General Data Protection Regulation

INTRODUCTION REGULATION

or an oral statement. This could include ticking a box when visiting an

internet website, choosing technical settings for information society

services or another statement or conduct which clearly indicates in

this context the data subject’s acceptance of the proposed processing

of his or her personal data. Silence, pre-ticked boxes or inactivity

should not therefore constitute consent. Consent should cover all

processing activities carried out for the same purpose or purposes.

When the processing has multiple purposes, consent should be given

for all of them. If the data subject’s consent is to be given following a

request by electronic means, the request must be clear, concise and

not unnecessarily disruptive to the use of the service for which it is

provided.

(33) It is often not possible to fully identify the purpose of personal data

processing for scientific research purposes at the time of data collection.

Therefore, data subjects should be allowed to give their consent to

certain areas of scientific research when in keeping with recognised

ethical standards for scientific research. Data subjects should have

the opportunity to give their consent only to certain areas of research

or parts of research projects to the extent allowed by the intended

purpose.

(34) Genetic data should be defined as personal data relating to the

inherited or acquired genetic characteristics of a natural person which

result from the analysis of a biological sample from the natural person

in question, in particular chromosomal, deoxyribonucleic acid (DNA) or

ribonucleic acid (RNA) analysis, or from the analysis of another element

enabling equivalent information to be obtained.

(35) Personal data concerning health should include all data pertaining to

the health status of a data subject which reveal information relating

to the past, current or future physical or mental health status of the

data subject. This includes information about the natural person

collected in the course of the registration for, or the provision of, health

care services as referred to in Directive 2011/24/EU of the European

Parliament and of the Council (9) to that natural person; a number,

symbol or particular assigned to a natural person to uniquely identify

the natural person for health purposes; information derived from the

testing or examination of a body part or bodily substance, including

from genetic data and biological samples; and any information on,

for example, a disease, disability, disease risk, medical history, clinical

treatment or the physiological or biomedical state of the data subject

independent of its source, for example from a physician or other health

professional, a hospital, a medical device or an in vitro diagnostic test.

(36) The main establishment of a controller in the Union should be the

place of its central administration in the Union, unless the decisions

on the purposes and means of the processing of personal data are

taken in another establishment of the controller in the Union, in which

case that other establishment should be considered to be the main

establishment. The main establishment of a controller in the Union

should be determined according to objective criteria and should imply

the effective and real exercise of management activities determining

themain decisions as to the purposes andmeans of processing through

stable arrangements. That criterion should not depend on whether the