Unless provided for by law, or necessary to deliver a service or for other legitimate purposes, personal information may only be used based on informed consent.
- Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Internet intermediaries should limit the processing of personal user data to what is necessary in the context of a clearly defined purpose, which is explicitly communicated to all users in a proactive manner. The processing, including collection, retention, aggregation, storage, adaptation, alteration, linking or sharing of personal data shall be based on the free, specific, informed and unambiguous consent of the user, with respect to a specific purpose, or on another legitimate basis laid down by law, as prescribed by Convention 108.
- Personal information collected should be used only to fulfill the purposes of collection and other compatible or related purposes except: a) with the consent of the individual whose personal information is collected; b) when necessary to provide a service or product requested by the individual; or, c) by the authority of law and other legal instruments, proclamations and pronouncements of legal effect.
- The collection of personal information should be limited to information that is relevant to the purposes of collection and any such information should be obtained by lawful and fair means, and where appropriate, with notice to, or consent of, the individual concerned.
- The Committee of Ministers therefore, under the terms of Article 15.b of the Statute of the Council of Europe, recommends that member States, in consultation with private sector actors and civil society, develop and promote coherent strategies to protect freedom of expression, access to information and other human rights and fundamental freedoms in relation to search engines in line with the Convention for the Protection of Human Rights and Fundamental Freedoms (...), in particular by engaging with search engine providers to carry out the following actions: (...) – enhance transparency in the collection of personal data and the legitimate purposes for which they are being processed; – enable users to access easily, and, where appropriate, to correct or delete their personal data processed by search engine providers; – develop tools to minimise the collection and processing of personal data, including enforcing limited retention periods, adequate irreversible anonymisation, as well as tools for the deletion of data.
- There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
- Where appropriate, individuals should be provided with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice in relation to the collection, use and disclosure of their personal information.
- Directing targeted political advertising, based on personal data, at individuals through the media should not be allowed, especially during election periods, unless those individuals have consented to the use of their personal data for this purpose.
- The data processing in both electoral and political advertising (in particular microtargeting advertising) context shall comply with data protection principles under Article 5 of Convention 108+. These personal data must be processed in compliance with purpose limitation and data minimisation principles. In particular, according to Recommendation CM/Rec(2012)4 of the Committee of Ministers on the protection of human rights with regard to social networking services, social networks should secure the informed consent of their users before their personal data is shared with other categories of people or companies or used in ways other than those necessary for the specified purposes for which they were originally collected.
- Intermediaries should ensure data security and privacy, and ensure that the use of data is in compliance with international human rights law and has the fully informed consent of data providers.
- In line with the Convention 108 and according to Recommendation CM/Rec(2012)4 on the protection of human rights with regard to social networking services and Recommendation CM/Rec(2016)5 on Internet freedom, social network services should not process personal data beyond the specified purposes for which they have collected it. Electoral campaigning constitutes in most cases a distinct purpose for which distinct consent is required.
- Users’ consent to the collection and commercialisation of their personal information must latch on a genuine understanding of the economic and political value of their choice.
- The individual’s online behaviour cannot be monitored without the free, specific, informed and unambiguous consent of the data subject or other legitimate basis laid down by law according to Article 5(2) of Convention 108+. Furthermore, when the processing concerns sensitive categories of data such as information revealing political opinions, an explicit consent may also be required as complementary protection (Article 6 of Convention 108+).