EU data protection rules, also known as the "EU General Data Protection Regulation", describe different situations in which businesses or institutions are allowed to collect or reuse information about citizens.
In particular, the European Commission sets out five conditions:
- If they have entered into a contract with you - for example, a contract for the supply of goods or services (e.g. when you buy a product online), or an employment contract.
- If they comply with a legal obligation - e.g. where the processing of your data is a legal obligation, such as where your employer provides information about your monthly earnings to the social security agency so that you have social security cover.
- If the processing of the data serves your vital interests - e.g. when it comes to protecting your life.
- If this is necessary to complete a public task - which is mainly part of the tasks of public services such as schools, hospitals and municipalities.
- If there are legitimate interests - e.g. if your bank uses your personal data to check whether you can have a savings account with a higher interest rate.
Please note that in all other cases, the company or institution must seek the consent of the citizen before collecting or reusing personal data.
Agreement on data processing - consent
What happens when a business or institution asks for a citizen's consent? When a business or organisation asks for consent, the citizen must explicitly state that he or she agrees, for example by signing a consent form or by selecting "yes" when asked to answer yes/no on a website. Note that it is not enough to simply indicate that you do not agree, for example by marking the option that you do not want to receive emails for marketing purposes. The citizen must, it is strongly emphasised, expressly state that he or she agrees to the storage/re-use of his or her data for this purpose.
What information must be given to the citizen before consent is given? The European Commission identifies six elements that the company or institution must provide before the citizen gives consent:
- Information about the company/entity that will process your data, including their contact details and the contact details of the data protection officer (DPO), if any.
- The reason why the business/entity will use your personal data.
- The period for which they are going to keep your personal data.
- Details of any other business or entity that will receive your personal data.
- Information about your rights regarding the protection of your data (access, correction, deletion, termination, withdrawal of consent).
- All this information must be provided in a clear and understandable way.
Withdrawal of consent for the use of personal data and the right to prohibit their processing - When can a citizen withdraw consent for the use of personal data?
Consent can be withdrawn at any time by contacting the data controller (the person or body that manages the personal data) and requesting that the consent be withdrawn. Once the consent is withdrawn, the business/entity can no longer use the personal data.
However, please note that where an entity processes your personal data in the context of its own legitimate interests or in the public interest or on behalf of an official authority, there may be a right to prohibit the processing. In some specific cases, the public interest may prevail and the business or body may be allowed to continue to use the personal data.
For example, it is mentioned that this could happen in the case of scientific research and statistical data collection by a public authority as part of its official duties.
As regards the direct sending of promotional emails promoting specific brands or products, prior consent is required. However, if the citizen is already a customer of a particular business, the business may send him or her direct promotional e-mails about its own similar products or services. The citizen has the right to refuse at any time to receive such direct marketing, in which case the business must immediately stop using his or her data.
In any case, the first time the company or institution contacts the citizen, it must inform him or her of the right to prohibit the use of his or her personal data.
Special rules for children
If children want to use online services, such as social networking sites, downloading music or games, parental consent is often required. A child no longer needs parental consent once he or she reaches the age of 16 (in some EU countries this age limit may be 13). Checks on parental consent must be effective, for example by sending a check message to the parents' email address.
Access to personal data
Citizens can request access to their personal data held by a company or institution, and have the right to receive a copy of the data, free of charge, in an easy-to-use format. A reply must be given within one month, accompanied by a copy of the personal data and any relevant information on how the data were used or are being used.
What are cookies?
Cookies are small text files that a website asks the internet user's browser to store on the user's computer or mobile device, the same notice said. They are widely used to make websites work more efficiently, which is achieved by storing the internet user's preferences. Cookies are also used to track the user's web browsing, create user profiles and then provide targeted advertising based on the user's preferences.
It is clarified that any website wishing to use cookies must first ask for the internet user's consent before installing them on the user's computer or mobile device. A website cannot simply inform users that it uses cookies or explain how to disable them. It must also explain how the information collected through them will be used.
It should also be possible to withdraw consent. In this case, the website must provide you with certain minimum services, e.g. access to a part of it.
Please also note that consent is not required for all cookies. For cookies used solely for the transmission of certain information, consent is not required.
These are, among other things, cookies used for "load balancing" (which allow requests from an internet server to be processed by a group of machines instead of just one machine). Cookies that are strictly necessary for the provision of an internet service explicitly do not require consent either. This is the case, for example, for cookies used when an internet user fills in an online form or when using a shopping cart in e-commerce.