Consent, legitimate interest and purpose limitation

Your data, your rules: Your consent is becoming more important

Consenting to data processing in practice: You decide what happens to your data
A quiz on a social network has caught your attention: It’s supposed to help you discover your hidden talents and interests. Before you begin, you’re asked in clear and easy-to-understand language if you consent to the processing of your personal data to be able to complete the questionnaire. After you finish the quiz, there’s a second question: May the provider send your results to other companies, so they can analyse them for political ads? You can give your consent for this specific use of your data separately, if you so choose.

That’s how your consent can be obtained: Comprehensible information and a clear purpose limitation are the foundations for the processing of your personal data.

Your decision matters: This is why your consent to the processing of your data is so important

Your data can only be processed under certain conditions. One of the reasons why companies can use your data is that you gave your consent. Other reasons are contractual obligations, public interests or the legitimate interest of third parties. Giving consent, though, is really all about you: You can decide if you agree to the processing of your personal data or not. If a company wants to receive your consent, they are obliged to ask for it in clear and concise language. For very sensitive data, companies require your consent even before they start processing it. In other cases, it’s enough if your behaviour suggests that you wouldn’t deny giving your consent. Either way, you always have the right to revoke your consent.

Giving consent to the processing of your data has to be voluntary. That also includes the idea of a “prohibition of coupling”: Giving your consent to the use of your data for one purpose may not be “coupled” with your consent for an unrelated processing of your data. There are a lot of open questions about this concept, but what it could help with is this: Imagine you’ve made an order online and in order to complete the purchase, you’re required to also allow the processing of your data for a marketing newsletter, a completely separate process not necessary for the online purchase. Such coupling could be prohibited under the GDPR.

Purpose limitation: Every time your data is processed, separate requests for consent are required

Another requirement for the processing of your personal data is called “purpose limitation”. This means that your data can only be used for a specific purpose and may not be passed along for other purposes. You need to express your consent separately for every new purpose, so giving consent for multiple purposes at once is not permitted.

A practical example: The idea of purpose limitation is meant to prevent your data from getting passed on from one social network to another without your approval. Social networks have to ask you every time they want to use your data for different purposes such as targeted ads or political campaigns. That includes information like your friends lists, posts, likes and contacts.

“Legitimate interest”: An unwieldy term to describe legal data processing without your consent

In many cases, your consent is necessary for the legal processing of your data. Yet, companies do have the option to declare a “legitimate interest” to (further) process your personal data. The General Data Protection Regulation doesn’t clearly state when such a legitimate interest is justified. Thus, there are still many open questions about legitimate interests that will have to be answered by the courts. Currently, the prevention of fraud, the execution of a contract or direct advertising are being discussed as legitimate interests. In these cases, data-processing companies have to weigh if there might be any reasons from your point of view that wouldn’t allow the processing of your data. Good to know: You can always object to the processing of your personal data when that’s based on a company’s legitimate interests. And in the case of direct marketing, a company has to comply with this request, no questions asked: there doesn’t need to be any balancing or weighing with your rights.

Who gets your data for which purpose? The decision is often yours!

The General Data Protection Regulation places a great emphasis on your consent. In many cases, giving consent actually enables the processing of your data in the first place. This way, you get to choose if you trust a data-processing company with your data or not. It’s your decision to say whether you agree to have your data processed.

Maybe you’ll find yourself disagreeing with the way a certain provider handles your data, but at the same time, there’s no other provider available. The General Data Protection Regulation doesn’t offer a good solution for this conundrum. However, strengthening the idea of consent should ensure that those providers willing to inform you openly and in clear language about the processing of your data prevail on the market because they receive your consent.

The dictionary contains more details and has sources regarding the concepts of consent, legitimate interest and purpose limitation.