End User Consents Under the GDPR – Part 3: Guidelines for Users

Mar 16, 2017

The EU General Data Protection Regulation (GDPR) imposes new, stricter rules on end user consent as a basis for processing personal data. Nevertheless, users themselves must also make reasonable efforts to control their personal data and privacy. Although it is the responsibility of the data controller to make the information concerning the consent and the processing of personal data easily available to the user, the user also needs to familiarize themselves with that information in order to make informed decisions. For example, if the user ticks a box next to the text “I hereby give my consent for X Oy to process my personal data for identifying my personal interests and targeting more suitable advertisements to me”, this can be regarded as consent. It can be assumed to be an expression of consent even if the user has not read the Privacy Policy or the text of the tick box by which the consent is collected.

The GDPR in general approaches end user consent from the perspective that the user is provided with sufficient information concerning the processing of personal data. If all requirements for a valid consent are met, the processing of personal data can be based on the consent of the user. Additionally, the GDPR gives the user the right to withdraw consent at any time and thereby limit the possible harm done by consents already given.

It is important for users to familiarize themselves with the available information in order to exercise their rights. If the information presented raises doubts relating to the protection of personal data or privacy, the user should seek other options for the service or contact the data controller to receive more information.

Here are three guidelines to help the user avoid unpleasant surprises when registering for a service:

  1. Read all formulations of consent presented to you and have a look at the Privacy Policy. Check, inter alia, the following things:
  • Who is the data controller, i.e. the company processing the personal data, and how can it be contacted? This should be found in the Privacy Policy. It should raise questions if the Privacy Policy does not identify the data controller responsible for guaranteeing the legitimacy of the processing.
  • For which purposes are personal data being collected? If the processing is not related to the performance of the actual contract, a data controller might collect consent for the processing while you register for the service. If the purposes of the data processing seem unclear or otherwise make you uncomfortable, consider seeking other options for the service.
  • Which type of data is being collected? The Privacy Policy should define which kind of personal data is collected. You should always carefully consider whether you should provide, for example, health-related personal data or information about your financial situation to a service.
  2. Check the privacy settings. When you begin to use a service, for example when you download a mobile app and start using it, you should always check the privacy settings. If needed, modify them in a way that makes you feel comfortable with the use of your data. Under the GDPR, the privacy settings should by default be set to a position that enables maximum protection of privacy and data protection.
  3. Educate your children about data protection and privacy issues if they use online services or mobile apps, for example. You can check the privacy policies and privacy settings together and talk about the issues relating to privacy in online environments. To read more about children’s privacy under the GDPR, check our other blog post.

Read also the first and second part of the series “End User Consents Under the GDPR”.
Sini Mickelsson, Privacy Specialist