(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
(33) It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.
(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC [10] a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
ISO/IEC 27701, adopted in 2019, added ISO/IEC 27002 guidance for PII controllers.
Here is the paragraph relevant to Article 7(3) GDPR:
7.3.4 Providing mechanism to modify or withdraw consent
Control
The organization should provide a mechanism for PII principals to modify or withdraw their consent.
Implementation guidance
The organization should inform PII principals of their rights related to withdrawing consent (which may vary by jurisdiction) at any time, and provide the mechanism to do so.
[…]