has
received his or her withdrawal of consent but does not
allow continued processing of data, unless justified by
some other legitimate basis laid down by law.
46. The notion of “legitimate basis laid down by
law”, referred to in paragraph 2, encompasses, inter
alia, data processing necessary for the fulfilment of a
contract (or pre-contractual measures at the request
of the data subject) to which the data subject is party;
data processing necessary for the protection of the
vital interests of the data subject or of another person;
data processing necessary for compliance with a legal
obligation to which the controller is subject; and data
processing carried out on the basis of grounds of
public interest or for overriding legitimate interests
of the controller or of a third party.
Page 20 ► Convention 108+
47. Data processing carried out on grounds of public
interest should be provided for by law, inter alia, for
monetary, budgetary and taxation matters, public
health and social security, the prevention, investigation, detection and prosecution of criminal offences
and the execution of criminal penalties, the protection of national security, defence, the prevention,
investigation, detection and prosecution of breaches
of ethics for regulated professions, the enforcement
of civil law claims and the protection of judicial independence and judicial proceedings. Data processing
may serve both a ground of public interest and the
vital interests of the data subject as, for instance, in
the case of data processed for humanitarian purposes
including monitoring a life-threatening epidemic and
its spread or in humanitarian emergencies. The latter
may occur in situations of natural disasters where
processing of personal data of missing persons may
be necessary for a limited time for purposes related to
the emergency context – which is to be evaluated on
a case-by-case basis. It can also occur in situations of
armed conflicts or other violence.⁹ The processing of
personal data by official authorities for the purpose
of achieving the aims, laid down by constitutional law
or by international public law, of officially recognised
religious associations can also be considered as being
carried out on grounds of public interest.
48. The conditions for legitimate processing are set
out in paragraphs 3 and 4. Personal data should be
processed lawfully, fairly and in a transparent manner. Personal data must also have been collected for
explicit, specified and legitimate purposes, and the
processing of that particular data must serve those
purposes, or at least not be incompatible with them.
The reference to specified “purposes” indicates that
it is not permitted to process data for undefined,
imprecise or vague purposes. What is considered a
legitimate purpose depends on the circumstances
as the objective is to ensure that a balancing of all
rights, freedoms and interests at stake is made in each
instance; the right to the protection of personal data
on the one hand, and the protection of other rights on
the other hand, as, for example, between the interests
of the data subject and the interests of the controller
or of society.
49. The concept of compatible use should not hamper the transparency, legal certainty, predictability or
fairness of the processing. Personal data should not be
further processed in a way that the data subject might
consider unexpected, inappropriate or otherwise
objectionable. In order to ascertain whether a purpose
of further processing is compatible with the purpose for which the personal data is initially collected,
the controller, after having met all the requirements
9. Where the four Geneva Conventions of 1949, the Additional
Protocols thereto of 1977, and the Statutes of the International
Red Cross and Red Crescent Movement apply.