Conditions for consent
A main condition for the processing of personal data is that the data subject has unambiguously agreed to the processing or given his consent (cf. Article 8.1 in the DPA).
A basic requirement for processing personal data based on consent is that the data subject must be well-informed about the processing, and must have an opportunity to object to it. Although written consent is not required, it is often recommended in practice (Data Protected, 2013). It is the responsibility of the controller to ensure that the processing of personal data is done in accordance with the requirements mentioned in Article 8 in the DPA, i.e. “General rules regarding permission for processing of personal data”.
Exemptions from consent
The processing of personal data may be exempted from consent if, for example, the processing is necessary for a task that is carried out in the public interest (cf. Article 8.5 in the DPA). The Data Protection Authority can moreover authorize the use of alternatives to consent if the processing of data is apparently in the vital interests of the public or individuals, including the interests of the data subject.
The processing of sensitive personal data is prohibited unless one of the conditions in Article 8.1 in the DPA and one or more of the requirements in Article 9 of the DPA have been fulfilled. For instance, a condition stated in Article 9.9 in the DPA is that the processing is necessary for the purposes of statistical or scientific research, provided that the privacy of individuals is protected by means of specific and adequate safeguards.
- Data Protected. 2013. Iceland [Internet], Linklaters. Available at: <https://clientsites.linklaters.com/Clients/dataprotected/Pages/Iceland.aspx>. [Accessed 15 January 2014].
- Rules no. 698/2004. (2004) Rules on the obligation to notify and processing which requires a permit no. 698/2004 [Internet]. Available at: <http://www.personuvernd.is/information-in-english/greinar/nr/441>. [Accessed 15 January 2014].
- The Data Protection Act (DPA). (2000) Act on the Protection of Privacy as regards the Processing of Personal Data, No. 77/2000 of May 10, 2000 [Internet]. Available at: <http://www.personuvernd.is/information-in-english/greinar/nr/438>. [Accessed 15 January 2014].
- The Icelandic Data Protection Authority website. Personuvernd [Internet]. Available at: <http://www.personuvernd.is/>. [Accessed 15 January 2014].
- The National Bioethics Committee website. The Bioethics Committee System [Internet]. Available at: <http://www.vsn.is/en/content/bioethics-committee-system>. [Accessed 15 January 2014].