
Wednesday, August 3, 2011

Guide to Data Protection in the European Union


English   http://ec.europa.eu/justice/policies/privacy/docs/guide/guide-ukingdom_en.pdf


Spanish  http://ec.europa.eu/justice/policies/privacy/docs/guide/guide-spain_es.pdf

The Guide to Data Protection

http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/the_guide_to_data_protection.pdf

What is personal data? - Data Protection Act 1998

Link  also in Links box

http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/160408_v1.0_determining_what_is_personal_data_-_quick_reference_guide.pdf

2011-07-14-Press Release Regarding The Data Protection Act

Press Release  ---  Communiqué de presse  --  Mitteilung für die Presse

Brussels, 14 July 2011

ARTICLE 29 DATA PROTECTION WORKING PARTY

European data protection authorities clarify the notion of consent

Consent of the data subject has always been a key notion in data protection, but it is not always clear when consent is needed, and what requirements have to be fulfilled for consent to be valid. The importance of consent is evident as the processing of personal data has become a prominent feature of modern society, both in the online and offline world. Therefore, the European data protection authorities, assembled in the Article 29 Working Party, have adopted an opinion (WP187) in which they assess the definition of consent in the current framework and give several recommendations for the future.

Consent is one of the grounds that can legitimise the processing of personal data. In the opinion, the European data protection authorities clarify the notion of consent and provide recommendations with regard to the revision of the general data protection legal framework.

According to the European data protection authorities, consent requires the use of mechanisms that leave no doubt of the data subject’s intention to consent. Therefore only statements or actions, not mere silence or inaction, can constitute valid consent.

For example, when a data subject registers with a social network and the default settings of his or her profile make all personal information viewable to all “friends of friends”, it cannot be inferred that this user has given his or her consent.

Consent must be given prior to the start of processing activities or before any new use of the data. The European data protection authorities also stress that the right to withdraw one’s consent should be guaranteed. In addition, to be able to make informed choices, data subjects need to be informed about the data processing and good quality and accessibility of the information is paramount to this. Naturally, in this regard, specific attention must be paid to individuals lacking legal capacity, such as minors. Finally, data controllers should be able to demonstrate that they have obtained valid consent.

Link to Opinion WP187 -- Go to Links Box

Definitions of - Data Subject-Data Controller + Data Processor

Definitions of:

Data subject (Data Protection Act)
This is the living individual who is the subject of the personal information (data).

Mi-Sol Park is NOT a living person.

Data controller (Data Protection Act)
A person who determines the purposes for which, and the manner in which, personal information is to be processed. This may be an individual or an organisation and the processing may be carried out jointly or in common with other persons.

Data processor (Data Protection Act)
A person who processes personal information on a data controller's behalf. Anyone responsible for the disposal of confidential waste is also included under this definition.

Office of the Data Protection Commissioner, Canal House, Station Road, Portarlington, Co. Laois, Ireland. Email: info@dataprotection.ie

How do I know whether the Data Protection Act applies to my business/organisation?

In general, the Data Protection Act applies to all organisations (including individuals, such as self-employed financial advisors and accountants) which hold or use personal data (that is, information about individuals). Personal data will include information about your staff, your customers or clients or anyone else with whom you have dealings in the course of your business or professional activities. Even if you simply hold membership lists for social or other clubs or charities, you also have to comply with at least some of the provisions of the DPA.
The only exception is where, as an individual, you hold personal information only for domestic reasons (e.g. an address book or Christmas card list), in which case the DPA does not apply at all.
One of the requirements of the DPA is that individuals and organisations that are processing personal data need to “notify” the Information Commissioner that they are doing so, and the purpose of that processing. There are exceptions to this rule where you are an organisation holding personal information only for:
  • staff administration (including payroll)
  • advertising, marketing and public relations for your own business
  • accounts and records (some not-for-profit organisations)
The Information Commissioner's website will give further guidance on whether the Act applies to you, and whether you need to notify. Alternatively, you may call the Commissioner's Notification Helpline on 01625 545740.