Data transfer to third parties - declaration of consent by the data subject


In our article on creating a consent form, you will learn everything you need to know to create suitable templates yourself. In particular, we address the transfer of data to other entities and highlight some problems that arise in everyday data protection practice.

What do you have to consider when passing on data to third parties?

According to the GDPR, data transfer to third parties is only possible with great difficulty. As a rule, data may only be transferred if this is necessary for the performance of a contract or if the data subjects have given their consent.

However, in order to actually be able to transfer data to third parties in a legally secure manner on the basis of necessity for the fulfillment of a contract, a narrow standard of review must be applied. In the area of e-commerce, for example, the transfer of customer data to DHL for the purpose of shipping to the customer is permissible, but only such data as is really necessary for the fulfillment of this obligation. Accordingly, the address may be transmitted but not the customer's e-mail address.

It is also problematic if the data transfer is necessary for the fulfillment of the contract, but the data subject did not expect this. For example, when booking a seminar with a certificate of completion (from a third-party provider), the transfer of data may be necessary. However, a data subject might expect otherwise. This becomes particularly problematic in the case of a transfer of personal data to third countries, where the standard of assessment is likely to be much narrower. Ultimately, the necessity of the transfer would fail in many cases already because the fulfillment would also have been possible with an intra-European service.

In order to rule out all of these legal uncertainties, it is advisable to inform customers and data subjects as best as possible before concluding a contract or to obtain a declaration of consent.

However, such a declaration of consent is subject to certain conditions. If these requirements are not met the consent is deemed not to have been given.

Consent must be given unambiguously (1) voluntarily (2) by the fully informed (3) data subject. In addition, the data subject must be informed of the general rights (4) and the right to withdraw consent later (5).

Inaction or silence on the part of the data subject can therefore in no way be construed as consent, as this would in no case be unambiguous consent. However, consent can also be misleading if it is given or hidden together with other declarations.

Furthermore, consent must not be given "under duress." This is particularly problematic in the case of processing for advertising purposes. For example, in many cases, the processing of data for the purpose of subsequently sending advertising messages to the recipient is not a prerequisite for conducting a sweepstakes. This is true even if the raffle is based on the e-mail address.

The original purpose is the implementation of the raffle. Sending (subsequent) promotional messages is an additional new - so to speak unnecessary - purpose for processing the data.

It becomes problematic if participation in the sweepstake is linked to the granting of consent, because then the consent is no longer completely voluntary and invalid.

Consent without comprehensive information of the data subjects (e.g. "I consent to company A processing my data at its own discretion and passing it on to third parties") is also not effective. This is judged even more strictly for special categories of data (e.g. health data) than for "normal" data. For such special categories of data it must be stated in detail what exactly is done with which data.

The data subjects must also be informed that they can revoke their voluntarily given consent at any time. Information must also be provided about the form and manner of revocation.

In addition, information must be provided about the rights existing under the GDPR on all sides, including in any case the right to erasure, rectification, information and blocking of personal data.

The following declarations of consent must be supplemented with the general rights and the right of revocation. The examples do not claim to be complete or correct and always require an individual assessment of the situation.

Example 1 (e-mail address)

I hereby consent to the transmission of my e-mail address to partner companies for the purpose of sending me information and offers in the area of open source software by e-mail.

Example 2 (third country)

I hereby consent to the transfer of my personal data (name, address, date of birth, handwritten examination) to the test center provider XY based in the USA - for the purpose of evaluating my examination performance and, if applicable, issuing a certificate of my successful examination. I am aware that no adequate level of protection can be guaranteed in the event of data transfer to the USA and that I may not be able to enforce my rights against the data recipient in the USA, or only in part. I understand that this presents a number of risks in processing my personal data, including but not limited to the risk of further data transfer, disclosure or processing for other purposes. There is also a risk that data already transferred may not be deleted, in whole or in part, by the data recipient in the United States, even if I later withdraw that consent.

At Glasskube, no data is shared with third parties; you have full control over your data. Would you like to learn more? We look forward to meeting you during a free initial consultation!

Support Glasskube
By leaving us a Star on GitHub
Star us
Glasskube Newsletter

Sign-Up to get the latest product updates and release notes!

Our solutions for reliable
and scalable infrastructure.

Easily and scale your IT infrastructure while deploying applications quickly and securely with our cloud native technology solutions.

Outdated software or technical debt?

Turn on autopilot