Control over our personal data

“This app asks for authorization to access your location, your pictures and videos, your online shopping, your bank accounts, your contacts, your appointments… ultimately, your life”. TAKE IT or LEAVE IT.

If you have ever downloaded an app on a mobile phone or a tablet, you are probably familiar with this message (that we have dramatized a bit).

With the entry into force of the General Data Protection Regulation, passed by the European Union several months ago, things will change a lot, mainly regarding the options we have for dealing with this intrusion into our privacy (just as will also happen with the ubiquitous cookies).

First of all, one must remember that most files and records we have on our devices store data that identify or characterize us. Apart from personal data about ourselves and others (names, addresses, emails, phone numbers, pictures and videos), we also store other data (often without even knowing it), such as our location or the webpages we browse, which can reveal where we live, study and work, the addresses of our social acquaintances, our hobbies, interests, consumer preferences, etc.

Personal data have become assets of high economic value for some organizations, which is why the European Union has passed this Regulation so that, from the date of application (May 25, 2018) onwards, users will have more power over their personal data. Among other things, it means that we will be able to know when and why an organization wants to obtain and process our personal data, and then decide whether we consent or object.

This will be accomplished thanks to a series of personal data protection principles and provisions that organizations processing this kind of data will have to respect if they don’t want to risk receiving very high fines.

In my view, the most important principles are: free, specific, informed and unequivocal consent, granted through a statement or a clear positive action; the principle of privacy by design and by default; and the principle of data minimisation.

All this means that:

  • Consent must be informed, meaning that at the moment of being asked for our consent, we must be clearly and transparently informed of, among other things, who will store our data, the purpose of processing (what they will do with it), for how long they will store it and who we can contact if we have any doubt or claim. If we decide to authorize it, our consent must be clear and unambiguous(*), meaning that the request for consent can’t be mixed with any other information or declaration, and must be clearly distinguished from it. Besides, it must be given through a declaration or a clear affirmative action; for example, if the consent is granted by ticking a box, the box must be unticked by default, so that we tick it only if we want to accept.
  • Authorizing the processing of our data must not be a necessary requirement to keep browsing a website or to download an app; that is, we will be able to do it even if we decide to tick the “I don’t accept” option or we do not tick the box (free consent), unless the data we are asked to provide is required to fulfil the purpose of the app or webpage: for example, they will need our address to send us a product, our bank details to pay for what we have bought, or our tax details for the invoice.
  • Whether because we have given our consent, or because there is another reason to process our data, they won’t be able to keep it for longer, collect more data, or give access to it to more people than is strictly necessary to fulfil the purpose of the processing (data minimisation). (2)

However, all this will not be useful if we do not inform ourselves, if we don’t make ourselves aware of what our rights are, and if we don’t exercise them responsibly.

All this will not happen until May 25th, 2018. Until then… take it or leave it.


Written by Carolina Marcela Reyes, Lawyer, Adarve Abogados